Enterprise Cybersecurity Management

Cybersecurity Strategy Composition

Purpose of a Formal Strategy

Many organizations developed cybersecurity programs reactively, without a documented strategy. Regulatory scrutiny forced formalization, but many resulting documents were generic and provided little internal value. A properly authored strategy should articulate what is unique about the enterprise, tie cybersecurity objectives directly to business strategy, and prioritize threats to direct resource investment.

Framework: NIST Cybersecurity Framework (CSF)

Created 2014, globally adopted. Five core functions serve as natural strategy section headings.

  • Identify — Asset management, business environment, risk, regulatory context, stakeholders
  • Protect — Access control, authentication, segmentation, awareness training, data security
  • Detect — SIEM, EDR, behavioral analytics, deception technology
  • Respond — Incident response procedures (CIRP), tabletop exercises, analyst training
  • Recover — Communications planning, coordination with IT/engineering teams

Strategy Components (Each NIST Section)

  • Description — How the section relates to the mission established in Identify
  • Relevant Programs — Specific areas likely to be raised in third-party review (insider threat, behavioral analytics, etc.)
  • Target State Metrics — Define the measurement itself, not necessarily the value; must be achievable within the strategy's time horizon

Time Horizon and Ratification

Accepted timeline: 2–5 years; 3 years is most common. Avoid overly prescriptive technology commitments (they become obsolete). When a program is new or under pressure following an incident, a roadmap (Gantt-style, with responsible parties and target dates) should accompany the strategy. Ratification should extend beyond the security department — in publicly traded companies, to board level via audit or risk committee.

NIST CSF Function Detail

Identify

The most important element is not technical asset inventory — it is understanding the business mission. The CISO must embed with key stakeholders (CFO, COO, CIO, CTO, General Counsel, CEO) to understand organizational strategy. Cover: business environment and mission, threat objectives mapped from business goals, regulatory environment, key stakeholders, ongoing risk management program, and third-party/vendor risk management approach.

Protect

Describe classes of controls — not specific vendors or technologies (those will be obsolete within the strategy horizon). Appropriate specificity examples: access recertification programs for privileged/externally-accessible systems, authentication standards tied to engineering implementation, segmentation strategy (network, workload, environment, user), security awareness program, data classification and governance.

Detect

  • SIEM — centralized log aggregation and alerting logic
  • EDR — alert generation on endpoints
  • Behavioral baselines — dynamic alerting on anomalous but authorized activity
  • Deception technology — honeypots, honey tokens (forward-looking commitment)

Respond

Commit to maintaining a Cyber Incident Response Procedure (CIRP) rather than spelling it out in the strategy. Key commitments: CIRP maintenance and regular updates, tabletop exercises simulating incidents across all responsible parties, analyst training (onsite, online, or offsite).

Recover

Recovery operations primarily belong to IT and engineering. CISO responsibility is limited to communications planning (part of incident response) and tabletop exercise coordination. In smaller organizations where the CISO absorbs IT functions, frame it explicitly as above-and-beyond effort with a plan to spin it out as staffing grows.

Threat Objectives

Why Vocabulary and Taxonomy Matter

Cybersecurity lacks a universal standard. An agreed-upon taxonomy enables benchmarking (comparing programs across peers), threat intelligence communication (concise, unambiguous reporting), and organizational alignment. Always define terms before using them with new audiences who lack shared context.

Adversarial Risk Management

Standard risk management assumes predictable, non-adaptive threats. Cybersecurity differs because the adversary is sentient and adapts to defensive actions. Key terms:

  • Threat — a situation that could jeopardize organizational mission
  • Condition — a configuration or arrangement of facts that may or may not constitute a risk (superset)
  • Risk — an atomic condition that could lead to a threat materializing
  • Control — a mechanism, tool, or process providing protection, detection, or mitigation
  • Event — any loggable occurrence (superset)
  • Incident — an event that can lead to threat materialization

The Threat Objective Model — Organizing by Why

Organizing threats by What (malware, DDoS), How (brute force), Who (nation-state), or Where (Cloud) fails the MECE (mutually exclusive, collectively exhaustive) test: real incidents span multiple such categories simultaneously. Organizing by adversary motivation (the Why) produces a MECE taxonomy.

Six Threat Objectives:

  • Extortion — Ransomware and coercive attacks; increasingly targeted and persistent
  • Sabotage — Destruction-focused; shares many TTPs with extortion; no financial monetization required
  • Financial Fraud — Transaction-focused; account takeover, credential stuffing, SIM swapping, opportunistic modular malware
  • Data Theft — PII, PHI, IP, MNPI; controls include DLP, access recertification, tokenization
  • Resource Hijacking — Opportunistic; botnets, cryptojacking, cloud instance abuse
  • Watering Hole Attacks — Targeting an organization to reach its customer base (e.g., SolarWinds 2021)

Threat Objective Heat Map

Threat objectives are plotted on a likelihood/impact grid with two values per objective: Inherent risk (before controls; likelihood from threat intelligence; impact assessed with business leadership) and Residual risk (after controls; likelihood from red team/pen test results). Risk appetite is a diagonal line. Inherent risks above the line define the CISO's mission. Residual risks above the line are unacceptable and require remediation investment.
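The heat map described above, expressed as runnable logic. This is an added illustration, not material from the original notes: the 1-5 ordinal scales, the sample scores for the six objectives and the appetite threshold (the diagonal likelihood + impact = 6) are constructed values; a real program would take inherent likelihood from threat intelligence, inherent impact from business leadership and residual likelihood from red team results, as the notes say.

```python
"""Threat objective heat map: inherent and residual risk against a risk-appetite line.

Added illustration, not part of the original notes. The 1-5 scales, the sample
scores and the appetite threshold are constructed values chosen for the example.
"""
from dataclasses import dataclass
from typing import Iterable, List

SCALE_MAX = 5  # both axes use a 1..5 ordinal scale (assumption)


@dataclass(frozen=True)
class Score:
    likelihood: int  # 1 (rare) .. 5 (expected)
    impact: int      # 1 (negligible) .. 5 (mission-threatening)

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= SCALE_MAX:
                raise ValueError(f"score out of range 1..{SCALE_MAX}: {value}")

    @property
    def magnitude(self) -> int:
        return self.likelihood + self.impact


@dataclass(frozen=True)
class ThreatObjective:
    name: str
    inherent: Score  # before controls: likelihood from CTI, impact agreed with business leadership
    residual: Score  # after controls: likelihood from red team / pen test results


# The appetite line is the diagonal likelihood + impact == RISK_APPETITE;
# a plotted point is "above the line" when its sum exceeds that value.
RISK_APPETITE = 6


def above_appetite(score: Score, appetite: int = RISK_APPETITE) -> bool:
    return score.magnitude > appetite


def ciso_mission(objectives: Iterable[ThreatObjective]) -> List[str]:
    """Inherent risks above the line: what the program exists to address."""
    return [o.name for o in objectives if above_appetite(o.inherent)]


def remediation_backlog(objectives: Iterable[ThreatObjective]) -> List[str]:
    """Residual risks still above the line: unacceptable, needs investment."""
    return [o.name for o in objectives if above_appetite(o.residual)]


def risk_reduction(objective: ThreatObjective) -> int:
    """How far controls moved the point down the grid (in scale steps)."""
    return objective.inherent.magnitude - objective.residual.magnitude


def render_grid(objectives: Iterable[ThreatObjective], view: str = "residual") -> str:
    """ASCII heat map: impact on rows (high at top), likelihood on columns.
    Cells show the objectives' initials; '*' marks an empty cell above appetite."""
    cells = {}
    for o in objectives:
        score = getattr(o, view)
        cells.setdefault((score.likelihood, score.impact), []).append(o.name[0])
    lines = []
    for impact in range(SCALE_MAX, 0, -1):
        row = []
        for likelihood in range(1, SCALE_MAX + 1):
            here = Score(likelihood, impact)
            mark = "".join(cells.get((likelihood, impact), []))
            row.append((mark or ("*" if above_appetite(here) else ".")).ljust(3))
        lines.append(f"I{impact} |" + "".join(row))
    lines.append("    " + "".join(f"L{l}".ljust(3) for l in range(1, SCALE_MAX + 1)))
    return "\n".join(lines)


# Constructed sample scores for the six threat objectives in the notes.
SAMPLE = (
    ThreatObjective("Extortion",          Score(5, 5), Score(3, 4)),
    ThreatObjective("Sabotage",           Score(3, 5), Score(2, 4)),
    ThreatObjective("Financial Fraud",    Score(4, 3), Score(2, 3)),
    ThreatObjective("Data Theft",         Score(4, 4), Score(3, 3)),
    ThreatObjective("Resource Hijacking", Score(4, 2), Score(3, 1)),
    ThreatObjective("Watering Hole",      Score(2, 3), Score(1, 3)),
)

if __name__ == "__main__":
    print("CISO mission:", ciso_mission(SAMPLE))
    print("Remediation backlog:", remediation_backlog(SAMPLE))
    print(render_grid(SAMPLE, "inherent"))
    print()
    print(render_grid(SAMPLE, "residual"))
```

With the sample values, four objectives sit above the line on inherent risk and define the mission, while only Extortion remains above it on residual risk and goes on the remediation list. Keeping the two grids separate is the point of the model: the inherent view is stable across a strategy horizon, the residual view is what each red team cycle re-scores.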

Practical Applications of Threat Objectives

  • CTI collection priorities — filter threat intel by relevant objectives
  • Risk scoring — vulnerabilities linked to high-priority objectives are prioritized
  • Red team scheduling — exercises designed around specific objective TTPs
  • Third-party risk management — narrow vendor questionnaires to relevant objectives only
  • Board governance — organize briefings and risk appetite discussions around the heat map
  • Incident tagging — tag internal incidents to objectives to trigger escalation/notification

Scoring Considerations

  • Quantifying impact in dollars is discouraged — the CISO is perceived as conflicted; present descriptive scenarios and let governance do the math
  • High-watermark problem — when multiple sub-types within one objective have different profiles, consider splitting into separate objectives
  • Multi-subsidiary orgs — maintain one heat map per major segment only when independent cybersecurity leadership and governance exist for that segment (generally fewer than five)

Departmental Organization

The Three Lines Model

Adapted from the Institute of Internal Auditors:

  • First Line — operational functions; if removed, impact is immediate (revenue/service disruption) → called Cybersecurity
  • Second Line — oversight and monitoring; impact of removal is delayed but lasting → called Security Assurance
  • Third Line — Internal Audit; independent, reports to board audit committee, not management

First-Line Cybersecurity Functions

  • Incident Response / SOC (DFIR) — monitoring, triage, forensics, containment; largest headcount due to 24/7 shift coverage; commonly outsourced
  • Automation — security-specific engineering; Python scripting; automates analyst workflows and reactive controls
  • Architecture — consults with engineering teams; defines security patterns; reviews submissions; specifies tooling
  • Data Science — analytical functions embedded within security
  • Threat Intelligence (operational) — operationalizes indicator feeds into endpoint and network controls

Second-Line Security Assurance Functions

  • GRC — largest second-line team; documentation, policy, regulatory response, governance meeting management
  • Red Team — adversarial testing; second-line because removal doesn't cause immediate operational impact; supplement with external rotation for fresh perspectives
  • AppSec — secure coding practices, pre-deployment testing, Application Development Security Policy (ADSP)
  • TPRM — vendor cybersecurity assessment; threat objective-driven to narrow questionnaire scope
  • IAM — recertifications for sensitive systems; access provisioning
  • Threat Intelligence (strategic) — feeds inherent likelihood in heat map; informs red team scenarios

CISO Reporting Structures

  • First-Line CISO — reports to CIO; oversees primarily operational/reactive functions
  • Second-Line CISO — reports to Chief Risk Officer; oversees risk, GRC, strategy; first-line under CIO
  • Executive CISO — encompasses both lines; should report to CEO or President (not CIO or CRO) to preserve independence; deputies for each line recommended

CISO Deputy Roles

  • BISO (Business Information Security Officer) — aligned to a business segment; most common deputy title; translates central security requirements; ensures subsidiaries receive equitable attention
  • RISO (Regional Information Security Officer) — aligned by geography (NA, EMEA, APAC); accounts for different regulatory environments per region

Benchmarking

  • Headcount ratio — security FTEs as % of total company FTEs; compare only against orgs with similar overall headcount structure; typical range in financial market infrastructure: 1–2%
  • Spend ratio — security spend as % of total OpEx (preferred over IT spend, which lacks a standard accounting definition); typical range: ~1% (~$10–20M per $1B OpEx)

Talent Management

Three Pillars of Talent Retention

  • Mission — altruistic organizational mission, recognizable brand, or cultivated practitioner reputation through conferences and research
  • Empowerment — cultural tone from the top; open-door access to leadership; freedom to fail and innovate; accountability for real impact; hierarchy and classism are the enemy of empowerment
  • Compensation — most quantitative pillar; structure compensation bands with HR in advance to prevent escalation requests from being rejected

An organization needs at least two of three pillars to be competitive.

Compensation Notes

Junior-to-mid promotion typically requires ~33% total comp increase; junior-to-senior ~50%. Standard COLA adjustments (3–4%) are insufficient. Senior roles incorporate bonus and equity (vesting ~4 years = "golden handcuffs"). Signing bonuses are easier to approve than base increases and can bridge gaps.

Screening and Hiring

Avoid accreditation and vendor-specific bias in screening. Use vendor-agnostic, concept-based interview questions (e.g., firewall logic and Layer 3 networking rather than Palo Alto UI specifics). This opens access to candidates from smaller organizations, open-source backgrounds, and students with home lab experience.

Internal Recruiting — High-Value Source Pools

  • Software Engineering → Application Security
  • Systems/Network/Cloud Engineering → Architecture
  • IT Operations → Incident Response
  • Audit/Risk/Compliance/Legal → GRC, IAM, Risk Assessment

Build credibility with source departments by bringing exploitable, demonstrated findings rather than theoretical concerns.

Talent Metrics

  • Headcount donut chart — visualizes team allocation and open positions; surfaces gaps for governance discussion
  • Average tenure — lagging indicator of institutional knowledge depth
  • Anonymous volume-weighted manager surveys — rate managers on empowerment-related behaviors; anonymized aggregation enables candid feedback

Cyber Threat Intelligence (CTI)

Types of CTI

  • Strategic — narrative summaries of incidents or trends; digestible by executives and board; tied to threat objectives above risk appetite; includes confidence intervals
  • Operational — TTPs broken down by kill chain phase; used by incident responders for threat hunting; informs vulnerability prioritization
  • Tactical — Indicators of Compromise (IOCs): IP addresses, file hashes, domain names, email addresses; used for log retrospective analysis; less effective for real-time blocking (indicators are burned before widespread dissemination)

CTI Filtering

CTI must be filtered before dissemination — blasting all intelligence to all teams creates noise and causes stakeholders to disengage. Primary filter: threat objectives above risk appetite. Secondary filter: audience-specific relevance.

Audience map: Incident Response (operational TTPs), Vulnerability Management (exploitation confirmation), CISO/Leadership (strategic intel), Board (curated strategic intel above risk appetite), Customers (ecosystem protection).

Information Sharing

Peer-to-peer intelligence sharing has grown from legally cautious practice to board-level expectation. Smaller groups have higher trust and more candid sharing. Government-run portals suffer from size and trust concerns. ISACs, informal meet-ups, and sector peer groups are most effective.

Traffic Light Protocol (TLP)

  • TLP:RED — recipient only; cannot be shared further
  • TLP:AMBER — within the recipient organization only
  • TLP:AMBER+STRICT — same organization, added 2020 for tighter control
  • TLP:GREEN — community-wide, not public
  • TLP:CLEAR — fully public
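The two-stage filter from the CTI Filtering section (threat objectives above appetite first, audience relevance second) and the TLP sharing rules listed above, combined into one routing step. This is an added example, not from the original notes: the Report and Audience records, the sample reports, the set of objectives above appetite and the assignment of each audience to a sharing scope (customers treated as "community", so they may receive GREEN but not AMBER) are constructed assumptions.

```python
"""CTI dissemination: objective relevance, audience relevance, then TLP sharing scope.

Added example, not part of the original notes. The Report and Audience records,
the sample reports, the appetite set and the assignment of each audience to a
TLP sharing scope are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Sharing scopes each TLP label permits, following the notes: RED stays with the
# recipient, AMBER and AMBER+STRICT stay inside the recipient organization,
# GREEN reaches the community but not the public, CLEAR is fully public.
TLP_SCOPES: Dict[str, FrozenSet[str]] = {
    "TLP:RED": frozenset(),
    "TLP:AMBER+STRICT": frozenset({"internal"}),
    "TLP:AMBER": frozenset({"internal"}),
    "TLP:GREEN": frozenset({"internal", "community"}),
    "TLP:CLEAR": frozenset({"internal", "community", "public"}),
}


@dataclass(frozen=True)
class Report:
    title: str
    kind: str                      # "strategic" | "operational" | "tactical"
    objectives: FrozenSet[str]     # threat objectives the report concerns
    tlp: str


@dataclass(frozen=True)
class Audience:
    name: str
    kinds: FrozenSet[str]          # intel types this audience consumes
    scope: str                     # where the audience sits: "internal" | "community" | "public"


# Constructed audience map following the notes' list; customers are treated as
# a "community" scope (assumption), so they can receive GREEN but not AMBER.
AUDIENCES: Tuple[Audience, ...] = (
    Audience("Incident Response", frozenset({"operational", "tactical"}), "internal"),
    Audience("Vulnerability Management", frozenset({"operational"}), "internal"),
    Audience("CISO/Leadership", frozenset({"strategic"}), "internal"),
    Audience("Board", frozenset({"strategic"}), "internal"),
    Audience("Customers", frozenset({"strategic", "tactical"}), "community"),
)


def route(report: Report, above_appetite: FrozenSet[str],
          audiences: Iterable[Audience] = AUDIENCES) -> Tuple[List[str], str]:
    """Return (recipient names, reason). An empty recipient list explains why."""
    if report.tlp not in TLP_SCOPES:
        raise ValueError(f"unknown TLP label: {report.tlp}")
    # Primary filter: only intel tied to a threat objective above risk appetite goes out.
    if not report.objectives & above_appetite:
        return [], "no threat objective above risk appetite"
    # Secondary filter: audience consumes this intel type and TLP allows its scope.
    allowed = TLP_SCOPES[report.tlp]
    recipients = [a.name for a in audiences
                  if report.kind in a.kinds and a.scope in allowed]
    if recipients:
        return recipients, "ok"
    if not allowed:
        return [], "TLP:RED - recipient only, no redistribution"
    return [], "no permitted audience consumes this intel type"


def disseminate(reports: Iterable[Report], above_appetite: FrozenSet[str],
                audiences: Iterable[Audience] = AUDIENCES) -> Dict[str, Tuple[List[str], str]]:
    """Route a batch of reports; keyed by title so the decision log is reviewable."""
    return {r.title: route(r, above_appetite, audiences) for r in reports}


# Constructed sample input: objectives currently above appetite and a batch of reports.
ABOVE_APPETITE = frozenset({"Extortion", "Sabotage", "Financial Fraud", "Data Theft"})
SAMPLE_REPORTS = (
    Report("Ransomware affiliate targets our sector", "strategic", frozenset({"Extortion"}), "TLP:AMBER"),
    Report("Cryptojacking campaign TTPs", "operational", frozenset({"Resource Hijacking"}), "TLP:GREEN"),
    Report("Credential-stuffing infrastructure IOCs", "tactical", frozenset({"Financial Fraud"}), "TLP:GREEN"),
    Report("Peer incident: data exfil tradecraft", "operational", frozenset({"Data Theft"}), "TLP:RED"),
    Report("Destructive malware trend brief", "strategic", frozenset({"Sabotage", "Extortion"}), "TLP:CLEAR"),
)

if __name__ == "__main__":
    for title, (recipients, reason) in disseminate(SAMPLE_REPORTS, ABOVE_APPETITE).items():
        print(f"{title!r}: {recipients or reason}")
```

The order of the checks matters: the appetite filter runs before any audience matching, so a report about an objective below appetite is dropped even when it carries TLP:CLEAR, and a TLP:RED report about a priority objective is retained by the CTI team rather than forwarded. Recording the reason alongside an empty recipient list gives the team a reviewable trail of what was withheld and why.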

Takedowns and Sock Puppets

  • Takedowns — removal of brand-infringing or malicious internet infrastructure; cease-and-desist letters to registrars/hosts/ISPs are faster and more effective than ICANN UDRP proceedings (~$1,500, months-long)
  • Sock puppets — false identities used to engage adversaries to generate intelligence on TTPs and motivations; risky when discovered; commercial firms provide as managed service; direct employee engagement generally prohibited in corporate environments