Mapping Leadership Talent To Cybersecurity: Part 4, Detect

Detecting cyber-intrusions or threats to information systems falls naturally in the NIST CSF sequence after you've identified what assets you're going to defend and you've developed a process to defend those assets.

Let's let Brendan discuss detection:

The Detect pillar is where daily Cybersecurity operations come into play. Someone has to do the monitoring, and not simply watch the events go by, but confirm that the activity being monitored is either expected or appropriate. Most importantly, the Detect step is about separating the worrisome from the normal, and then taking appropriate action to either confirm that there is an issue or to discover that there is a good explanation. If there is a problem, then we have “an incident” so we go to the Respond pillar (and Incident Response Plan (IRP)).

As part of Detect, you gather evidence. Sometimes the evidence shows you that all is well. Sometimes the evidence shows you that something odd is happening. Sometimes the evidence shows you that something bad is happening. But it is all evidence and it is all worth gathering and reporting. You may choose to archive only the evidence of incidents, but you always gather the evidence and report it up the chain. The evidence assures people with front-line cybersecurity responsibility that they know what is going on. Reporting the evidence up the chain assures the supervisors that the monitoring is happening, and that the monitoring is working.

Think about this like going fishing. You have a certain set of tackle, or bait, or a net or drag line or a lobster pot, that is meant to catch certain aquatic targets. You'll catch other things too that follow your targets or are caught up by your trap (false positives), some -- usually the biggest ones -- will avoid you or turn away (false negatives), and you'll spend a lot of time dealing with what you intended to catch (true positives). Sometimes you'll be hacked (true negatives).

No matter how excellent at detection your artificial intelligence (AI) platform is, you'll continue to make errors. You'll miss things, you won't necessarily notice that you've been compromised, or you will have a false alarm. Detection is not perfect; it only has to be better than your adversary or threat array.

We've profiled strong cybersecurity leaders as part of our assessment development process working with Conchie Associates. Here is one surprising finding: even among highly talented cybersecurity leaders, there are areas where they excel and areas where they struggle. 

Much as with Protect, because cyber-leaders are generally not working with cybersecurity processes on a daily basis, they may have greater variability in their skills and talent than they might for other CSF-related pillars. In contrast to Protect, cyber-leaders shape the saturation of cybersecurity within the organization and so may have more influence on what "counts" as a true positive (etc.); it's part of the cyber-leader's own performance plan.

Here is our take on Detect as a talent area for a cybersecurity leader:

DETECT — Monitoring, Anomaly Analysis & Detection Programs

The DETECT function requires continuous, disciplined operation of monitoring programs and rigorous analysis of detection outputs. The cyber-leader involved with detection is setting the tone for the entire cybersecurity function, and sets the balance for humans teaming with AI.

DETECT as a process depends on a small cluster of themes: 

  • Logic (evidence-based decision-making)
  • Systems Thinking (interconnection tracing)
  • Structure (program rigor)
  • Flexibility (adapting to evolving threats)

In our view, identifying cybersecurity threats requires a puzzle-solving mindset that's nimble and open to revision. It's not paranoia -- basically all cybersecurity has an element of paranoia to it -- as much as it's a drive to master cybersecurity as an evolving technical specialty within the confines of daily operations.

Among our sample of highly talented cybersecurity leaders, people with decades of multi-national experience and success, this function was not the hardest CSF pillar from a talent perspective, but our assessments revealed a variety of ways to address this function.

Here is how our report describes our most talented assessee for this area:

"[The assessee's] exceptional Flexibility supports adaptive detection architecture; high Logic supports rigorous engagement with threat intelligence; while moderate scores for Structure and Systems Thinking sit at levels above peers for these themes."

Here is another talented assessee:

"[The assessee] will not be misled by superficial threat intelligence and will interrogate detection findings rigorously. His moderate Systems Thinking is actually the second-highest among peers. However, the assessee's Structure score is low and creates substantial risk for continuous monitoring program rigor. DETECT requires consistent operation -- not episodic engagement -- and this assessee will need strong SOC leadership beneath him to compensate."

What about lowest-scoring assessees? They tended as a group to have even, moderate scores on the three themes with no outstandingly high or low score.

Among these highly successful assessees, each of whom has significant talent in some areas of the CSF, each approaches the Detect function from a different perspective, and each has a talent-based limitation that needs to be addressed in their development and their teams.

What do we do about this?

We have a strong belief that part of an organization's success requires excellence in human capital identification, accession, and development. You cannot be a world-class cybersecurity program without world-class practices. AI is changing the nature of detection, requiring leaders to think systematically about how they will employ it. Brendan also has thoughts about this.

There will be mistakes at lower levels, and excellent leaders will make some of these mistakes. What separates them and prepares them to engage with business partners is their capacity for resilience, reflection, and humility coupled with a passion for cybersecurity mastery and the business functions they support.

It's called talent and it's not on the resume.

Ask us how you can measure whether your cybersecurity leaders have the talent they need -- and what to do if they need more of it.

(image credit: S. Sachse, A. Bockisch, U. Enseleit, F. Gerlach, K. Ahlborn, T. Kuhnke, U. Rother, E. Kielhorn, P. Neubauer, S. Junne, W. Vonau, CC BY 3.0 <https://creativecommons.org/licenses/by/3.0>, via Wikimedia Commons)