The Great Cybersecurity Bake Off: Mastering the Recipe

Greg Touhill, CISSP, CISM, is the president of Cyxtera Federal Group, former federal chief information security officer, and guest author for the (ISC)² U.S. Government Advisory Council Executive Writers Bureau.

In part one of this series, I addressed the four ingredients necessary for effectively “baking in” cybersecurity. In part two, I address the role that the right cookbook and a trained chef play in mastering your cybersecurity recipe.

If technology represents the ingredients in your cybersecurity recipe, your processes represent the cookbook. Your processes define and document the implementation of your cybersecurity strategy and supporting policies. They provide your workforce, both organic employees and third-party partners, with the instructions of not only what you want done, but why and how it needs to be done properly.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Your processes should clearly link your cybersecurity strategy to discrete tasks supporting your operations. Ensuring that your workforce is appropriately and adequately trained to successfully accomplish those tasks is an essential due care and due diligence function. Training is a continual process and not a “one and done” activity. Best-in-class organizations such as the U.S. military have proven that training-to-task for basic certification, followed by regular continuing task evaluation results in a more proficient, reliable and confident workforce. As a result, risk is better managed.

Great organizations also add to the cookbook with regular testing and auditing of their processes and procedures. They look to make sure that their processes and procedures remain valid, are well-defined, executable and implemented as designed. These organizations are not static and constantly seek opportunities to improve. They embrace a culture of learning and implementing quality improvements. Testing and auditing are invaluable for operations as they help formally define baselines of performance and identify when processes are out of tolerance. Your adversary is not standing still; neither should you. Testing and auditing your processes are essential parts of your cybersecurity recipe.

Thus far we’ve talked about your technology being your ingredients and processes being your cookbooks, but none of it comes together without a chef with the right training and experience to execute the recipe well. As in the culinary arts, which feature such talent as cooks, sous chefs, chefs and executive chefs, cybersecurity requires a variety of skilled talent to meet organizational objectives. You can say that you’ve “baked” cybersecurity in to your products or processes, yet without a workforce that has cybersecurity “baked in” to their culture, attitude and attention, you will not meet your mission objectives nor meet your cyber risk management goals.

“Baking” cybersecurity into your workforce starts at the top. Leaders set the tempo that their people will follow so it is essential throughout the organization that cybersecurity remains on every agenda. You need to clearly define your strategy and risk appetite. You need to understand the value of your information and identify your “key cyber terrain.” Adherence to corporate cybersecurity policy and objectives ought to be on every performance plan and annual appraisal. The reward structure of the organization ought to value and encourage following best practices in protecting valued information as well as creating innovative solutions. If your cybersecurity program is properly designed and implemented, it produces a culture where everyone in the organization recognizes and executes their role in protecting the confidentiality, integrity and availability of the organization’s information.

Sadly, many organizations fall short on producing this type of culture by short-changing cybersecurity training. They merely conduct rudimentary introductory awareness training at in-processing and perhaps have a meager rehash of the “same old stuff, different day” in annual refresher training. This kind of training invariably proves inadequate in today’s highly contested and ever-evolving cyber environment. The best organizations look to constantly improve their cyber risk posture and invest in their people. They conduct regular, innovative and engaging training and awareness programs such as cyber training games, spear-phishing drills and bug bounties that inspire and reward their workforce to pay attention to threats, as well as focus on their role in protecting organizational assets. They prepare the workforce to execute the cybersecurity cookbook with a high level of precision and attention to detail, thus reducing their cyber risk exposure.

The best, just like those famous chefs you see on television, also recognize you need to be ready when things go wrong. When the ice cream machine in the “Chopped” kitchen is unavailable, the chefs there need to know how to quickly respond and recover. When things don’t go as expected, you need to be prepared. Top organizations conduct cyber tactical drills, tests and alerts that hone the skills of their people and refine processes, procedures, and checklists. They conduct cyber exercises that challenge everyone in the organization, not just the technical staff in the server room.

Leaders in these organizations play an active role in these exercises because when leadership is engaged, it reinforces the importance of the activity and dramatically increases the likelihood of success. The best organizations create plans that detail proposed responses to address worst case scenarios and test them in “war games” that harden the workforce against cyber risks while leading to improved responses that reduce enterprise risk and better protect the organization.

Cybersecurity is an essential element of an enterprise risk management program. You can never get your risk to zero, but you can manage it to acceptable levels by “baking it in” to your people, processes and technology. Following best practices, such as those detailed in this article, creates a recipe that demonstrates due care and due diligence, hardens your workforce and delivers results that are more effective, efficient and secure. Challenge yourself to be the best by creating the best cybersecurity recipe possible. As Mary Berry, host of “The Great British Bake Off” says, “…if you follow a good recipe, you will get success.”