When reviewing the latest 2023/2024 infosec trends and technical risk management capabilities, I realized I needed to update the fundamentals outline I had built around the 2021 White House Executive Order (EO 14028, Improving the Nation's Cybersecurity). To achieve the basics while scaling with limited resources, below are the fundamental hygiene items one must cover.
2023 Fundamentals to meet the White House's mandates and scale with limited resources
Enable Secure Application access
Secure expanded attack surface
Secure sensitive data accessed from home
Automate patching
Secure DevOps (DevSecOps)
Embedding security tools in CI/CD pipelines
Automate threat hunting
Automate risk scoring
Automate asset inventory
Security infrastructure as code
Automate API inventory
Automate risk register
Automate security metrics
Resiliency Engineering
Branding
Automation and AI Automation Engineering
R&D technology breakdowns and systems engineering management
Consolidation and reduction of infosec vendors/tools with material value add per unit of spend
Finance
Security Projects
Business Support Drivers Development
Alignment with Projects
Balance FTE and contractors needs
Balancing budget for People, Trainings, and Tools/Technology
CapEx and OpEx considerations
Cyber Risk Insurance
Technology amortization
Retire redundant and underutilized tools
M&A
Acquisition Risk Assessment
Network/Application/Cloud Integration Cost
Identity Management
Security tools rationalization
Outsourced compute and workloads
Multi-Cloud architecture
Strategy and Guidelines
Cloud Security Posture Management (CSPM)
Ownership/Liability/Incidents
Vendor's Financial Strength
SLAs, RTOs, and similar contractual metrics
Infrastructure Audit
Proof of Application Security
Disaster Recovery Posture
Application Architecture
Integration of Identity Management/Federation/SSO
SaaS Policy and Guidelines
Cloud log integration/APIs
Virtualized security appliances
Cloud-native apps security
Container-to-container communication security
Service mesh, microservices
Serverless computing security
Mobile (capital) technology and assets
Technology advancements
Lost/Stolen devices
BYOD and MDM (Mobile Device Management)
Mobile Apps Inventory
Processes
HR/Onboarding/Terminations
Business Partnerships
Standard Operating Procedures to conduct Core Business As Usual Activities
Enablement
Agility, Business Continuity and Disaster Recovery
Understand industry trends (e.g., retail, financials)
Evaluating Emerging Technologies (Quantum, Crypto, Blockchain, etc.)
Data Analytics
Augmented and Virtual Reality
Drones
5G use cases
Edge Computing and Smart endpoints
IoT (R&D)
IoT Frameworks
Hardware/Devices security features
IoT Communication Protocols
Device Identity, Auth and Integrity
Over the Air updates
IoT Use cases
Track and Trace
Condition Based Monitoring
Customer Experience
Smart Grid
Smart Cities / Communities
Others ...
IoT SaaS Platforms
AI/ML
Train InfoSec teams
Secure models
Securing training and test data
Adversarial attacks
Chatbots and NLP
LLaMA
Whisper
ChatGPT and similar models
GIGO (garbage in, garbage out)
Datasets
Deep fakes
Delivery Excellence
Embedding security in Requirements
Design reviews
Security Testing
Certification and Accreditation
Architecture and Design
Traditional Network Segmentation
Micro segmentation strategy
Application protection
Defense-in-depth
Remote Access
Encryption Technologies
Backup/Replication/Multiple Sites
Cloud/Hybrid/Multiple Cloud Vendors
Software Defined Networking
Network Function Virtualization
Zero trust models and roadmap
SASE/SSE strategy, vendors
Overlay networks, secure enclaves
Multi-Cloud architecture
IT Compliance & Auditors
CCPA, GDPR & other data privacy laws
PCI
SOX
HIPAA and HITECH
Regular Audits
SSAE 18
NIST/FISMA
Executive order on improving the Nation's Cybersecurity
Other compliance needs
Legal Risks
Data Discovery and Data Ownership
Vendor Contracts
Investigations/Forensics
Attorney-Client Privileges
Data Retention and Destruction
Team development, talent management
Technical and Enterprise Risk
Physical Security
Vulnerability Management
Ongoing risk assessments/pen testing
Integration to Project Delivery (PMO)
Code Reviews
Use of Risk Assessment Methodology and framework
Policies and Procedures
Testing the effectiveness of phishing simulations and associate awareness
Data Centric Approach
Data Discovery
Data Classification
Access Control
Data Loss Prevention - DLP
Partner Access
Encryption/Masking
Monitoring and Alerting
ICS
PLCs
SCADA
HMIs
Integrate threat intelligence
Vendor risk management
Cyber Risk Quantification (CRQ)
Risk Register
Loss, Fraud prevention
SecOps
Create adequate Incident Response capability
Media Relations
Incident Readiness Assessment
Forensic Investigation
Data Breach Preparation
Update and Test
Incident Response Plan
Set Leadership Expectations
Business Continuity Plan
Forensic and IR partner (retainer)
Adequate Logging
Breach exercises (e.g., simulations)
First responders Training
Ransomware
Identify critical systems
Perform ransomware BIA
Tie with BC/DR Plans
Devise containment strategy
Ensure adequate backups
Periodic backup test
Offline backups in case the online backup is ransomed
Mock exercises
Implement machine integrity checking
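The "implement machine integrity checking" step above (and the File Integrity Monitoring item under Application Security) comes down to one mechanism: a trusted baseline of file hashes and permissions, and a periodic walk that diffs the live system against it. The block below is an added example written for this page, not code from the original post or from any FIM product; it builds a small tree in a temporary directory, baselines it, tampers with it, and returns the drift report (the file names and the `/tmp/evil.so` preload entry are constructed for the demo).

```python
"""File integrity monitoring: hash a directory tree into a baseline manifest,
then compare a fresh walk against it and report added, removed and modified
files. Added example; the tree below is built in a temporary directory."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (relative POSIX path) to its hash and mode bits.
    Symlinks are skipped so a link retargeted at another file shows up as a
    removal rather than being silently hashed through."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        manifest[rel] = {"sha256": sha256_file(p),
                         "mode": oct(p.stat().st_mode & 0o777)}
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Drift report between two manifests; a mode change counts as modified."""
    base, cur = set(baseline), set(current)
    return {"added": sorted(cur - base),
            "removed": sorted(base - cur),
            "modified": sorted(p for p in base & cur if baseline[p] != current[p])}


def demo() -> dict:
    """Baseline a small tree, tamper with it, and return the drift report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "ssh").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")

        # The baseline lives outside the monitored tree; in production it must
        # also be kept off-host or signed, otherwise the attacker rewrites it.
        baseline_path = Path(tmp) / "baseline.json"
        baseline_path.write_text(json.dumps(build_manifest(root), sort_keys=True))

        # Simulated tampering after the baseline was taken (constructed)
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "ld.so.preload").write_text("/tmp/evil.so\n")
        (root / "passwd").unlink()

        return compare(json.loads(baseline_path.read_text()), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points matter in a ransomware scenario specifically: the baseline has to be stored where the attacker cannot rewrite it alongside the files (off-host, or signed with a key that is not on the box), and the walk should run from read-only or offline media when you are verifying a machine you intend to restore rather than rebuild.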
Automation and SOAR
Playbooks
Runbooks
Signals Intelligence and Data Management
Supply chain incident mgmt
Keep inventory of software components
Integrate into vulnerability mgmt
Integrate into SDLC and risk mgmt process
Managing relationships
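The supply chain items above (keep an inventory of software components, integrate it into vulnerability management) are only useful if the inventory can be queried the moment an advisory lands. The block below is an added example, not code from the original post or from any SBOM tool: it matches a CycloneDX-style SBOM against a small advisory list by package URL and version range. The SBOM itself and the `EXAMPLE-0001` advisory are constructed, the `acme-widgets` package is fictional, and the version parser is deliberately simplified (numeric dotted versions; pre-release suffixes are dropped, which a real ecosystem-aware comparer must not do).

```python
"""Software component inventory (SBOM) matched against advisories, so a
supply chain incident can be answered with "which builds ship the affected
version". Added example; the CycloneDX-style SBOM and EXAMPLE-0001 are
constructed, acme-widgets is fictional, and version parsing is simplified."""
import json
import re
from itertools import zip_longest

SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "acme-widgets", "version": "1.4.2",
     "purl": "pkg:pypi/acme-widgets@1.4.2"},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21"}
  ]
}"""

# The Log4Shell entry is real (CVE-2021-44228, fixed in log4j-core 2.15.0);
# EXAMPLE-0001 is a constructed placeholder for a fictional package.
ADVISORIES = [
    {"id": "CVE-2021-44228", "type": "maven",
     "package": "org.apache.logging.log4j/log4j-core",
     "affected": "<2.15.0", "fixed_in": "2.15.0"},
    {"id": "EXAMPLE-0001", "type": "pypi",
     "package": "acme-widgets",
     "affected": ">=1.0.0,<1.5.0", "fixed_in": "1.5.0"},
]

_PURL_RE = re.compile(r"pkg:([^/]+)/(.+)@([^?#]+)")
_CLAUSE_RE = re.compile(r"(<=|>=|==|<|>)\s*(.+)")
_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
        ">=": lambda c: c >= 0, "==": lambda c: c == 0}


def version_key(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); anything after '-' or '+' is dropped (assumption)."""
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    return tuple(int(x) if x.isdigit() else 0 for x in core.split("."))


def cmp_versions(a: str, b: str) -> int:
    """-1, 0 or 1; missing trailing components compare as zero."""
    for x, y in zip_longest(version_key(a), version_key(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


def in_range(version: str, spec: str) -> bool:
    """spec is a comma-separated conjunction of clauses, e.g. '>=1.0.0,<1.5.0'."""
    for clause in spec.split(","):
        op, bound = _CLAUSE_RE.fullmatch(clause.strip()).groups()
        if not _OPS[op](cmp_versions(version, bound)):
            return False
    return True


def parse_purl(purl: str):
    """Split 'pkg:type/namespace/name@version' into (type, 'namespace/name', version)."""
    ptype, path, version = _PURL_RE.fullmatch(purl).groups()
    return ptype, path, version


def match(sbom: dict, advisories: list) -> list:
    """Every (component, advisory) pair whose ecosystem, package and version line up."""
    hits = []
    for comp in sbom["components"]:
        ptype, path, version = parse_purl(comp["purl"])
        for adv in advisories:
            if (adv["type"], adv["package"]) == (ptype, path) and in_range(version, adv["affected"]):
                hits.append({"component": path, "version": version,
                             "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
    return hits


def find_affected() -> list:
    return match(json.loads(SBOM_JSON), ADVISORIES)


if __name__ == "__main__":
    for h in find_affected():
        print(f'{h["component"]}@{h["version"]}: {h["advisory"]} (fix: upgrade to {h["fixed_in"]})')
```

Matching on the package URL rather than the bare name is the part worth copying: `log4j-core` the Maven artifact and a similarly named package in another ecosystem are different things, and an inventory that cannot tell them apart produces both false alarms and missed hits during an incident.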
Detection
Log Analysis/correlation/SIEM
Alerting (IDS/IPS, FIM, WAF, Antivirus, etc.)
NetFlow analysis
DLP
Threat hunting and Insider threat
MSSP integration
Threat Detection capability assessment
Gap assessment
Prioritization to fill gaps
SOC Operations
SOC Resource Mgmt
SOC Staff continuous training
Shift management
SOC procedures
SOC Metrics and Reports
SOC and NOC Integration
SOC Tech stack management
Threat Intelligence Feeds and proper utilization
SOC DR exercise
Partnerships with ISACs
Long term trend analysis
Unstructured data from IoT
Integrate new data sources (see areas under Skills Development)
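"Log Analysis/correlation/SIEM" above is a one-line item, but the correlation logic behind a typical SOC detection is small enough to show whole. The block below is an added example written for this page, not code from the original post or from any SIEM: a sliding-window brute-force rule over sshd-style authentication events, escalated when a successful login from the same source follows the burst. The log lines are constructed in syslog/sshd format, and the thresholds (5 failures in 60 seconds, success within 10 minutes of the burst) are assumptions to tune per environment.

```python
"""SIEM-style correlation over authentication logs: a sliding-window
brute-force rule per source address, escalated to a high-severity alert
when a successful login from the same source follows the burst. Added
example; the sshd/syslog-style lines are constructed, not real logs."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_LINES = """\
2023-09-01T10:00:01Z sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
2023-09-01T10:00:03Z sshd[2202]: Failed password for root from 203.0.113.7 port 51001 ssh2
2023-09-01T10:00:05Z sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 51002 ssh2
2023-09-01T10:00:07Z sshd[2204]: Failed password for deploy from 203.0.113.7 port 51003 ssh2
2023-09-01T10:00:09Z sshd[2205]: Failed password for alice from 203.0.113.7 port 51004 ssh2
2023-09-01T10:00:12Z sshd[2206]: Accepted password for alice from 203.0.113.7 port 51005 ssh2
2023-09-01T10:05:00Z sshd[2300]: Failed password for bob from 198.51.100.9 port 40000 ssh2
2023-09-01T10:05:30Z sshd[2301]: Accepted publickey for bob from 198.51.100.9 port 40001 ssh2
2023-09-01T11:00:00Z sshd[2400]: Failed password for carol from 192.0.2.44 port 33000 ssh2
2023-09-01T11:02:00Z sshd[2401]: Failed password for carol from 192.0.2.44 port 33001 ssh2
2023-09-01T11:04:00Z sshd[2402]: Failed password for carol from 192.0.2.44 port 33002 ssh2
2023-09-01T11:06:00Z sshd[2403]: Failed password for carol from 192.0.2.44 port 33003 ssh2
2023-09-01T11:08:00Z sshd[2404]: Failed password for carol from 192.0.2.44 port 33004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")


def parse(line: str):
    """Normalise one line into an event dict, or None for lines the rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ok": m["result"] == "Accepted", "user": m["user"], "src": m["src"]}


def correlate(lines, threshold: int = 5, window_s: int = 60, follow_s: int = 600):
    """One brute-force alert per source when `threshold` failures land inside
    `window_s` seconds, plus a high alert if that source then logs in
    successfully within `follow_s` seconds of the burst."""
    recent = defaultdict(deque)   # src -> deque of (ts, user) failures in window
    burst_at = {}                 # src -> time the threshold was first crossed
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if not ev["ok"]:
            q = recent[src]
            q.append((ts, ev["user"]))
            while q and (ts - q[0][0]).total_seconds() > window_s:
                q.popleft()               # slide the window forward
            if len(q) >= threshold and src not in burst_at:
                burst_at[src] = ts        # alert once per source, not per failure
                alerts.append({"rule": "ssh_brute_force", "severity": "medium",
                               "src": src, "failures": len(q),
                               "distinct_users": len({u for _, u in q}),
                               "at": ts.isoformat()})
        elif src in burst_at and (ts - burst_at[src]).total_seconds() <= follow_s:
            alerts.append({"rule": "ssh_success_after_brute_force", "severity": "high",
                           "src": src, "user": ev["user"], "at": ts.isoformat()})
    return alerts


def run() -> list:
    return correlate(LOG_LINES.splitlines())


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The third source in the sample (five failures spaced two minutes apart) never trips the rule, which is the point of the window: a threshold without a time bound fires on every user who forgets a password over a week. The `distinct_users` count is what separates a password spray (many users, one source) from a targeted brute force (one user) when the SOC triages the alert.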
Skills Development
Machine Learning
Skill Development
Understand Algorithm Biases
IoT
Autonomous Vehicles
Drones
Medical Devices
Industrial Control Systems (ICS)
Blockchain & Smart Contracts
MITRE ATT&CK
Soft skills
Human experience
DevOps Integration
Prepare for unplanned work
Use of AI and Data Analytics
Use of computer vision in physical security
Log Anomaly Detection
ML model training, retraining
Red team/blue team exercises (and whatever you want to call them)
Integrate threat intelligence platform (TIP)
Deception technologies for breach detection
Full packet inspection
Detect misconfigurations
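"Detect misconfigurations" here, "Security infrastructure as code" in the fundamentals list and "Cloud Security Posture Management" under Outsourced compute all point at the same control: evaluate the infrastructure definition against policy before it is applied, and gate the pipeline on the result. The block below is an added example for this page, not code from the original post or from any CSPM or IaC scanner. It walks a constructed, simplified Terraform-plan-like JSON document (the resource types are real Terraform names, the plan shape and values are made up) and flags admin ports open to the world, public bucket ACLs and unencrypted volumes; the list of admin ports and the severity mapping are assumptions.

```python
"""Policy-as-code checks over an infrastructure-as-code plan: flag security
groups that expose admin ports to the world, public storage buckets and
unencrypted disks before anything is deployed, and gate the pipeline on the
result. Added example; PLAN_JSON is a constructed, simplified Terraform-plan-
like document, not output from a real provider, and the checks are illustrative."""
import ipaddress
import json

PLAN_JSON = """{
  "resources": [
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "values": {"ingress": [
       {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
       {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"address": "aws_security_group.db", "type": "aws_security_group",
     "values": {"ingress": [
       {"from_port": 5432, "to_port": 5432, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "values": {"acl": "public-read"}},
    {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket", "values": {"acl": "private"}},
    {"address": "aws_ebs_volume.scratch", "type": "aws_ebs_volume", "values": {"encrypted": false}}
  ]
}"""

# Ports that must never be reachable from 0.0.0.0/0 or ::/0 (assumption; extend as needed).
ADMIN_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 27017}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0; any other prefix is treated as scoped."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_security_group(res: dict) -> list:
    findings = []
    for rule in res["values"].get("ingress", []):
        world = [c for c in rule.get("cidr_blocks", []) if is_world_open(c)]
        if not world:
            continue
        if rule.get("protocol") == "-1":          # Terraform's "all protocols"
            exposed = ["all"]
        else:
            lo, hi = rule["from_port"], rule["to_port"]
            exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if exposed:
            findings.append({"resource": res["address"], "check": "sg_admin_port_world_open",
                             "severity": "high", "detail": f"ports {exposed} open to {world}"})
    return findings


def check_bucket(res: dict) -> list:
    acl = res["values"].get("acl", "private")
    if acl.startswith("public"):
        return [{"resource": res["address"], "check": "bucket_public_acl",
                 "severity": "high", "detail": f"acl={acl}"}]
    return []


def check_volume(res: dict) -> list:
    if not res["values"].get("encrypted", False):
        return [{"resource": res["address"], "check": "volume_unencrypted",
                 "severity": "medium", "detail": "encrypted=false"}]
    return []


CHECKS = {"aws_security_group": check_security_group,
          "aws_s3_bucket": check_bucket,
          "aws_ebs_volume": check_volume}


def evaluate(plan: dict) -> list:
    """Run every registered check over every resource in the plan."""
    findings = []
    for res in plan["resources"]:
        check = CHECKS.get(res["type"])
        if check:
            findings.extend(check(res))
    return findings


def gate(findings: list, fail_on=("high",)) -> bool:
    """Pipeline gate: True means the plan may be applied."""
    return not any(f["severity"] in fail_on for f in findings)


def run() -> list:
    return evaluate(json.loads(PLAN_JSON))


if __name__ == "__main__":
    found = run()
    for f in found:
        print(f'{f["severity"]:6} {f["check"]:26} {f["resource"]}: {f["detail"]}')
    raise SystemExit(0 if gate(found) else 1)
```

Note that the HTTPS rule on the same security group passes: the check is about which ports are world-reachable, not about `0.0.0.0/0` by itself, which keeps the gate from blocking every public web tier. The same functions can run against exported live configuration on a schedule, which is the posture-management half of the control, so drift introduced outside the pipeline is caught too.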
Prevention
Network/Application
Firewalls
Vulnerability Management
Scope
Operating Systems
Network Devices
Applications
Databases
Code Review
Physical Security
Cloud misconfiguration testing
Mobile Devices & Apps
Attack surface management
IoT
OT/SCADA
Identify
Periodic (or continuous)
Comprehensive
Classify
Risk Based Approach
Prioritize
Mitigation (Fix, verify)
Measure
Baseline
Metric
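The Vulnerability Management flow above (identify, classify, take a risk-based approach, prioritize, fix and verify, then baseline and measure) and the earlier item "Automate risk scoring" are the same computation seen from two sides. The block below is an added example written for this page, not code from the original post or from any scanner: it scores findings from CVSS, asset criticality, exposure and known exploitation, assigns a remediation SLA from the score, and emits baseline metrics to trend. The weights, SLA thresholds and the findings themselves are constructed for illustration (the `ref` values are placeholder scanner references, not CVE identifiers).

```python
"""Risk-based vulnerability prioritisation: score each finding from its CVSS
base score, the asset's criticality, internet exposure and whether the bug
is known to be exploited, assign a remediation SLA from the score, and
derive baseline metrics. Added example; weights, thresholds and findings
are constructed for illustration, not real scan output."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Finding:
    host: str
    ref: str               # scanner reference; placeholders below, not real CVEs
    cvss: float            # CVSS v3 base score, 0.0 - 10.0
    criticality: int       # asset criticality 1 (low) .. 5 (crown jewel)
    internet_facing: bool
    known_exploited: bool  # e.g. listed in a known-exploited-vulnerabilities catalogue
    found: date


def risk_score(f: Finding) -> float:
    """0-100 score. Weights are an assumption; tune to your own risk appetite."""
    score = f.cvss * 10 * (0.6 + 0.1 * f.criticality)  # criticality scales x0.7 .. x1.1
    if f.internet_facing:
        score *= 1.25
    if f.known_exploited:
        score *= 1.5
    return round(min(score, 100.0), 1)


def sla_days(score: float) -> int:
    """Remediation SLA bucket in days; thresholds are an assumption."""
    if score >= 90:
        return 7
    if score >= 70:
        return 30
    if score >= 40:
        return 90
    return 180


def prioritise(findings, today: date) -> list:
    """Rows sorted by score (descending) then due date, with overdue flagged."""
    rows = []
    for f in findings:
        s = risk_score(f)
        days = sla_days(s)
        due = f.found + timedelta(days=days)
        rows.append({"host": f.host, "ref": f.ref, "score": s, "sla_days": days,
                     "due": due, "overdue": today > due,
                     "age_days": (today - f.found).days})
    rows.sort(key=lambda r: (-r["score"], r["due"]))
    return rows


def metrics(rows: list) -> dict:
    """Baseline metrics to trend over time: count per SLA bucket, overdue
    count and mean age of open findings."""
    return {"per_sla": dict(Counter(r["sla_days"] for r in rows)),
            "overdue": sum(r["overdue"] for r in rows),
            "mean_age_days": round(sum(r["age_days"] for r in rows) / len(rows), 1)}


# Constructed findings; FINDING-n are placeholders, not real identifiers.
TODAY = date(2023, 9, 1)
FINDINGS = [
    Finding("web-01", "FINDING-1", 10.0, 5, True, True, date(2023, 8, 20)),
    Finding("app-03", "FINDING-2", 7.5, 3, False, False, date(2023, 5, 1)),
    Finding("web-02", "FINDING-3", 5.3, 2, True, False, date(2023, 8, 1)),
    Finding("lab-09", "FINDING-4", 4.0, 1, False, False, date(2023, 1, 10)),
    Finding("jump-01", "FINDING-5", 6.5, 2, False, True, date(2023, 8, 15)),
]


def report():
    rows = prioritise(FINDINGS, TODAY)
    return rows, metrics(rows)


if __name__ == "__main__":
    rows, m = report()
    for r in rows:
        print(f'{r["host"]:8} {r["ref"]:10} score={r["score"]:5} sla={r["sla_days"]:3}d '
              f'due={r["due"]} overdue={r["overdue"]}')
    print(m)
```

The ordering is the useful part: a medium-CVSS bug on a jump host with a public exploit outranks a higher-CVSS bug on an internal app server, which is what "risk-based" means in practice and what a raw CVSS sort gets wrong. The `metrics` output is the baseline to report against; the value to watch over time is the overdue count per bucket, not the total finding count.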
Application Security
Application Development
Standards
Secure Code
Training and Review
Application Vulnerability Testing
Change Control
File Integrity Monitoring
Web Application Firewall
Integration to SDLC and Project Delivery
Inventory open source components
Source code supply chain security
API Security
IPS
Identity Management
DLP
Anti-malware, Anti-spam
Proxy/Content Filtering
DNS security/ filtering
Patching
DDoS Protection
Hardening guidelines
Desktop security
Encryption, SSL/TLS
PKI
Security Health Checks
Public software repositories
IAM/Authn/Authz
Identity Credentialing
Account Creation/Deletions
Single Sign-On (SSO) / simplified sign-on
Repository (LDAP/Active Directory, Cloud Identity, Local ID stores)
Federation, SAML, Shibboleth
Two-factor / multi-factor authentication (MFA)
Role-Based Access Control
Ecommerce and Mobile Apps
Password resets/self-service
HR Process Integration
Integrating cloud-based identities
IoT device identities
IAM SaaS solutions
Unified identity profiles
Passwordless authentication
Voice signatures
Face recognition
IAM with Zero Trust technologies
Privileged access management
Use of public identity providers (Google, Facebook, etc.)
OAuth
OpenID
Digital Certificates
Infosec Basics Office
Strategy and business alignment
Security policies, standards
Risk Mgmt/Control Frameworks
COSO
COBIT
ISO
ITIL
NIST - relevant NIST standards and guidelines
FAIR
Visibility across multiple frameworks
Resource Management
Roles and Responsibilities
Data Ownership, sharing, and data privacy
Conflict Management
Metrics and Reporting
Operational Metrics
Executive Metrics and Reporting
Validating effectiveness of metrics
IT, OT, IoT/IIoT Convergence
Explore options for cooperative SOC, collaborative infosec
Tools and vendors consolidation
Evaluating control effectiveness
Maintaining a roadmap/plan for 1-3 years
Aligning with Corporate Objectives
Continuous Mgmt Updates, metrics
Innovation and Value Creation
Expectations Management
Build project business cases
Show progress/ risk reduction
ROSI