CISO Freebook Final


TABLE OF CONTENTS

Introduction
1 • About the authors
2 • Learning from History? and My First CISO Lesson: The Squirrel
3 • The Business of Being CISO
4 • Securing Cyberspace Is Everybody's Business
5 • Business Strategy and Value Preservation

Chapter 2

Learning from History?

I’m often asked, “What is the most important thing about being a Chief Information
Security Officer (CISO)?” Interestingly, over the years, the answer has changed,
just like the field of information security.
Twenty-five years ago, I would have listed technical expertise. Most of us were
one-person shops with a focus on antivirus and firewall rules. The threats were
fairly slow moving, as was technology. Over the years the job has changed, and I will
now unequivocally tell everyone that leadership is the most critical attribute.
The CISO is now one role in an effective security group. Don’t get a big head, I
didn’t say the most important, just one of the jobs.
A seasoned CISO understands the value of hiring people technically smarter
than him or her. You need all sorts of tools and talent to be successful; you can’t do
it all yourself. Your job is to lead the program with skill, not dictate. Information
security is a war of attrition, and leading your staff is like training the team to run
a marathon. You can’t do it by running on their heels and barking commands. You
must give them something to run toward. The way you do it is by exhibiting strong
leadership and having a crystal clear strategy. Be transparent and honest. You hired
smart people; let them do their job. Remember, even though you undoubtedly
worked hard to achieve the CISO title; don’t get too wrapped up in your own self-
importance. Being the leader is a job that is only needed if there is a team. Value
and nurture them.
If you follow information security and stories of breaches, you’ll notice as I did
that every year lately is referred to as the year of the breach. We are seeing unheard
of numbers of records being breached, and the reports of breaches are coming faster
and faster.
As I said, we are in a war of attrition with the criminals. The professional crimi-
nals are well organized, well trained, and well compensated. When I first started,
the typical hacker was a loner, or a teen with too much time on their hands. The

6 ◾ The CISO Journey

typical attack was a nuisance attack, more of an irritant than anything. We used to
refer to a large portion of them as “ankle biters.” Don’t worry, this will not turn into
a yearning for the “good old days” discussions. The world of today is what it is. We
have no control over the bad guys, we can only control how we respond and react.
There is no silver bullet; if there was, we would all know about it. In fact, I propose
that focusing all your efforts on searching for a technology solution will ultimately
hurt your security stance.
The best security solution for a business is a balance of People, Process, and
Technology controls that is tailored to the business need and mission. Throughout
this book, you will see me reference the People, Process, and Technology model.
Putting too much emphasis on only one segment weakens the whole model. Your
job is to be the visionary that maintains the balance. There are security frameworks
and control structures we can reference, but I’m sad to say there is no cookie cutter
approach that guarantees security.
Much of what we do as CISOs or security professionals is based on our experi-
ences and the lessons we have learned over the years. Mentorship is a critical part of
the development of our skills. In my case, I was lucky to have an excellent mentor
named Rick Jacek who taught me as much about human behavior as technology.
Rick was the Technology Troubleshooter for the company. If there was a technol-
ogy product headed south anywhere in the global company, Rick was sent in to
fix it. It was from him that I initially learned about the importance of People,
Process, and Technology, as it was never just one component that put the project
at risk. He was also keenly aware of the effect of culture, particularly outside of the
United States. I remember a discussion with a business unit manager in a South
American company recently purchased by the firm for which we worked. Rick had
to convince the manager that keeping a pile of cash in his desk drawer to “get things
done” was no longer an acceptable operating model.
I also learned from various mentors that Information Technology is in place to
serve the business, not the other way around. Computers are just a tool that allows
us to do what we are in place to do: serve the customer. This was made clear to
me in my first “Data Processing Manager” role for a manufacturing firm. My job
was to run systems that supported the end goal of getting product on the shipping
dock at the end of the day. If I did anything to jeopardize that goal, my job was at
risk. I knew my job was less important than the people who built and shipped the
product. A lesson I’ve kept till this day.
We have to constantly rethink our strategies and approaches. It’s clear that the
“build big walls” strategy of the past is not working. Technology companies would
have us believe that if we buy the latest, greatest product, we will be safe, but com-
mon sense tells us that is simply not true.
We are also at a significant crossroads in the evolution of the CISO role. The
image of an ass-kicking, hard-charging, and damn the torpedoes, barely legal cyber
cowboy must die. While I still see many of my peers hanging on to that stereotype,
it is absolutely the opposite of the C suite executive. We must become business
people, able to protect the business while showing the value of what we are doing.
We all remember the FUD factor: Fear, Uncertainty, and Doubt? In the past, we all
used it at least a little to scare the business into making critical security investments.
Well, put it away, it doesn’t work in the long term anymore. You need to be a busi-
ness partner, an advocate of the business, and build the critical alliances necessary
to strengthen the security culture of the organization.
The other stereotype that must die is what I call the “secret police.” While it is
true that CISOs have many tools at their disposal that can monitor user activity,
they must not be used for fishing expeditions or to instill a “big brother” mentality
at a business. Ultimately, that will destroy security goodwill and culture. Watch
for the security folks who like to wear fobs or toys from law enforcement. Watch
for the people who say if they had to do it over again they would join the CIA or
Secret Service. CISOs must investigate, but must do it within the bounds of cor-
porate policy and culture. Like many people, I am a Dilbert fan. One of the char-
acters that turn up from time to time is “Mordac—The Preventer of Information
Services.” Trust me, you never want to get pegged as that person. If people assume
your answer will be no, they will look for ways around you. Your job is to say
“how” to do it securely. Work with the business, be part of the solution, don’t be
the problem.
For most of us, we are charged with protecting the information entrusted to the
company by its customers. We don’t own it, and we are bound by professionalism
to build and maintain a balanced security structure to protect it. It has taken me
years of experiences to build an approach to security. While it is impossible to cover
30 years in a short book, I’d like to share some of the major lessons and rules I’ve
developed. Around those lessons, I will try to inject some of my current thinking
on the issues.
Have I done everything right? Hell no. The one thing I do wish is that I’d had
a dedicated CISO mentor, but since that wasn’t possible, I gleaned information
from some great mentors over my career. My hope is that you take my experience
and thinking, and find at least a couple of good ideas that will help you in your
“Journey.”
Spoiler Alert: Since every business is different, and the threats morph quickly,
there is no silver bullet. You will have to find your way, build your alliances, and
become the great CISO that the industry needs going forward.
Chapter 3

My First CISO Lesson: The Squirrel

It all started in my youth:


We all have life lessons learned as a child. Many of them are common, such
as work hard, study hard, be honest, and have integrity. However, there are some
in retrospect that, while we did not know it at the time, gave us long-term lessons
for life.
My first lesson started with a bird feeder. As a boy, I was always messing with
my father’s tools, building things out of whatever I could find. One of my great
achievements was a bird feeder for the yard. After careful planning, crafting, and
painting, I proudly staked it out in our yard, filled it with seed, and went in the
house confident that we would be overrun with colorful birds in no time.
The next morning, I jumped up, ran to the window to see the flock of birds, and
much to my surprise, the feeder was empty…and no birds. The lawn around the
feeder looked like a mess, strewn with seeds—those must have been some ravenous
birds. I filled up the feeder one more time in the evening, confident that if I got up
early, I’d see the flock of birds.
Setting my alarm early, I ran to the window, and much to my shock, I saw no
birds; only a gray squirrel having breakfast…On My Bird Feeder!!!! Immediately,
my mind began to formulate plans to stymie this interloper; no free food for this
squirrel anymore.
Over the next few days, I tried every trick I knew; I greased the pole, I put a
rubber collar on the pole, I sprayed ammonia around the pole. But every day the
story was the same: the squirrel was getting fatter and my bird feeder was always
empty. Not only that, but to this day, I swear that the little SOB started mocking


me from his perch in the neighbor’s yard. It had become personal. That little rat
with a fuzzy tail was messing with me, an official Boy Scout.
The daily war continued for a couple of weeks. I was more irritated; the squir-
rel was fatter. Finally, one day, our neighbor, who was a retired farmer, sensed my
frustration and came over with some sound advice. He said, “I see your problem,
and you will never beat that squirrel!” “Why?” I asked, trying to be polite. He took
a puff on his pipe, looked at me wisely and said, “You spend maybe an hour a day
trying to keep that squirrel out of your feeder, but that squirrel spends 24 hours a
day figuring out how to steal your bird seed. If you are not prepared to make the
same effort to keep him out, you will lose.”
At that time, I thought I had learned a lesson about bird feeders and squirrels.
But, as I progressed in my career, I realized that it was about dealing with adversar-
ies of any type. In the cybersecurity world, we are no longer dealing with part-time
hackers, we are dealing every day with organized, well-funded, effective groups of
“squirrels” intent on stealing our corporate “bird seed.” These cyber criminals also
communicate well and share information freely among themselves. Interestingly,
this is contrary to the culture we have bred in the information security profession.
We tend to keep ourselves and our organization’s information locked up in a silo;
we have been taught that sharing vulnerabilities and problems we have experienced
is a bad thing. The actuality of the situation couldn’t be further from the truth.
Through this book, I will share experiences, something we must all learn to do if we
are to keep pace with our adversaries. The journey from good to great is not enough.
Unfortunately, our adversaries are already great at being bad.
Later in my career, I took a job where I had to live in New Jersey for a couple
of years. When I shared this story at a local conference, an attendee told me that,
in Jersey, they would have had a different approach to solving the squirrel story.
He told me that he “knew a guy who knew a guy that could make the squirrel
disappear—If you know what I mean…” Ah, what a difference cultures bring to
problems. The diversity of solutions to a single problem (in this case, tongue in
cheek, hopefully) shows that we must be open and ready to embrace many sugges-
tions and solutions.

The Big Question: How Did I End Up in Info Security?


OK, I’ll date myself. As a young engineer, I drew my designs on paper. You know
that white flat stuff we used to use? Every morning, I stood in front of my drafting
board with a new sheet of white vellum, sharp pencils, my slide rule, a company logo
pocket protector, and endless possibilities. Life was good and the world was in order.
My efforts were only bounded by one rule: never draw more in the morning than
you can erase in the afternoon. I did everything to keep the universe in balance.
But we’re not here to talk about the good old days. Let’s bring it back to security.
Our designs (or data) were committed to paper. Data security was basically locking
the room where all the drawings were kept. If you were authorized to enter the print
room, you could check out a drawing, signing a log to acknowledge your actions.
All revisions or changes you made to the design were noted on the drawing, and
the drawing was eventually checked back in. If needed, you could make a copy
of the drawing. All critical drawings were microfilmed and the copy was kept off
site in case of disaster. Simple, manual, and easy to understand. And…we always
knew where the data were and if they were secure. I like to refer to this as the “good
old days” from a security perspective. However, it had productivity problems, and
needed to change to meet new business demands and the pace of industry in general.
Computerization came charging into engineering. As we began to explore
Computer-Aided Design, we realized that even though we printed out the draw-
ings (and locked them in the print room), we now had an electronic version of the
drawings that somehow had to be secured. We started with one generic sign-on for
all the engineers with no password, and slowly worked our way into each person
having a unique account name and password. By the way, once we had the design
on the computer, we printed it out and put it in the print room. Paper was still the
official copy and archive.
As always happens, business continued to change. Production’s need to build
products faster and more flexibly drove the development of computer-controlled
equipment, which was electronically linked to the digital designs. While the early
machines kept the programs on rolls of black paper tape with ASCII format holes
punched in them, it was only a matter of time until the business wanted online stor-
age. As an engineer, one of my early projects was to connect production machines
via a thick coax-based cable to a central PC-based server. Today, that is about a
two-hour job to connect and format the equipment. I’m almost embarrassed to
say I spent six months on the project. Now, we had connectivity from the “office”
to the “factory floor.” With the changes in manufacturing such as Kanban and
Just-in-Time, the business also wanted the inventory levels linked real time to the
manufacturing processes.
Because of the dynamic environment, we had to look at setting up a type of file
level security to put a “wall” between production and designs, which were still in
development. Multiple levels of folders with unique access control lists soon came
around, and eventually we needed someone who specialized in this file level access.
At this time, there was no Internet: Securing the electronic frontier was simply a
matter of unplugging the modem we used for file transfer. There were good tools
from the computer companies to manage access to files and manage user IDs. No
distributed computers or PC networks, but that was all about to change.
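The “wall” between production and in-development designs that folder-level access control lists provided can be illustrated with a small evaluator. This is an added example written for this edit, not code from the book or from any product the author used; the folder tree, the two groups (engineers, production), the users and their permissions are all constructed, and the evaluation rule (the most specific folder entry for a group wins, an empty entry is an explicit denial, nothing is granted by default) is one common design rather than a description of a particular system.

```python
"""Folder-level ACL evaluation with inheritance: the kind of 'wall' between
production and in-development designs described above.  Added example, not
the book's code; the tree, groups and permissions are constructed."""
import posixpath
from typing import Dict, FrozenSet, Iterator, Set

READ, WRITE = "read", "write"

# folder -> {group -> permissions}.  A folder with no entry for a group
# inherits that group's entry from the nearest ancestor that has one.
# An empty frozenset is an explicit "no access" that stops inheritance.
FOLDER_ACLS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "/designs": {
        "engineers": frozenset({READ, WRITE}),   # work in progress lives here
        "production": frozenset(),               # the wall: the shop floor sees nothing...
    },
    "/designs/released": {
        "engineers": frozenset({READ}),          # released drawings are frozen
        "production": frozenset({READ}),         # ...except what has been released
    },
    "/production/programs": {
        "production": frozenset({READ, WRITE}),  # machine programs belong to production
        "engineers": frozenset({READ}),          # engineers may look, not change
    },
}

# Constructed users; in practice this comes from the directory service.
USER_GROUPS: Dict[str, Set[str]] = {
    "alice": {"engineers"},
    "bob": {"production"},
}


def _normalize(path: str) -> str:
    """Collapse '..' and '.' so a path cannot slip past a parent folder's ACL."""
    if not path.startswith("/"):
        raise ValueError("absolute path required")
    return posixpath.normpath(path)


def _ancestors(path: str) -> Iterator[str]:
    """Yield the path itself, then each parent folder up to '/'."""
    while True:
        yield path
        if path == "/":
            return
        path = posixpath.dirname(path)


def group_permissions(path: str, group: str) -> FrozenSet[str]:
    """The most specific ACL entry for the group along the path decides."""
    for folder in _ancestors(_normalize(path)):
        entry = FOLDER_ACLS.get(folder, {})
        if group in entry:
            return entry[group]
    return frozenset()   # no entry anywhere: nothing is granted


def effective_permissions(user: str, path: str) -> FrozenSet[str]:
    """Union of what each of the user's groups gets at this path."""
    perms: Set[str] = set()
    for group in USER_GROUPS.get(user, set()):
        perms |= group_permissions(path, group)
    return frozenset(perms)


def allowed(user: str, path: str, perm: str) -> bool:
    return perm in effective_permissions(user, path)


if __name__ == "__main__":
    checks = [
        ("alice", "/designs/wip/widget-v4.dwg", WRITE),           # True
        ("bob", "/designs/wip/widget-v4.dwg", READ),              # False: behind the wall
        ("bob", "/designs/released/widget-v3.dwg", READ),         # True
        ("alice", "/designs/released/widget-v3.dwg", WRITE),      # False: released is frozen
        ("bob", "/production/programs/lathe-7.nc", WRITE),        # True
        ("alice", "/production/programs/lathe-7.nc", WRITE),      # False
        ("bob", "/designs/released/../wip/widget-v4.dwg", READ),  # False: '..' normalized away
    ]
    for user, path, perm in checks:
        print(f"{user:6} {perm:5} {path}: {allowed(user, path, perm)}")
```

Two details carry most of the security value: the empty entry for production at `/designs` is what makes the wall explicit rather than accidental, and normalizing the path before walking the ancestors is what keeps a `..` segment from being evaluated against the wrong folder's ACL.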
The Internet hit us all. A project to create the first company website was a major
project driven by high-priced consultants. We put in our first firewall in about
1990. It was not very sophisticated; it was simply a packet filter. Packet filters worked
by inspecting the “packets” transferred between computers on the Internet.
If a packet matched the packet filter’s set of filtering rules, the packet filter dropped
it. It was simple and effective, but just a beginning.
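As an added illustration of the packet-filter behaviour just described (example code written for this edit, not the book's or any vendor's), the following Python implements a stateless, first-match, default-deny filter for inbound traffic. The company network 192.0.2.0/24, the web server 192.0.2.10 and the rule set are constructed assumptions using documentation address ranges.

```python
"""Stateless packet filter of the early-firewall kind described above.
Added example, not the book's code.  Rules are checked in order; the first
rule that matches decides, and anything no rule matches is dropped."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str                     # source IP address
    dst: str                     # destination IP address
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port (None for icmp)


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    src: str = "0.0.0.0/0"       # source network; default matches any
    dst: str = "0.0.0.0/0"       # destination network; default matches any
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        # Every field of the rule must agree with the packet header.
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """Return 'accept' or 'drop' for one inbound packet (first match wins)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"   # default deny: nothing passes unless a rule permits it


def filter_batch(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Decide a list of packets; returns the decisions in the same order."""
    return [filter_packet(rules, p) for p in packets]


# Constructed rule set for inbound traffic at a 1990-style perimeter.
# Assumptions: the company LAN is 192.0.2.0/24 and the public web
# server is 192.0.2.10 (documentation addresses, not real hosts).
LAN = "192.0.2.0/24"
WEB_SERVER = "192.0.2.10/32"
INBOUND_RULES = [
    # Anti-spoofing: a packet arriving from the Internet must not claim a LAN source.
    Rule("drop", src=LAN),
    # The only service exposed on purpose: HTTP to the web server.
    Rule("accept", dst=WEB_SERVER, proto="tcp", dport=80),
    # Everything else (telnet, other hosts, UDP, ICMP, ...) falls through to the default drop.
]


if __name__ == "__main__":
    # Constructed sample packets; no real traffic involved.
    samples = [
        Packet("203.0.113.5", "192.0.2.10", "tcp", 80),   # web request: accept
        Packet("203.0.113.5", "192.0.2.10", "tcp", 23),   # telnet to web server: drop
        Packet("192.0.2.77", "192.0.2.10", "tcp", 80),    # spoofed LAN source: drop
        Packet("203.0.113.5", "192.0.2.20", "tcp", 80),   # HTTP to a non-exposed host: drop
        Packet("203.0.113.5", "192.0.2.10", "icmp"),      # ping: drop
    ]
    for pkt, decision in zip(samples, filter_batch(INBOUND_RULES, samples)):
        print(f"{pkt.src:>14} -> {pkt.dst}:{pkt.dport} {pkt.proto:<4} {decision}")
```

The filter keeps no connection state, which is exactly why such devices were “just a beginning”: it cannot tell a reply to a connection the LAN opened from an unsolicited packet, so permitting return traffic meant opening broad holes on high ports, a gap that stateful inspection later closed.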
Business and academia drove continuous change. More features and function-
ality brought additional risks. The cycle continued to spiral. Interestingly, in the
early days of my career, I thought the job would be more of an administrative func-
tion. The primary job was to design and administer access to information to protect
the information from loss or accidental corruption. How wrong can one guy be?
Over the years, I developed rules of Information Security. I adopted some from
peers, learned them through sometimes-hard lessons, and noticed that they were a
recurring theme at every turn. They are as follows:

◾ A weak foundation amplifies risk.
◾ If a bad guy tricks you into running his code on your computer, it’s not your
computer anymore.
◾ There’s always a bad guy out there who’s smarter, more knowledgeable, or
better-equipped than you.
◾ Know the enemy, think like the enemy.
◾ Know the business, not just the technology.
◾ Technology is only one-third of any solution.
◾ Every organization must assume some risk.
◾ When preparation meets opportunity, excellence happens.
◾ There are only two kinds of organizations: those that know they’ve been com-
promised, and those that don’t know yet.
◾ In information security, just like in life, evolution is always preferable to
extinction.
◾ A security culture is in place when talk is replaced with action.
◾ Never Trust and Always Verify.

Rather than walk through my entire life, I am going to organize the next sec-
tion in line with my rules of information security. In each section, we will discuss
the circumstances that prompted me to add a rule, and discuss current industry
best advice on the subjects.
My hope is that I can pass on some advice, lessons learned, or stories that will
strike a chord with you. Enjoy my life experiences and cyber stories. Good luck in
your career!
2
THE BUSINESS OF BEING CISO

The office of the CIO is large—one of the largest I’ve ever seen.
The couch on which I am sitting is comfortable enough to sleep
in. The view outside the window is impressive, and somewhat
distracting. We’ve been here for a little while discussing why, in
particular, this Fortune-500 executive should bother with bring-
ing me on as a consultant to help with, of all things, enterprise
security. And we’re talking because the case being made is that the
help is needed, not necessarily on a technical or operational level,
but in terms of the company’s business strategy.
In other words, I’m not here to configure firewalls.
It’s actually going surprisingly well, even though I am admit-
tedly somewhat intimidated. I only incorporated my “company”
earlier that year, after a few years of operating under my individual
banner. The custom-tailored suit I’m wearing is the most expensive
article of clothing I have ever owned, which is good, but my shoes
in this company show their off-the-shelf origin, and it shows.
For heaven’s sake, why am I thinking about my shoes?
Concentrate, Barak!
I have already decided that no matter what happens, the CIO
is one of my favorite people ever. Gregarious, smart, witty, hilar-
ious—I can’t help but like him as we go through an increasingly
uncomfortable vivisection of my career experiences and the rea-
soning behind why he should allocate a budget to this effort, then
rapidly switching to favorite war stories, clearly a trust-building
experience.
There’s a pause in the conversation.

26 WHY CISOs FAIL

“OK, Barak. So just tell me one thing,” he switches gears. I
tense up. My brain goes on alert. He looks directly at me, with a
smile, but do I detect a glint in his eye?
“Why are you so expensive?”
Truth is, I’m not. I know that. In fact, I’ve charged twice before,
in terms of hourly rates, what is in this proposal. I know he’s testing
me. This is not a real question—it’s a validation question, a device
designed to assess my reaction, regardless of the content. During
later years, I came to learn that he would often ask these sorts of
off-the-wall questions, just to see how someone would respond,
and gauge their reaction. It helped him judge their character.
My sense is that how I respond may determine the fate of our
relationship.
I take an almost uncomfortably long, 2-second break to con-
sider my answer. Then it comes to me, and I retort with what is,
admittedly, a bit of relish.
“Because I’m Jewish.”
The room, it seems, rocks slightly as we laugh ourselves into
initialing the contract.

Let me go old style on you for a moment.


Roughly three decades ago, the notion of a paperless office came
forcefully into being, as well as common definition. In some ways,
it was the first truly significant “computer revolution,” in the sense
that it entered the common person’s technology awareness as a way
of efficiently running a business. With advances in computing and
networks, it seemed that in just a few short years, companies would
no longer need to depend on paper (soon to be joined by phones, mail,
and other stone-age relics) at all. It made sense, but the resulting cycle
fit the classic technology hype cycle almost to a “T”; it took many
more years than predicted to get there, and when it finally did hap-
pen, nobody seemed to notice. The transition turned out to be almost
too gradual (Figure 2.1).
Yet happen it did.
Eventually.
Today, of course, we live in a reality where the enterprise is, indeed,
living “in the network,” whether it is local and portable (the CEO’s
[Figure 2.1: Gartner Research’s Hype Cycle diagram. Axes: Visibility (vertical) against Time (horizontal); phases in order: Technology trigger, Peak of inflated expectations, Trough of disillusionment, Slope of enlightenment, Plateau of productivity.]

Figure 2.1 Gartner Research’s Hype Cycle diagram. (From Jeremykemp at English Wikipedia,
https://commons.wikimedia.org/wiki/File:Gartner_Hype_Cycle.svg; Gartner Hype Cycle,
https://creativecommons.org/licenses/by-sa/3.0/legalcode.)

laptop and mobile devices), localized (the office networked file sys-
tem), co-hosted in some data center usually belonging to somebody
else, or (increasingly) virtually in the cloud. Today’s big advances that
aim to disrupt and enhance the mechanisms of business creation and
growth are the cloud, big data analytics, mobile computing including
BYOD (bring your own device, also known as the bane of IT depart-
ments everywhere), and Internet of things (IoT)—a term which is set
to become the number one term used in security product marketing
in 2017.
Or somewhere close to it, anyway. It is, after all and on top of being
a fascinating technology development, a very handy bogeyman.
Whereas in that incredibly distant past of the late twentieth cen-
tury, a top executive could limit access to sensitive information simply
by locking it in their office safe, thereby also guaranteeing, more-or-
less, that unauthorized access is at least pretty noticeable, today they
must rely on an army of people (the IT folks) to manage a kind of
digital safe whose keys are not even in that executive’s pocket. He
or she can simply access it like anybody else. The keys are in the IT
department.
And not only are those keys not physical (passwords aside), they are
often practically impossible to understand.
Heck, when I write security policy these days, which I occasion-
ally still do (what can I say? embrace the weird), I always find myself
having to mentally shake off the cobwebs when inserting clauses
related to locking away sensitive documents… mostly because many
new companies often don’t even have locks on internal doors, let alone
safes or even heavy furniture.
Worse, our modern executive has to make a lot of other assump-
tions, which if they are smart (and most executives did not get to
that position by being stupid) they know are complete bunk. They
are expected to trust that the IT department will set up access in a
way that reflects a proper and nuanced understanding of the business
requirements behind granting such access to particular individuals;
react at any given time to changes in the business environment that
they have no visibility into nor the experience to interpret in any rea-
sonably contextual sense (check that list again: cloud, big data, ana-
lytics, BYOD, IoT… the list goes on); ensure that this virtual safe is
properly guarded at all times; and so on. I won’t even go into special
business scenarios, such as the surreptitious changing of the safe code
due to a suspicion that an insider may have been able to gain access to
it in order to make copies of documents to take with them to their new
employer, which happens to be a direct competitor.
I can go on, but you get the point. Any sane person in senior man-
agement knows, with unshakable confidence, that as much as they
may adore and trust their IT administrators, there is no way they
can expect them to make the right access decisions, day in and day
out, to critical data. It is a source of continuing tension between the
business leaders—CEO, COO, and CFO, to name a few—and their
company’s technology hierarchy.
This partly explains the emergence of the CIO as a force in the
executive committee. A good CIO will translate business require-
ments into technology solutions, hopefully implement them in trust-
worthy fashion, and, by virtue of being at the table, be able to do so on
an ongoing basis. They serve as a bridge between the business and the
dark forces that lubricate its machinery. It also, handily, gives the CIO
a forward career path, perfectly illustrated in the trajectory of a long-
time customer of mine who went from VP of IT to CIO to COO and
subsequently President of his Fortune-500 firm.
But a good CIO is there to provide functionality, to translate
changing business requirements into technology decisions. Their risk
view, by the very nature of their highly demanding role, is driven by
questions such as “how do I make this happen cheaper/better/faster?”
and “what sort of things are out there that can help me with making
it easier for the business to grow?”
These are critical questions, and they deserve the CIO’s full atten-
tion. Thus, except in a general sense around efficiency and reliability,
they are not typically in the business of assessing indirect risks to the
business inherent in such usage or, for that matter, lack of usage.
Which is where the CISO comes in.
In many ways, today’s CISO finds themselves in a position not dis-
similar to that of the CIO in the roarin’ 90s. As discussed earlier,
they are often technologically minded, sitting as it were in the eye of a
gathering storm, and thrust with a major responsibility from multiple
sources that often appear to be in conflict with each other. Worse, the
CISO often has to interpret these conflicting demands without the
appropriate business training or background, which tends to lead to
either a highly conservative or highly risky decision-making process,
and often both, depending on their personality and the issue at hand.
How many times have you heard a variation of the following ques-
tions and statements in the context of a security conversation?
“Are we compliant?”
“Are our systems secure?”
“This deal has to close by Friday, we have to do it, so just figure out how
to do it with minimum risk.”
“If we don’t do this, we won’t be in business anymore, so figure it out.”
The problem with these kinds of statements is that they are anchored
in a lot of hidden, assumed context. For example, the question “are
we compliant?” means different things when asked by a sales VP,
a CTO, or a general counsel. The first is interested in whether it is
possible to produce the necessary reassurance to prospects in a man-
ner that would be acceptable and remove sales barriers; the second in
the level of technology (and technology implementation) adherence
to a given standard; the third in whether any liability (business or
even personal) is present. It only takes a simple misunderstanding of
the specific context of the conversation to lead to significant friction
down the road.
Even more interestingly, it is entirely possible that the answer is
legitimately different in each of these contexts, even if the underlying
reality is the same!
For example, the following answers may all be true at the same time.

Question: Are we compliant?

• Answer (to the VP of Sales): Yes!
  • There is a current audit document validating compliance
    that can be shared with a prospect.
• Answer (to the CTO): No!
  • There are certain known deficiencies that were not shared
    with, understood, or discovered by the auditor, but are
    known internally to the team.
• Answer (to the general counsel): Maybe?
  • The interplay between the existing contractual commit-
    ment and the known current security posture may leave an
    unknown liability on the books, depending on the inter-
    pretation of negligence and the specific statements made
    and artifacts included related to information security in
    the contract.

Lacking the proper business background and business operational
context, it will be very difficult to reconcile these positions without
frustrating the various audiences. The path from here to losing cred-
ibility is rather short.
The modern CISO also has to contend with another challenge,
which is the extended sphere of (data) control. In the past, informa-
tion was fairly easily contained—even in electronic form, it was typi-
cally on company-owned servers in company-controlled co-hosted
cages or data centers. But the rapid emergence of cloud computing
has changed all that. Even the most paranoid organization tends to
rely on at least a few such services, such as (say) ADP for payroll and
(say) Salesforce for customer relationship management (CRM), and
the improved technical operational efficiency inherent in cloud ser-
vices is tempting an increasing number of companies to move ever
more of their backoffice functionality to the cloud.
Then you add remote connectivity, any number of employee-owned
end-user devices like smart phones, and the idea that company data
has boundaries quickly becomes more pretense than reality. If you’re
lucky, you can track access to stuff you really care about, but even that
is debatable. After all, it’s hard to ever tell whose fingers are actually
typing behind the screen, and it’s already possible to ask your fridge to
read your corporate emails aloud to you while you cook.
Such expansion, while terrific for the IT department’s ability to
successfully master and scale ever-more complex business needs and
environments, can introduce many headaches to the security orga-
nization. Not only is data now stored and handled elsewhere, it is
often very difficult if not impossible to draw clear boundaries, not
just around the data itself, but also between the various responsibili-
ties around management of the associated infrastructures, which in
themselves are virtual.
In our practice, we see this all the time, especially when we work
with cloud-based service providers. Take, for example, the issue of the
“invisible NOC.”

Say again? What is that?

The invisible NOC (Network Operations Center) is composed of
the personnel at the cloud company—say, Amazon—who manage
the underlying cloud infrastructure and in particular, the virtualiza-
tion infrastructure. Let’s focus on those folks that have access to the
hypervisors, those central management components that drive all vir-
tual environments, allocate available resources, and otherwise allow
the concept of virtual computing to exist at scale.

Why do they matter so much?

Well, if you have access to the hypervisors, then you have access to
anything those hypervisors manage, with no limit and no account-
ability. Or at least not to the supposed downstream owner of the vir-
tual machines themselves.

You know, the cloud customers.

This is, if you will, a known level of abstraction. As a cloud customer,
you are never fully in control of your own virtual devices and whatever
you place on or transition through them. Don’t think encryption pro-
tects you, because the people running the infrastructure can always see
keys in memory if they so choose. You must assume that the cloud pro-
vider hires trustworthy personnel to fill these technical operations posi-
tions, that they have proper controls and auditing mechanisms to catch
them if they make mistakes or go rogue, processes for handling such
behaviors and notifying you if something bad happens, and so on and so
forth. This is not a new concept: your telecommunications provider (say,
AT&T) controls the piping through which you send your data, and the
devices that enable it on each end. Generally speaking, they could easily
read anything you sent through them, but we trust them not to do so.
But to go back to the public cloud, and while I realize that I will
bring down the wrath of many with the following statement, I believe
that it is a fair argument to suggest that Amazon’s (or Google’s, or
Microsoft’s) NOC is one of the best in the business, simply by virtue of
it being able to operate successfully for so long on such a massive scale.
But the truth is, you never really know, the cloud provider’s terms
and conditions are typically identical for all cloud customers, and (as
a matter of law) companies are generally not liable for criminal acts
undertaken independently by their employees.
Now let’s go back to our hypothetical cloud-based SaaS (software-
as-a-service) provider. They have decided, sensibly, that their real value
lies in the application they provide, rather than the associated data
center operations. They elect to rent their computing infrastructures
from a cloud provider—again, let’s use Amazon here, since AWS is
today by far the most popular.
This allows them to do a lot of neat tricks, like spin up fully func-
tional, highly scalable software quickly, and add bells and whistles
rapidly as well. They can even spin up their platform directly from
fresh code, a concept known as “platform as software,” often from
a well-known cloud-based software management repository such as
GitHub. Used properly, all of this abstraction can reduce deployment
cycles and recovery times dramatically.
Thus, this SaaS vendor, even if they are themselves very small, can
make their offering very tempting to the enterprise customer who is
looking to solve big problems, often of a legacy nature. So they attract
such customers fairly early on in their business cycle, and inevitably, at
some point in the acquisition cycle, the enterprise customer’s security
team must get involved.
Here is what typically happens next.
That enterprise security team has to validate and verify hundreds of
vendors at any given time. The enterprise (or agency) CISO must find a
way to balance the risks inherent in vendor management with the busi-
ness (and regulatory) requirements driving these new vendor requests.
As we discussed earlier, they are generally incentivized to err on the side
of caution; after all, if a vendor screws up, it will be the CISO who could
get canned for “failing to properly review” that vendor in advance.
So a standardized process is created to support vendor validation
efforts. The folks tasked with creating it usually have even less busi-
ness context than the CISO (who often doesn’t have it either), and
are even more enthusiastic in their efforts to create a “comprehensive
process” for validating vendors.
Then legal gets involved, and requirements continue to grow.
You get the picture. By the time everybody is satisfied that the
process is robust, it has grown to take the form of multiple (and often
contextually ridiculous) contractual clauses and a 600-question RFP
that makes roughly seven million (give or take a few) generalized
assumptions about technology vendors that are often quite removed
from reality—especially for SaaS providers.
The kicker is that these documents are intended to be embedded in
the contract, and ultimately become contractual artifacts with legal,
binding force.
The service provider—in many cases, a rapidly growing startup,
often with only a handful of employees and barebones backoffice opera-
tions—now has to somehow answer these questions, and finds that the
other side is not very attentive to their pleas for sanity. They must attest
to physical controls for environments that they not only do not man-
age, but do not even have any visibility into. They must approve rights
to audit, for an environment they cannot access themselves, thereby
already breaking the contract by the simple act of signing it. They must
agree to personnel drug screening requirements that are entirely inap-
propriate and counterculture for their business. And the list goes on.
But do you know what never seems to bother the enterprise cus-
tomer? In all of these questions, surveys, attestations, contractual
requirements, and so on, there never seems to be any focus on the
invisible NOC—a group of people which the service provider relies
on but has no knowledge of, no ability to monitor, and no capacity to
review their actions (or even be aware of those actions).

Isn’t it fascinating?
Of course, in the context of business liability, the enterprise coun-
sel’s answer to that is “the cloud provider is represented by the SaaS
vendor.” Good luck with that line when the cloud gets broken and all
you have for a remedy are the very limited resources, warranties, and
embarrassingly small (if any) cyber-insurance coverage of that vendor.
They’ll probably go bankrupt first, anyway.

A small number of enterprises have enlightened security leaders
that understand this, and take a different route. They independently
review and accept certain cloud vendors every year, and then have
a shortened approval process for cloud-based service providers that
are located inside those clouds. For example, an enterprise may “pre-
accept” AWS with a dedicated VPC (virtual private cloud) as a cloud
infrastructure, allowing any service provider in AWS to be accepted
as well, as long as they remain there.
That’s a much more reasonable approach, but is unfortunately not
very common yet, and for a simple reason: the CISO that engages in
this healthy business practice is also assuming a personal risk of such
pre-acceptance.
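The pre-acceptance approach described above, reduced to a decision rule, as an added example that is not part of the book: each yearly-reviewed platform becomes a "swim lane" (provider plus the configuration the review assumed), and a vendor is fast-tracked only while every provider it uses sits inside a still-valid lane. The lane names, attestation strings, dates and vendors are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class SwimLane:
    """A pre-accepted cloud platform and the configuration the enterprise's
    independent review assumed (for example AWS with a dedicated VPC)."""
    provider: str
    required: frozenset   # configuration statements a vendor must attest to
    reviewed_on: date     # date of the enterprise's last review of this platform
    valid_days: int = 365 # pre-acceptance is renewed yearly


@dataclass
class VendorAttestation:
    """A SaaS/PaaS vendor's own statement of where it is hosted: each cloud
    provider it uses, mapped to the configuration it attests to there."""
    name: str
    hosting: dict  # provider name -> set of attested configuration statements


def evaluate(vendor, swim_lanes, today):
    """Decide the review path for one vendor.

    Returns (decision, findings). The decision is "fast-track" only when
    every provider the vendor uses is a currently valid pre-accepted lane and
    the vendor's attested configuration covers that lane's requirements.
    An unknown provider, an expired lane review, a missing configuration
    item, or no declared cloud hosting all fall back to "full-review".
    """
    lanes = {lane.provider: lane for lane in swim_lanes}
    if not vendor.hosting:
        return "full-review", ["no cloud hosting declared; nothing to pre-accept"]
    findings, fast = [], True
    for provider, attested in vendor.hosting.items():
        lane = lanes.get(provider)
        if lane is None:
            findings.append(f"{provider}: not a pre-accepted platform")
            fast = False
        elif today - lane.reviewed_on > timedelta(days=lane.valid_days):
            findings.append(f"{provider}: pre-acceptance review of {lane.reviewed_on} has expired")
            fast = False
        elif (missing := lane.required - set(attested)):
            findings.append(f"{provider}: outside the swim lane, missing {sorted(missing)}")
            fast = False
        else:
            findings.append(f"{provider}: inside pre-accepted swim lane reviewed {lane.reviewed_on}")
    return ("fast-track" if fast else "full-review"), findings


# Constructed sample data (hypothetical lanes, vendors and dates).
AWS_LANE = frozenset({"dedicated-vpc", "encryption-at-rest", "cloudtrail-enabled"})
SWIM_LANES = [
    SwimLane("AWS", AWS_LANE, reviewed_on=date(2023, 3, 1)),
    SwimLane("Azure", frozenset({"dedicated-vnet"}), reviewed_on=date(2021, 6, 1)),
]
VENDORS = [
    VendorAttestation("inlane-saas", {"AWS": set(AWS_LANE)}),
    VendorAttestation("shared-vpc-saas", {"AWS": {"encryption-at-rest", "cloudtrail-enabled"}}),
    VendorAttestation("multi-cloud-saas", {"AWS": set(AWS_LANE), "OtherCloud": set()}),
    VendorAttestation("stale-lane-saas", {"Azure": {"dedicated-vnet"}}),
    VendorAttestation("self-hosted", {}),
]
TODAY = date(2023, 9, 1)


def main():
    for vendor in VENDORS:
        decision, findings = evaluate(vendor, SWIM_LANES, TODAY)
        print(f"{vendor.name}: {decision}")
        for finding in findings:
            print("   -", finding)


if __name__ == "__main__":
    main()
```

The findings list is the record of which lane a fast-track decision rests on, which is the part the pre-accepting CISO is personally answerable for.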
This problem becomes more acute when it comes to data, and in
particular when we add yet another layer of abstraction—the plat-
form-as-a-service (PaaS) provider. These cloud-based service provid-
ers handle customer data as incidental to their primary service, which
is to provide a virtual platform. Customer data indeed transitions the
PaaS virtual systems, but PaaS personnel do not interact with it, and
their platform does not make decisions based on any (human) knowl-
edge of the data; rather, it acts as instructed algorithmically to per-
form by the customers with respect to the data.
The easiest conceptual example of that is a data proxy, a system
which provides hookups for any other system in order to facilitate data
migrations from one external system to another. Based in the cloud,
this is a pure PaaS play: the platform has all the capabilities required
to handle data transformations, but the platform vendor and, in par-
ticular, their personnel are “unaware” of how the customers utilize the
platform to do so. In many ways, this is like another cloud layer, see-
ing as clouds are also platforms. If you think of the cloud as a virtual
hard drive and CPU, then the PaaS is a virtual application server (and
a SaaS is a virtual application).
How is such a service provider to address their customer’s security
concerns? They do not interact with the data directly, but rather as a
side effect of what the customer instructs the platform to do, and, even
then, have no real concept of the nature of the data that traverses the
system boundaries. Heck, the best ones will insist on not implement-
ing any direct data control that implies knowledge of the underlying
data, if for nothing else than for (liability) self-preservation purposes.
Put another way, a PaaS vendor doesn’t know what data the customers
push through their platform, and doesn’t care about it, either, because
they rightly consider it to be none of their business (what I like to call
the “we don’t know, we don’t care” principle).
It is, in fact, the same exact principle that the cloud provider itself
(e.g., Amazon) follows. We give you a platform, but what you do with
it is up to you.
It’s just one more level of abstraction.
The transformations themselves also take place on somebody else’s
systems, that is, the cloud vendor. Faced with questions about data
protection, it can become difficult, even impossible, to answer them
in a satisfactory way, without some level of absurdity. For example,
how does this hypothetical PaaS vendor answer the question “do you
protect sensitive data at rest?” Why is this such a challenging ques-
tion? Because the vendor is fundamentally unaware of any distinction
between customer data, that is, sensitive and not sensitive. Further,
to add a capability to do so will, by necessity—since it would involve
the vendor becoming aware of sensitive customer data in order to
make a determination with respect to the application of security con-
trols—ultimately lower the overall security posture of the platform for
the customer. This is for a number of reasons, but I’ll mention the
most obvious: it violates the basic yet important principle of “need
to know.”
The PaaS vendor thus has to take a viewpoint, and will often find
that an actual attempt to be honest and discuss the very nature of a
public-cloud-based PaaS only leads to legal and sales barriers, even
when the truth is that they just treat all data the same way, and (hope-
fully) give customers additional security controls (such as encryption
key management) to apply to their data in any manner the customer
finds appropriate.
In other words, it is in both the vendor and the customer’s best
interests that the vendor provides controls and the customer applies
them as necessary. But the security questionnaire will practically
never account for this subtlety, and the enterprise legal department
even less so.
This expanded and highly abstracted sphere of data control is
probably the biggest overall security issue in the modern world of
cloud. These issues are rarely resolved in actuality in contract, at least
not without a very delicate and informed touch, and that requires a
significant amount of knowledge on the side of the enterprise counsel
and their security chief, as well as the vendor’s security leader, who
must be able, knowledgeable, and experienced enough to support
legal negotiations to a successful resolution that will not introduce
hidden risk and liability down the road.
With that said, there are some useful open-ended questions that
should be asked by any enterprise of every cloud vendor that they are
considering. Note that this is intentionally short and open-ended, since
the goal here is to get an insight into the security mindset of the vendor,
rather than dictate by implication a list of expected security controls.

Short Essay
Basic Questions to Ask Your Cloud SaaS/PaaS Vendor

1. Do you use (insert list of internally pre-approved cloud
providers here) as your cloud provider?
a. If not, which cloud provider do you use?
b. If you use more than one cloud provider, name all of
them and their function.
2. During your initial selection and up to this point in time,
what measures have you taken to check your cloud pro-
vider’s security and compliance posture?
a. Do you validate your cloud provider’s security and
compliance posture on an ongoing basis? How? Please
provide evidence of the most recent review.
3. Do you have a formal internal information security
program?
a. If yes, does it include:
i. Security policies? (please list them)
ii. Business Continuity Plan (BCP)?
A. If yes, what is the frequency of testing, and
when was it last tested?
B. If not, do you plan to develop one? When will
it be complete?
iii. Disaster Recovery Plan (DRP)?
A. If yes, what is the frequency of testing, and
when was it last tested?
B. If not, do you plan to develop one? When will
it be complete?
iv. Incident Response Plan (IRP)?
A. If yes, has it been triggered in the last 12
months? Please share any information you can
relate to the triggering event and its resolution.
v. Software Development Life Cycle (SDLC)?
A. If yes, what measures does it have to explicitly
address information security?
b. Do you have a formal security compliance program?
If so, please name the standards you comply with, and
include all current, internal, and external validation of
such compliance.
4. Do you have a formally assigned individual or group
accountable to information security in your organization
(e.g., CISO)? If so, please name them and their formal
titles.
5. Do you perform security testing in any portion of your
environment?
a. If so, please list the types of testing (e.g., penetration
testing, vulnerability scanning, code reviews, etc.),
their scope, and frequency.
b. What was the most recent date when each type of test
took place? Did you successfully remediate the find-
ings from the tests?
c. Does your testing process include post-remediation
validation? If not, please name the types of tests that
do not.
6. What customer data will you handle (store, process, or
transmit) on behalf of our company?
a. What customer data will get stored in your
environment?
b. If any data is stored, please describe how it is protected
from unauthorized access and leaks.
7. What type of access is necessary for this engagement (e.g.,
VPN to our DC, remote login)?
a. Which access control measures do you support?
b. Can we integrate any form of SSO or federated logins
into your environment? If so, which ones?
8. Is your environment fully or partially multi-tenant?
a. If yes, please describe how our company’s data is seg-
regated from other customers.
b. What security event logs will be available to us, and in
what form?
9. If a security incident occurs which potentially impacts our
company, how quickly will we be notified? What would
trigger such notification?
a. Do you maintain forensic audit trails? Which ones?
Will we have access to them?
It is worth reiterating that the goal here is not to cover every
possible control, or indeed to define an acceptable level of con-
trols. The nature of the answers to these open-ended questions
will tend to indicate the level of security thinking at the ven-
dor. For example, the SDLC question is intentionally vague,
and the answers will be indicative. Would the vendor list data
retention controls? How about third-party OSS library license
crosschecks? The answer to question 6 will be indicative, in that
a response along the lines of “we don’t know, it’s up to you” is
often a good one! (we don’t know/care).

With so much embedded risk, an experienced security leader
becomes essential. An ability to understand the differences between
different kinds of software and service providers, different operational
and strategic business drivers, and legal and liability challenges inher-
ent in such engagements will give them a unique risk management
perspective and allow them to inform the business initiative process
in a way that can be invaluable in the long term.
Properly understood in this role as a technology and data risk man-
ager, the CISO can contribute in many ways:
• They can steer the company away from potentially costly R&D
decisions. In one example, a lead developer in a large multi-
national requested our advice with respect to a new, major
m-commerce feature release, which would involve a signifi-
cant intake of behavioral PII into the general e-commerce
platform. Aware of upcoming privacy regulations in the EU,
one of our recommendations was to implement a way to allow
any consumer to request the removal of all their PII from
the company’s systems—we called it the “big red button”
library—as a way to address the soon-to-be regulated “right
to be forgotten.” This library could be called with an identi-
fier, and automatically remove all PII related to that identi-
fier. The developer was delighted—they had not been aware
of this potential issue, and at that stage in the design process,
implementing it would be trivial. Alas—and as an unfortu-
nate demonstration of the potential internal conflict between
security and the business—2 weeks later we were informed
that legal instructed the development team to not implement
such a feature, and worse, to make it virtually impossible to
remove any consumer’s PII from the company’s systems with-
out a massive manual undertaking. Their argument was that
based on U.S. law, this would allow the company to avoid ever
having to remove such data because it would be prohibitively
costly to the business. That decision, with the new General
Data Protection Regulation (GDPR) rules coming into effect
in the EU, is set to become very expensive.
• They can reduce structural technology business risk while removing
growth obstacles, for example, by independent review and pre-
acceptance of popular cloud platforms, maybe with a defined
set of embedded controls and configurations (also known as
“swim lanes”).
• They can help draft legal language that makes sense in abstracted
contexts. This is especially true in the cloud provider space,
where boundaries of liability and responsibility can get pretty
murky. One adjunct to this is for the security leader to be very
customer-friendly, and become an integral part of the sales
process, providing customer education and reassurance, often in
direct conversation with their counterpart on the customer side.
• They can participate in M&A processes to try and uncover hid-
den or unexpected deal blockers. I was once invited to partici-
pate in due-diligence meetings related to a multi-billion
dollar merger. I was introduced as the CIO’s advisor, and
was expected to listen, and possibly note anything that the
team may have otherwise missed. In fact, the CIO’s request
was phrased thusly: “you always have good questions. Maybe
you’ll have one for us here, too.” Well, long story short, I did
at some point have a question, about the possibility of risk and
regulatory costs related to the combining of the two compa-
nies’ rather different cultures and practices around data use,
and in particular, the vast troves of consumer-sensitive data
they were both managing. I was informed later that this issue
became central for a short time and the regulators did ulti-
mately get involved, but thankfully, the team on “our side”
was aware of the issue in advance and was prepared to address
it, which helped smooth the transaction process.
• They can assist through the power of negative inference thinking.
Alright, I fully admit that the latter point is a teaser.

So what is this “power of negative thinking” concept?

Let’s go back to business school for a minute. Having gone through
a fairly respectable MBA program back in Israel before I came to the
United States, I even managed to retain a couple of things. One of
them was the strong bias toward action–reaction decision chains.

What do I mean by that? Well, generally speaking, business culture
(at least in the west) seems to be focused on actions and reactions. Put
another way, the most common question one gets asked is “what do we
do now?” (action), often followed by “how do we answer this develop-
ment?” (reaction). This action bias often leads companies to do great
things, but just as often, it can lead them into seeing ghosts that aren’t
there, and more importantly, completely miss massive market trends
building right under their noses.
Why is that? Because if the new trend represents a significant

enough shift from the existing model, it may not register on the mar-
ket analysis needles until it’s too late. There will be little, if anything,
to which to respond. This is how large companies grow complacent,
and then upstaged by youthful startups.
It’s merely the entire foundation for the existence of Silicon Valley.
But consider the CISO, and especially their training. In particular,
good CISOs are uniquely qualified to handle these sorts of “negative
information” trends. Why? Because they are trained to spot trends
both when there is an abundance of data, and also when there is a
notable lack of abnormal activity. For a CISO, either one of these
scenarios is suspicious. The latter may indicate a particularly stealthy
compromise attempt (using the electronic version of “there is noth-
ing to see here, move along” approach), one that attempts to nor-
malize patterns as much as possible so as to be the least likely to be
detected. This particular issue is going to become much bigger in the
near future, as behavior-based systems will begin confronting behav-
ior-based attacks that try to fool them into accepting bad behavior
as good, but that is a topic for another book. Incidentally, that’s why
good hackers can be so valuable to companies who hire them as part
of their computer defense strategy; they can seemingly “sniff out”
these kinds of patterns instinctively.
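The “notable lack of abnormal activity” signal from the paragraph above, turned into a small detection routine, as an added example that is not from the book: each telemetry source is compared with its own recent baseline, and a source that goes far quieter than usual is flagged just as a spike would be. Thresholds, source names and the daily alert counts are constructed for illustration.

```python
from statistics import median

MIN_HISTORY = 7      # days of baseline needed before any verdict is given
QUIET_RATIO = 0.25   # today's volume below a quarter of baseline -> suspiciously quiet
LOUD_RATIO = 4.0     # today's volume above four times baseline -> abnormal spike
MIN_BASELINE = 5     # sources that are normally near-silent cannot get "quieter"


def assess(history, today):
    """Classify one source's activity for today against its own baseline.

    history: daily counts of security alerts from the source (oldest first)
    today:   today's count from the same source
    Returns "insufficient-history", "abnormal-spike", "suspiciously-quiet"
    or "normal". The quiet verdict is the "negative information" case: the
    source normally produces alerts and has gone unusually silent, which may
    mean an outage, a disabled sensor, or activity being hidden from it.
    """
    if len(history) < MIN_HISTORY:
        return "insufficient-history"
    base = median(history)  # median resists a few noisy days in the baseline
    if today > LOUD_RATIO * max(base, 1.0):
        return "abnormal-spike"
    if base >= MIN_BASELINE and today < QUIET_RATIO * base:
        return "suspiciously-quiet"
    return "normal"


def triage(fleet):
    """Group every source in the fleet by verdict.
    fleet maps a source name to (history, today_count)."""
    verdicts = {}
    for source, (history, today) in fleet.items():
        verdicts.setdefault(assess(history, today), []).append(source)
    return {verdict: sorted(names) for verdict, names in verdicts.items()}


# Constructed sample fleet: seven days of alert counts per source, then today.
SAMPLE_FLEET = {
    "web-proxy":   ([40, 38, 45, 41, 39, 42, 44], 3),   # normally busy, now almost silent
    "edr-agents":  ([12, 9, 11, 10, 13, 12, 10], 11),   # unchanged
    "vpn-gateway": ([8, 7, 9, 8, 10, 9, 8], 40),        # classic spike
    "dev-sandbox": ([0, 1, 0, 0, 2, 0, 1], 0),          # always quiet; no verdict on silence
    "new-lab":     ([5, 5, 5], 0),                      # too little history to judge
}

if __name__ == "__main__":
    for verdict, sources in triage(SAMPLE_FLEET).items():
        print(f"{verdict:20s} {', '.join(sources)}")
```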
Now imagine being able to shape one’s experience in this sort of
detection into a business tool. Give your good CISO the training and
foundation to translate this ability into the business realm, name them
as a board advisor, and then let them provide input into the quarterly
board meetings. Just let them tell you what they see.
Who knows? They may see something nobody else does, precisely
because it is designed to be invisible.
Even if not, at the very least you will have discovered a potential
source of new business leaders that can help your company deal with
an unexpected, rapid shift in your market or the economy at large.
1 Securing Cyberspace Is Everybody’s Business

In this chapter, you will learn the following:

• Why a standard definition of the practice of cybersecurity is
important
• How exploitable gaps occur in a real-world cyberdefense
• The importance of teaching cybersecurity as comprehensive
process
• The role of professional societies in shaping the discipline of
cybersecurity
• The general structure and intent of the CSEC2017 Project
• The practical applications of the CSEC2017 Project.

Introduction: The Current Situation Is Out of Control

It is a well-documented phenomenon that there is a global problem
securing cyberspace (Accenture, 2019; Rivero, 2018; Hatchimonji,
2013; Symantec, 2014; Trend-Micro, 2015; PRC, 2017; NIAC, 2018).
However, the price of that failure might not be so clear. To use a cou-
ple of global concerns to illustrate the problem, first, let’s look at the
skyrocketing cost of cybercrime. In 2015, cybercrime cost the world
$500 billion. By 2018, that expense had escalated sixfold to $3 trillion
(Microsoft, 2018). And, by 2021, the price is expected to double
again to $6 trillion (Microsoft, 2018). Needless to say, an annual loss
that exceeds the combined gross domestic product of Great Britain,
Germany, and France is going to impact every business in
every industrialized country in the world (Figure 1.1).
Additionally, there are advanced persistent threats in cyberspace
that target our critical infrastructure, and since the infrastructure
underwrites our entire way of life, the prospect of harm to it is a threat
to our national survival (NIAC, 2018; Cummins & Pollet, 2009).
Figure 1.1 Global problem of securing cyberspace (source: Accenture 2019
Cost of Cybercrime Study: 355 companies, 2,647 senior leaders, 11 countries
in 16 industries). Panels: security breaches are growing (11% increase in
the last year, 67% increase in the last 5 years); only 16% of CISOs say
employees are held accountable for cybersecurity; people-based attacks
(malicious insider and ransomware) have increased the most; $13.0m average
cost of cybercrime in 2018, a 72% increase in the last 5 years; business
consequences are expensive ($4.0m cost of business disruption, $5.9m cost
of information loss).

A potential attack on any major element of our infrastructure is so
strategically significant that it has been dubbed as a “Digital Pearl
Harbor.” The basis for the concern is that much of the infrastructure
was designed before the need to protect it was even an issue (NIAC,
2018). So, the automated functions that perform the infrastructure’s
everyday tasks have no innate resistance to a cyberattack. Still, those
components are at risk only if they are remotely accessible (Figure 1.2).
There is an increasing propensity to hook infrastructure compo-
nents to the Internet for ease of maintenance and operation, which
makes the whole architecture almost impossible to defend. This is the
reason why the issue of cybersecurity is a serious part of any discussion
about our national interest.
What has been our society’s response? Unfortunately, the response
has been to dither (Brasso, 2016). Specifically, none of the sectors
in the United States’ national infrastructure domain have developed
an effective strategy or a coherent scheme to protect itself from a
concerted cyberattack (NIAC, 2018). And even worse, there is no con-
sistent agreement about what would constitute such an attack (Brasso,
2016). Yet a successful attack on any major element of the national
infrastructure could literally end society as we know it (NIAC, 2018).
Consequently, infrastructure cybersecurity now epitomizes the sort
of existential threat that nuclear war used to pose. Will such a thing
ever happen? In the words of Mike Rogers, the former head of the
National Security Agency, “It’s not a matter of if, but when!” (NIAC,
2018; Lois, 2015). Thus, it is critically important that we address the
significant issues in cyberspace.

Figure 1.2 Advanced persistent threat vectors (source: Cummins & Pollet,
Red Tiger Security).
Internet: email attachments, pirated software, DNS/routing modifications
Trusted Insider: rogue employee, subcontractor, break-in, dual use software
Physical: infections of media (USB, CD), infected and malicious IT equipment
Trusted Channel: stolen VPN credentials, hijacked cell communications, P2P tapping
External: mass vulnerability exploits, co-location exploitation, rogue WiFi

The Challenge: How Do You Protect Something that Doesn’t Actually Exist?

You would think that every organization’s top priority would be
the creation of a complete and comprehensive virtual asset protec-
tion scheme. However, cybersecurity is treated a lot like the weather;
everybody talks about it, but little is done to seriously address it.
For example, only 38% of the organizations that were surveyed by
Information Systems Audit and Control Association (ISACA) in
its “2015 Global Cybersecurity Status Report” felt that they were
taking substantive steps to address the problem of cyberthreat
(Laberis, 2016).
The Internet has the same potential impact on society as the inven-
tion of moveable type. The difference between these two revolutions
is that our culture took three centuries to accommodate the pro-
found impacts of mass printed information, whereas we’ve had a
mere twenty years to adjust to the even more momentous impact of
immediate access to every virtual thing in the world. Accordingly, it is
not surprising that society’s mechanisms have had a hard time keep-
ing up (Figure 1.3).
A protection scheme that is unable to guarantee the reasonable
confidentiality, integrity, and availability of its protection objects has
not achieved its basic purpose. It should be noted here that there is no
exception to this rule. A loss of virtual value is a loss, no matter how
the exploit was actually carried out. So, it’s a moot point whether it
was an insider exploit or an electronic attack. It was still a loss.
The single characteristic by which a cybersecurity effort ought to
be judged is its ability to dependably and effectually prevent any type
of loss or harm to an organization’s virtual assets. In this respect, it is
axiomatic that the cybersecurity function is obliged to close off every
potential avenue of attack for all of the virtual assets that it is held
accountable for. And ten years of data loss makes it crystal clear that
we are getting worse at the task, not better (Figure 1.4).

Figure 1.3 2018 security breaches (source: 2019 SANS Top New Attacks and
Threat Report).
Banking/Credit/Financial: 135 breaches, 1,709,013 records exposed
Business: 571 breaches, 415,233,143 records exposed
Education: 76 breaches, 1,408,670 records exposed
Government/Military: 99 breaches, 18,236,710 records exposed
Medical/Healthcare: 363 breaches, 9,927,798 records exposed
Annual totals: 1,244 breaches, 446,515,334 records exposed

Figure 1.4 Top ten security breaches of all time.
Company                     Accounts hacked   Date of hack
Yahoo                       3 billion         Aug. 2013
Marriott                    500 million       2014-2018
Yahoo                       500 million       Late 2014
Adult FriendFinder          412 million       Oct. 2016
MySpace                     360 million       May 2016
Under Armor                 150 million       Feb. 2018
Equifax                     145.5 million     July 2017
EBay                        145 million       May 2014
Target                      110 million       Nov. 2013
Heartland Payment Systems   100+ million      May 2008

We Must Re-evaluate Our Assumptions

In 1929, Lieutenant Colonel J.L. Schley wrote in the Military Engineer,
“It has been said critically that there is a tendency in many armies to
spend the peace time studying how to fight the last war.” And this has
never been truer than in the fight to protect cyberspace. On the surface,
the justification for our current approach seems simple enough. The
virtual world is enabled by computers, which have an explicit set of
rules associated with them. These rules are dictated by the unyield-
ing architecture of the machine. Therefore, it seems obvious that we
should base our cybersecurity protection paradigms around the well-
established scientific principles of computer engineering and network-
ing architecture, which has been the reasoning since the beginning of
the field. However, perhaps we have misunderstood the meaning of
the term “cybersecurity.”
Cybersecurity is a combination of the words cyber, meaning
computer, and security. We understand the reason for the cyber part.
Virtual information is kept and transmitted electronically by com-
puters, so it seems like common sense to hand the responsibility for
cybersecurity to the technical part of the organization. The problem
is that security is actually its own independent concept and it carries
a different set of requirements. Security implies the act of safeguard-
ing something. Cybersecurity, as the term is presently interpreted,
does protect some things. For instance, it is well documented that
the effective percentage of successful electronic exploits has decreased
over the past decade. Even so, it is one thing to protect a virtual asset
from unauthorized electronic access, while it is another thing entirely
to ensure that the same asset cannot be lost or harmed due to any type
of credible exploit or attack.
In this respect, the security part of cybersecurity expands the pro-
tection mission to encompass the responsibility to safeguard every
virtual object of value. Thus, cybersecurity’s role goes from simply
regulating the coming and going of data through a highly restricted
point of electronic access, like a firewall, to assuring that the virtual
asset cannot be harmed by any foreseeable means. The latter require-
ment is a much more rigorous test. But it is still an inescapable fact
that, a loss of value is a loss no matter what the cause is (Figure 1.5).

Figure 1.5 Organizational responses to cybersecurity. The figure is an infographic with the following panels:
• 55% of organizations do not make protecting part of their strategy [1]
• 550 million: the number of phishing emails sent out by a single campaign during 1st Qtr 2018 [3]
• The largest component of the total cost of a data breach is lost business: abnormal turnover of customers, reputation losses, diminished goodwill [5]
• 3,418,647,753: the total number of records containing personal and other sensitive data compromised between January 2017 and May 2019 [2]
• 34% of organizations see careless/unaware employees as the biggest vulnerability [6]
• 79% of business leaders say new business models introduce technology vulnerabilities faster than they can be secured [4]
Sources: 1. EY Global Information Security Survey 2018-19 (GISS); 2. Chronology of Data Breaches, May 2019, https://www.privacyrights.org/data-breaches; 3. DarkReading, 26 April 2018, New Phishing Attack Targets 550M Email Users Worldwide; 4. Ninth Annual Cost of Cybercrime Study, Accenture Security; 5. Ponemon Institute’s 2018 Cost of a Data Breach Study, 18 Sept 2018; 6. EY Global Information Security Survey 2019-19 (GISS)


There are two highly credible types of attacks that are unavoidably part of the overall attack surface: human and physical exploits. The willingness of an organization to ignore these plausible lines of attack will preprogram failure into the protection mission. Current research shows that electronic exploits constitute less than one-third of the threat. The rest of the protection problem involves such real-world factors as insider threats and social engineering or even natural complications like fire or flood. So, the question remains, who should be responsible for deploying and coordinating a defense against those types of exploits?

In many organizations, human or physical types of threats are often not included in traditional cyberdefense planning. Most active cyberdefense solutions do not even consider the need to embody tightly integrated, well-defined, and uniformly applied behavioral controls as a fundamental part of the overall cybersecurity process (Laberis, 2016). As a result, well-executed attacks against the non-electronic attack surface are almost certain to succeed. The question is, what is the reason for such a clear disconnect in our planning?

The Adversary Changes Things

The goal of the adversary is to break into the system, not use it. And those adversaries are not constrained by conventional rules of engagement. Besides the traditional task of ensuring that the system operates as intended, system developers and administrators are now expected to ensure that its day-to-day functioning is fully safeguarded from any foreseeable kind of malicious exploitation. In the case of a determined adversary, the scope of the protection perimeter is now opened up to any means necessary to achieve the ends of a wide range of hacker types. If the adversary’s aim is to subvert or acquire a virtual asset, then the easiest way to accomplish this would be through the path of least resistance (PRC). As far back as the 1970s, Saltzer and Schroeder codified this as the Work Factor principle (Saltzer and Schroeder, 1974). In essence, the adversary will adopt the approach that is the easiest to execute and the most likely to succeed. Sun Tzu characterized this thinking best when he wrote, “Attack weakness not strength.” Or in practical terms, the form of the hack will be dictated by the shape of the soft spots in the cyberdefense.
If the organization has constructed a strong electronic defense, a smart adversary will launch anything BUT an electronic attack, and the data supports this. In 2006, the predominant percentage of loss was from exploits that could be classified as “electronic” (PRC, 2017). Fast forward and the preponderance of the losses are due to exploits that are classified as “behavioral” (PRC, 2017). This change in tactics illustrates how the adversary has simply shifted their line of attack to accommodate our improved capability in the electronic realm. And since the nontechnical attack surface is so much wider, it is also, most probably, the reason why our loss statistics continue to grow at exponential rates.
From a terminology standpoint, the exploits we have been talking about are nontechnical hacks. Both human-centered and physical types of attacks fall into that category and, as the term implies, nontechnical hacks do not target the technology directly. Rather than electronic types of approaches, nontechnical hacks increasingly target existing behavioral or physical weaknesses in the organization. Thus, in real-world terms, nontechnical hacks are aimed at the human attack surface. The term human attack surface simply denotes every possible way in which intentional behavior that is executed in the physical space could compromise an asset or its confidentiality. Microsoft estimates that by 2020, the human attack surface will encompass 4–6 billion people (Microsoft, 2018).

Because human behavior is distinctive, creative, and unpredictable, there are an infinite number of ways that a nontechnical hack can be executed. The most popular approaches include such familiar exploits as insider and social engineering attacks. But nontechnical impacts can also be the result of humble everyday operational errors like procedural malfunctions and even simple worker negligence (Whatis, 2018).

It is hard to estimate the percent of actual harm that nontechnical hacks represent. Damaging exploits, such as industrial espionage or theft of proprietary trade secrets, are rarely reported, and simple human negligence or inadvertent error tends to get missed or covered up. Therefore, it is impossible to accurately describe the impact of such a set of occurrences. Nevertheless, it is believed that the overall extent of the problem is most certainly far greater than what is currently estimated (Laberis, 2016).
There are two logical reasons why nontechnical hacks go unreported or, for that matter, unnoticed. Both of them illustrate the challenge organizations face when it comes to building a complete and effective cyberdefense. First, companies, and particularly top-level decision makers, simply don’t associate human behavior with virtual losses, and so the threats that malicious insiders and bumbling employees represent tend to fly under their radar (Laberis, 2016). Nevertheless, nontechnical hacks are now the dominant path of least resistance (PRC, 2017). And since the adversary is becoming more and more reliant on their use, we will have to learn how to close off all the alternative paths. The ability to identify, classify, and counter nontechnical exploits will have to be amalgamated into every organization’s overall understanding and approach to cybersecurity going forward.
Second, human behavior is impossible to accurately predict or effectually monitor. More importantly, an insider is part of the organization; therefore, they are trusted to some extent. Accordingly, it is almost impossible to spot a capable insider who is planning to undertake an attack, and because humans are creative, their harmful actions are almost impossible to assure by automated means (Laberis, 2016). Yet, most of our present-day cyberdefenses are still exclusively oriented toward countering electronic types of attack, which is also reflected in the loss statistics.

At present, 71% of annual losses are due to failures in the physical and human attack domains, while electronic breaches account for roughly 29% (PRC, 2017). Specifically, the leading cause of record loss (36%) over the past decade is attributable to physical exploits (PRC, 2017). A physical exploit is any hands-on theft, harm, or loss. A stolen laptop containing sensitive information is one example. Human behavior is the second leading cause of record loss (35%). Human behavior exploits include such categories as insider theft, social engineering, or human error (PRC, 2017). While the lowest percentage of losses (29%) falls into the area of the classic technology-based attacks, unfortunately, these are often the only kind of attacks factored into an organization’s cybersecurity planning.

The Three-Legged Stool

Cyberdefense rests on a three-legged stool: electronic, human, and physical. The practical starting point for good cyberdefense is to begin to assimilate the three important areas into the overall strategic planning function; however, one issue is that the three component domains have traditionally operated independent of each other. So, the question is, how do we start the process? We start by knocking down the stovepipes. Stovepipes, where teams work independently of each other and do not share information, are the reason that credible threats like insider attacks or social engineering need to be called out and addressed in the formal protection planning process (Figure 1.6).

The people who should be involved in constructing the cybersecurity defense may not be aware of the aspects of the problem that they do not touch because of the blind men and the elephant syndrome. In that old fable, six blind men are asked to describe an elephant based on what they are touching. To one, it’s a snake, to another it’s a wall, and to another it’s a tree, etc. But in the end, “Though each was partly in the right, all were entirely wrong.”

So, the need to counter threats that arise in other areas is overlooked. Understandably, the job of network security is to secure the network, not necessarily the software applications, just as human resource personnel do not configure firewall rules or restrict access control to servers as part of their mandate. The present stovepiped state of the practice is leveraged by at least three mutually limited views of the world, which puts the cybersecurity function into an unavoidably dysfunctional state. Although there are established elements of the field that can capably protect the part of the elephant that they touch, none of the conventional elements are an entirely effective solution in and of itself. And if every practical aspect of the solution is not fully integrated into the response, then the PRC gaps are bound to manifest.

Figure 1.6 Blind men and the elephant (callouts: “…feels like a snake!”, “…feels like a wall!”, “…feels like a tree!”).

Learning to Play Better with Others

Exploitable gaps are created when the important actors in the cyberdefense process do not collaborate. As we have seen, most of the necessary set of actors are probably unaware of the actual requirement to cooperate. For instance, the failure to lock and monitor the computer room or to thoroughly vet the system manager will always invalidate any elegant security solution. This is because direct access to the machine trumps every other form of countermeasure.

These situations are sources of the types of exploitable gaps; however, the design of substantive steps to limit every form of direct physical access to the server, such as locks and employee monitoring and supervision, requires participation of the relevant players from the human resources and physical security areas. Often, these experts are not involved in either the planning or the day-to-day operations of the cybersecurity function.

Every factor has to be considered in order for a cyberdefense to be gap-free. But, because the planning for cybersecurity is often seen as a strictly technological exercise, the organization is not able to deploy the full set of controls necessary to completely and adequately protect its assets from every conceivable source of harm. Accordingly, the challenge is clear. The profession must find ways to ensure that the real-world practice of cybersecurity incorporates a complete, accurate, and highly effective set of well-defined and commonly accepted controls – ones that are capable of closing off every feasible type of adversarial action.

Creating a Holistic Solution

The term holistic was adopted to describe a state of comprehensive cybersecurity. Holistic simply means that every type of threat has been identified and countered by a formal control mechanism. In practical terms, holistic solutions describe organizational situations in which all likely threats have been effectively countered by an actual and fully integrated set of electronic, physical, and human-centered controls and are enabled by a systematic planning process. Therefore, good cybersecurity practice involves strategic architecture and design. The architectural process must consider all reasonable avenues of exploitation and ensure that all of the necessary controls and countermeasures are implemented and enforced. The aim of the countermeasures is to ensure a complete and effective cyberdefense. This isn’t just a matter of putting together a list of controls. There has to be a specific organizational mechanism in place to rationally integrate every one of these controls into a complete and effective cyberdefense system.

The Importance of Knowing What to Do

We will only be able to implement a holistic solution when we are able to bring all of the essential players together. Since the consolidation of protection responsibilities is likely to incorporate a range of skills and interests, there must be a universal agreement about the elements that constitute correct and effective practice. To be fully effective, the definition must amalgamate all of the essential concepts of cyberdefense into a single unifying practice model; one that has real-world currency.

Best practice is not something that is empirically derived. The term “best practice” simply designates the things that we know as a result of universal lessons learned over time. Best practice is classically embodied in “Bodies of Knowledge” (BOK), which are founded on expert opinions about the best way of doing something. The purpose of the rest of this book is to explain how a common body of knowledge is derived and conveyed, as well as how it can be a difference maker for educators in designing proper curricula and courses.

Enabling Common Understanding

Every profession is built around a common understanding of the appropriate and effective practices of the field. A formal statement of the critical underlying knowledge requirements is the necessary starting point for building an academic discipline and should serve as the basis for understanding what needs to be studied. The basic knowledge requirements tell the educator and student what they need to know and do, and it helps them understand how all of the elements of their field fit together as they relate to a real-world understanding of the basic responsibilities of the cybersecurity professional.

Up to this point, there has never been a legitimate commonly accepted definition of the critical elements that would constitute the knowledge required to do cybersecurity work. This key missing definition was what motivated the production of the National Institute of Standards and Technology workforce framework (NIST 800-181). NIST prepared the model as a definition of the standard roles in the cybersecurity workforce, and it is very useful in that respect. It demarcates the limits and job categories of every practical area of work in the profession. It also describes the common knowledge, skill, and ability (KSA) requirements for each area. However, while NIST 800-181 is an excellent first step, its application is still limited to the federal government space.

The government has provided outstanding leadership in the definition of the field. But it has a different role and function than classic institutions of education. As a result, NIST 800-181 still does not represent the essential commonly accepted body of knowledge that educators need to build curricula and courses. Therefore, an officially sanctioned body of knowledge was still the missing link in the formal education process.

Education Is the Key

Education has been the societal entity responsible for embedding new ideas in a culture. Academic scholars conduct research to add to the body of knowledge; however, the practitioner societies (associations) have traditionally developed and documented the essential concepts of the academic fields and their experiences working in organizations. Skilled and experienced practitioners are the entities who are typically most current on the issues that organizations face and the logical people to provide a body of knowledge for cybersecurity. The culmination of the work of the leading cyber associations is the CSEC2017 model, which is discussed in the rest of this text. CSEC2017 should be considered to comprise the single authoritative statement of the knowledge elements that unify the various elements of the field of cybersecurity into a single common vision, and in that respect, CSEC2017 is the first step in defining a stand-alone field of study for cybersecurity.

The Body of Knowledge and Educational Strategy

Along with the coordinated management of the classroom delivery of content, any emerging discipline requires a formally planned and implemented, broad-scale academic strategy. A clear-cut educational approach is the underlying condition that is necessary to impart knowledge in every organized discipline of study from dentistry to mechanic’s school. Yet, up to this point, the elements of the field of cybersecurity have not been embodied in any form of all-inclusive strategic direction; particularly where the human attack surface is concerned.

A standard educational delivery approach is made difficult without a communal understanding and acceptance of a credible body of knowledge. All of the participants in the teaching process have to be on the same page in order for the message to be sufficiently well coordinated. So logically, the first requirement for formulating a cogent educational approach is common acknowledgment of what appropriate learning content is for a given study. The requisite knowledge has to be actively identified, catalogued, and disseminated. For example, computer science didn’t just show up in college catalogues in one day. It evolved over time as an amalgam of fundamental ideas from the fields of mathematics, electrical engineering, and even philosophy. Subsequently, the official contents of that body of knowledge had to be sanctioned as correct by the relevant practitioners in order to make the study of computer science into a formal educational discipline. Then after that recognition, the body of knowledge had to be formally promulgated to all pertinent educational providers in a systematized fashion.

In academe, the formal mechanisms for promulgating a BOK are the learned societies that are generally acknowledged as being the legitimate overseers and sanctioners of that particular academic discipline. Every legitimate body of knowledge has to be accepted as accurate by the profession it characterizes and is typically obtained from expert advice about lessons learned in the real world. Professional societies exist and serve as the developers and sanctioners of the fundamental ideas in their respective fields. Thus, it is the professional societies who are responsible for the promulgation and accreditation of a recognized body of knowledge and professional practice. Examples of professional bodies include well-known groups such as:
• The American Medical Association (AMA) for Doctors
• The American Dental Association (ADA) for Dentists
• The American Bar Association (ABA) for Lawyers
• The National Society of Professional Engineers (NSPE) for Engineers

In the case of computer science, interest groups, which are termed “learned societies,” have promulgated curricular guidelines for their areas of interest, and each of these societies now sponsors a particular academic discipline. The Association for Computing Machinery, or ACM, sponsors computer science; the Institute of Electrical and Electronic Engineers (IEEE) sponsors software engineering; the Association for Information Systems (AIS) sponsors business information systems; and the International Federation for Information Processing (IFIP) expands the sanctioning of best practice for each of these areas into the international arena (Figure 1.7).

Figure 1.7 Professional associations (panel title: Professional Societies).

Because computing comprises more than just the science of the computer, over time, other professional and academic interest groups have come together to address the issues in their particular areas. These groups are also involved in establishing guidelines for the BOK as they apply to their specific educational interests. At this present point in time, standardized recommendations for curricula are available for the disciplines of computer science (2013), computer engineering (2016), information systems (2010), information technology (2017), and software engineering (2014) (ACM, 2018).

Cybersecurity as an Academic Study

The four commonly recognized “societies” that sanction the aspects of the field of computing, from oldest to newest, are the ACM, the IEEE, the AIS, and the IFIP. Their role is to define the acceptable knowledge for their respective areas of practice as well as maintain standards of accuracy.

The Association for Computing Machinery (ACM)

ACM was founded in 1947 by the American computer scientist Edmund Berkeley. Today, it is the world’s largest scientific and educational computing society with a membership of over 100,000 (ISCTE, 2018). ACM is considered to be an umbrella organization for all of the academic and scholarly concerns in computer science. ACM officially coordinates scholarly activities related to that discipline as well as serves as the formal spokesperson for the academic groups under its care.

ACM’s activities include holding regular conferences for the presentation and discussion of new research in computer science as well as the publication of academic journals in subspecialty areas. This includes convening the Task Force that produced the CSEC2017 report. As the interest group for the study of computer science, the ACM also published CS2013, “Curriculum Guidelines for Undergraduate Programs in Computer Science.”
The International Society of Electrical and Electronic Engineers (IEEE)

As the name implies, IEEE sponsors activities related to the field of electrical and electronic engineering. IEEE actually has its origins in the 1880s, which far predates the computer. However, the interest groups that comprise today’s IEEE were not formed into the present entity until 1963. Currently, IEEE has over 395,000 members in 160 countries, and through its global network of geographical units, publications, web services, and conferences, IEEE remains the world’s largest technical professional association (IEEE, 2019).

The IEEE is responsible for the development of engineering standards for the computer and electronics industry. IEEE has traditionally been the entity focused on professional application of engineering techniques and tools to improve the software industry. Specifically, relevant to the study of cybersecurity, the IEEE fosters the application of conventional engineering principles and methods for the software industry. As a result, IEEE publishes both undergraduate and graduate curricula for the discipline of software engineering. The discipline was formally sanctioned in 1987 (Ford, 1994). The current IEEE curriculum recommendations for the field of software engineering are SE2014, “Curriculum Guidelines for Undergraduate Degree Programs in Software Engineering” and GSwE2009, “Curriculum Guidelines for Graduate Degree Programs in Software Engineering.”

The Association for Information Systems (AIS)

AIS was founded in 1994. It is the professional association that develops and promulgates knowledge and practices related to the management information systems profession. The society itself is mainly an academic association and is comprised of teachers and scholars who foster best practice in the development, implementation, and practical assessment of information systems.

AIS involves participants from more than ninety countries (AISNET, 2018), which represent three regions of the globe: the Americas, Europe and Africa, and Asia-Pacific (AISNET, 2018). The association publishes academic curricula for the study of business information systems, IS2002, Curriculum Guidelines for Undergraduate Degree Programs in Information Systems, and the IS2010, Curriculum Update: Curriculum Guidelines for Undergraduate Degree Programs in Information Systems. It also publishes MSIS2006, Model Curriculum and Guidelines for Graduate Degree Programs in Information Systems (ACM, 2018).

The International Federation for Information Processing (IFIP)

IFIP is a nongovernmental entity responsible for linking the various national information technology associations working in the field of information processing. It serves as the umbrella interest group for all of the national societies in the field of computing. IFIP Technical Committees and Working Groups contribute to, and often lead, progress in the state-of-the-art knowledge and practice in information technology/information processing fields.

IFIP was established in 1960 as an outcome of the first World Computer Congress held in Paris in 1959. It operates under the auspices of UNESCO (IFIP, 2018). IFIP represents IT Societies from over fifty-six countries, spanning five continents with a total membership of over half a million people (IFIP, 2018).

The Importance of Unified Recommendations about Areas of Vital Interest

Occasionally all the societies come together to develop a single unified set of recommendations in the case of a topic of vital mutual interest. The first document of that type was the Joint Curricular Recommendations for Computing Curricula (ACM, CC2005). CC2005 was developed to define the disciplines that were considered to be justifiably a part of the general study of computing. It was an important topic in the late 1990s because the out-of-control proliferation of disciplines centered on computer study was both confusing and dysfunctional in education in general. Hence, CC2005 was significant in that it drew the line around and clarified the academic studies that could be considered to be the components of overall computer education.

After CC2005 was published, it became increasingly evident that a sanctioned definition of the elements of the emerging discipline of cybersecurity was also required. Thus, the societies once more organized a Joint Task Force to formulate the first set of globally accepted curricular recommendations for cybersecurity education (CSEC, 2017). The guideline is entitled “Cybersecurity Curricula 2017, curricular volume,” or CSEC2017. The aim of CSEC2017 is to be “The leading resource for comprehensive cybersecurity curricular content for global academic institutions seeking to develop a broad range of cybersecurity offerings at the post-secondary level.” (CSEC 2017 Mission Statement, p. 10).

The recommendations of the CSEC2017 body of knowledge provide educators and their students with an authoritative understanding of the complete set of knowledge elements for the field of cybersecurity. The CSEC2017 document is specifically dedicated to providing an authoritative overview of the elements of the field of cybersecurity for a broad array of educational applications. It should be noted that the CSEC2017 thought model is authoritative, in the sense that the computer societies have made the commitment to make it so. Within that thought model, the knowledge elements that are specified for the discipline can be explicitly tailored to the teaching and learning process. Therefore, CSEC2017 has practical educational application in every curriculum and classroom.

Circumscribing the Field: Background and Intention of CC2005

CSEC2017 is an overview report; however, it isn’t the first. The first of these types of joint overview reports was published in 2005 by the convened group of sponsoring societies and is called “Computing Curricula 2005,” or just CC2005 (ACM, 2005). The goal of CC2005 was to “Provide perspective for those in academia who need to understand what the major computing disciplines are and how the respective undergraduate degree programs compare and complement each other.” (ACM, 2005, p. 1).

In general, the contents of CC2005 were intended to summarize the basic similarities and dissimilarities in focus and content of the various curricula that comprise the discipline of computing. The Joint Task Force behind its publication represented “an unprecedented cooperative effort among the leading computer societies and the major computing disciplines” (ACM, 2005, p. 1).

In order to be thorough and consistent, the Joint Task Force had to inspect and analyze the five discipline-specific curriculum recommendations comprising the ACM Computing Curricula Series (ACM, 2005). This widescale examination was deemed necessary because, “Computing is a broad discipline that crosses the boundaries between mathematics, science, engineering, and business and embraces important competencies that lie at the foundation of professional practice” (ACM, 2005, p. 2). CC2005 is mainly relevant to the discussion of a common body of knowledge for cybersecurity in that it laid down five underlying purposes that guide the presentation of all forms of computer education content (Figure 1.8).
Shared Identity Is Important: Because of computing’s profound impact on society as a whole, there is a responsibility for scholars and practitioners to specifically articulate what computer study is. Therefore, the first aim of CC2005 was to convey the diverse choices of study that are available to students, educators, and their communities. In view of this, the first goal of CC2005 was to articulate the communal identity and purpose of all computer disciplines. This is important to what we are discussing here in that cybersecurity suffers from the problem of diffuse identity. Thus, the role of the societies in clarifying the appropriate features for the study is critical to the long-term development of the field.

1. Shared Identity is Important—clarifying features for the study is critical to long-term development of the discipline
2. Separate Identity is Important—each computing discipline has its own identity that contributes to the shared identity
3. Everyone Needs to Understand the Contents of the Report—most readers will not be computer educators
4. Distinctive Knowledge Elements—the report catalogues every knowledge item that is germane to the study of computing
5. Combining the Common Learning Elements into a Single Body of Knowledge—creating a useful template for educators

Figure 1.8 CC2005’s five underlying principles of computer education content.
Separate Identity Is Important: Each computing discipline has
its own identity. Therefore, the second purpose of CC2005 was to
acknowledge and clarify the individual identities of each of the com-
ponent disciplines that contribute to the shared identity of computing.
Although there are different views of the field, this does not exclude
any one of those views from the overall solution. All education has
to have a focus, but the different focuses have to be integrated into a
single concept in the larger sense. The value of the individual disci-
plinary lens is that it provides the depth of understanding necessary to
ensure complete mastery of a given essential topic.
Everyone Needs to Understand the Contents of the Report: It
was acknowledged that most of the people who read the report would
not be computer educators. Thus, the CC2005 report was tailored
to address a range of constituencies who might want to understand
the contents of a comprehensive academic computing degree. So, it
was not technical in any way. Therefore, it must be understood that
CC2005 is a social manifesto of sorts. It doesn’t so much make rec-
ommendations about what needed to be taught in each field, as much
as it explained the variation in computer education programs as a
whole.
Distinctive Knowledge Elements: The report essentially cata-
logues every knowledge item that would be germane to the study of
computing. This is one of the two groundbreaking aspects of this proj-
ect and it is the consideration that links CC2005 with CSEC2017.
The CC2005 report ignores the usual teaching and learning issues
and focuses instead on the definition of a set of standard learning ele-
ments. The fact that CC2005 essentially catalogues and presents all
of the necessary learning elements for the effective study of comput-
ing makes it groundbreaking. It is the focus on the appropriate set
of standard elements for the study of cybersecurity that is the chief
contribution of CSEC2017.
Combining the Common Learning Elements into a Single Body
of Knowledge: The lack of a common understanding of the diverse
elements of the practical process of the study of cybersecurity is at
the heart of our failure as a society. Thus, the earlier synthesis of the
details of computer education into a single vision provides a meaningful
and useful template to guide educators and practitioners in the
development of complete and correct cybersecurity solutions. In that
respect then, the creation of an insightful, consensus-based overview
of the computing disciplines is a useful template for the comprehen-
sive set of recommendations for cybersecurity educators that are at the
heart of this text.

Defining the Elements of the Discipline of Cybersecurity: CSEC2017

The CSEC2017 Joint Task Force on Cybersecurity Education (JTF)
was formed in September 2015. As we have said, the computing
societies occasionally create a single joint initiative to promulgate
recommendations in an area of vital interest, and this particular
Joint Task Force report is such a case (JTF, 2017). The CSEC2017 mission
was twofold, “To initiate the processes for (1) developing undergradu-
ate curricular guidance; and (2) establish a case for the accreditation
of educational programs in the cyber sciences.” (CSEC, 2017, p. 10).
The recommendations in the report represent fully sanctioned, all-
inclusive recommendations about the content and structure of an
undergraduate cybersecurity curriculum. Additionally, the recom-
mendations represent a single conceptual model for the study of
cybersecurity. The CSEC2017 document is specifically not intended
to define a single monolithic study nor is it a prescriptive document
that is designed to create a lone program type. Instead, the CSEC
body of knowledge can be used either completely or in part to develop
relevant courses or to modify a broad range of existing programs and
course concentrations (CSEC, 2017).
Like CC2005, the CSEC2017 was intended to delineate the
boundaries of the discipline. In this case, it outlines key dimensions
of the curricular structure of the study of cybersecurity. Its aim is, “To
develop curricular guidance that is comprehensive enough to support
a wide range of program types and to develop curricular guidance
that is grounded in fundamental principles that provide stability”
(CSEC, 2017, p. 11). And this is embodied in the CSEC2017 rec-
ommendations. As defined in the CSEC2017 report and shown in
Figure 1.9, there are eight broad knowledge areas in the curricular
framework.

Figure 1.9 Eight knowledge areas of the CSEC2017 report.

The knowledge areas represent the complete body of knowledge
within the field. Taken as a set, these distinctive areas constitute a
common definition of the discipline as well as the learning elements
that should be involved in the delivery of an acceptable cybersecurity
learning experience. Each knowledge area will be discussed in much
greater depth in the following chapters; however, for the purposes
of introduction, the following is an overview of the eight knowl-
edge areas of the CSEC2017 Cybersecurity Curricular Framework
(CSEC, 2017).

Knowledge Area One: Data Security

The Data Security knowledge area is the perfect area to lead off with.
Data Security defines what needs to be known in order to ensure the
security of data assets either at rest, during processing, or in transit
(CSEC, 2017). This is a well-accepted and commonly understood part
of the current discipline and there is no disagreement about its impor-
tance in the overall protection of electronic assets. Chapter 3 focuses
on the knowledge elements associated with data security protection
to include a set of commonly acknowledged subjects such as basic
cryptography concepts, digital forensics concepts, and methods for
secure communications including data integrity and authentication,
information storage security, and privacy (CSEC, 2017).

Knowledge Area Two: Software Security

Software assurance goes back to the very origins of the discipline
and predates concerns about security. In the 1990s, the methods and
techniques in this area focused on creating defect-free code, and the
general area of practice was called “software quality assurance” or
SQA. Since most of the knowledge, skills, and abilities (KSAs)
associated with SQA transfer directly to the identification of
exploitable flaws, the knowledge elements for this area are well
defined and commonly accepted as correct among both academics and
business people. Chapter 4 focuses on the knowledge area regarding
the assurance of the security properties of the information and
systems that the software is designed to protect (CSEC, 2017). Thus,
the CSEC2017 recommendations center
on such accepted areas of practice as security requirements, design
concepts and practice, software implementation and deployment
issues, static and dynamic testing, configuration management, and
ethics, especially in development, testing, and vulnerability disclo-
sure (CSEC, 2017).

Knowledge Area Three: Component Security

Chapter 5 covers the Component Security knowledge area, which is
somewhat novel in that it is not an element of most of the predecessor
BOKs for cybersecurity. However, it is not surprising to see it here
given the inclusion of computer engineering in the CC2005 set of
disciplines. Component Security’s body of knowledge focuses on the
design, procurement, testing, analysis, and maintenance of the tangi-
ble components that are integrated into larger systems (CSEC, 2017).
Thus, the elements of this area include such well-accepted hardware
aspects as identification and elimination of vulnerabilities present in
system components, component life cycle maintenance and configu-
ration management, secure hardware component design principles,
security testing, and reverse engineering. Finally, there is a healthy
dose of supply chain management security knowledge elements due
to the industry’s commitment to commercial off-the-shelf integration
of components.

Knowledge Area Four: Connection Security

This area is what is colloquially known as network security and is
discussed in Chapter 6. The security of networks is another area
that is both commonly accepted and essential to good cybersecurity
practice. Networks and networking have been a fundamental element
of the information technology universe since the late 1960s, beginning
with ARPANET and other early computer communication systems,
and networking had reached a high degree of sophistication well before
the advent of the Internet. The security of networks, however, only
became a primary concern with the arrival of that groundbreaking
technological advancement. The knowledge in
this area focuses on the security of the connections between compo-
nents including both physical and logical connections (CSEC, 2017).
Thus, the recommendations entail assurance practices for networked
systems, networking architecture, and standard secure transmission
models, physical component interconnections and interfaces, software
component interfaces, and of course the common types of connection
and transmission attacks.

Knowledge Area Five: System Security

The System Security knowledge area begins the move away from
the technology and into the area of standard organizational processes.
Chapter 7 focuses on the System Security knowledge area, primarily
on those common embedded organizational practices that ensure that
the articulated security requirements of systems are met, where a
system is composed of interconnected components and connections
together with the networking software that supports those
interconnections (CSEC, 2017).
Consequently, the knowledge elements in this area embody recom-
mendations that spell out the necessity for a holistic approach to
systems, the importance of security policy, as well as organized iden-
tification and authentication management processes; this area also
contains recommendations for system access control and operational
system monitoring processes, as well as the standard recovery, system
testing, and system documentation best practices.

Knowledge Area Six: Human Security

This is a brand-new and very novel element of the body of knowledge
and is the focus of Chapter 8. The Human Security knowledge area
represents the first serious attempt to provide recommendations with
respect to the human attack surface. This area is terra incognita in
the traditional study of cybersecurity, and although it might not be
as mature as areas one through five, it represents a pioneering step in
the effort to compile a complete and accurate body of knowledge for
the field.
The first five knowledge areas comprise what might be considered
essentially hard, technology-focused elements that encompass gener-
ally well-known and commonly accepted axioms regarding the prac-
tice of data, software, component, and system assurance. The Human
Security area attempts to make benchmark recommendations about
the assurance and study of human behavior as it relates to the mainte-
nance of a state of cybersecurity. This is a new area and one which will
probably be susceptible to refinement over a period of time. However,
the loss statistics make it clear that the focus on protecting individu-
als’ data and privacy in the context of their role as employees and
in their personal lives is a significant area of teaching and research
(CSEC, 2017). The recommended knowledge elements in the Human
Security knowledge area include identity management, social engi-
neering prevention, assurance of workforce and individual awareness
and understanding, assurance of broad-scale social behavioral privacy
and security, and the elements of personal data privacy and security
protection.

Knowledge Area Seven: Organizational Security

Organizational security is historically the most well-known and
commonly discussed aspect of all of the nontechnical areas and is
discussed in Chapter 9. The general content and focus of this area
is embodied in the recommendations of the National Institute of
Standards and Technology’s workforce framework (NIST SP 800-181),
in the “Oversee and Govern” workforce category (Newhouse, 2017).


The Organizational Security area encompasses all of the relevant
processes and behaviors for the rational oversight and control of the
overall cybersecurity function. This is understandably a very large ele-
ment of the CSEC2017 model since the controls embody all of the
traditional countermeasures that are associated with the general pro-
tection of the organization as a whole. This includes the deployment
and oversight of controls to ensure proper monitoring and response to
intrusions on the technological attack surface, as well as the entire set
of standard behaviors associated with the human attack surface.
The purpose of the knowledge that is embodied in the Organizational
Security area is to assure the organization against all relevant cyber-
security threats, as well as manage the inherent risks associated with
the successful accomplishment of the organization’s mission (CSEC,
2017). Consequently, the elements in this area include a detailed set
of recommendations for the risk management process, the setting of
governance and policy strategies, long- and short-term planning, as
well as legal, regulatory, and ethical compliance.

Knowledge Area Eight: Societal Security

The Societal Security knowledge area is revolutionary and reflects the
growing awareness of the impact of virtual space on the average
person’s life. Chapter 10 deals with the knowledge items in this category
that, for better or worse, broadly impact every citizen in our society.
These knowledge elements are essentially still in need of refinement;
however, their inclusion opens the door to their integration into the
overall understanding of how virtual space needs to be channeled into
institutional actions that are beneficial to the global community as a
whole. This includes thought models for approaching the problems
of cybercrime, the legal and ethical dictates associated with good
citizenship, as well as social policy, personal privacy, and how that
relates to the formal mechanisms of conventional cyberspace (CSEC,
2017). The specific recommendations promulgated in this area center
on the general behaviors to prevent or alleviate cybercrime, make and
enforce laws in cyberspace, ensure ethical thinking when it comes to
functioning in cyberspace, as well as the elements of what constitutes
proper cyber policies and privacy regulation.
Real-World Utilization of the CSEC2017 Body of Knowledge

As a matter of practical application, the range of requisite skill sets
comprising the discipline of cybersecurity spans the gamut from
the technical to the procedural. As we have discussed, there have
always been familiar technical areas that are part of the everyday
study of cybersecurity. However, there are also related processes
and behavioral aspects of the field that have been beautifully cap-
tured in the CSEC2017 body of knowledge. This specific set of
eight highly integrated knowledge areas are all required to under-
write the strategic and operational practice of the profession of
cybersecurity.
Therefore, the practical instantiation of a formal cybersecurity
study should incorporate an inclusive range of elements, all of which
are designed to impart the requisite technical and behavioral knowl-
edge. Besides the ability to design effective strategic and procedural
controls, the behavioral learning elements also call out the critical
thinking and analysis capabilities necessary to conceptualize effective
and practical real-world cybersecurity systems (CSEC, 2017). There
are also requisite skills implicit in cybersecurity work, which includes
the ability to function well in teams, communicate effectively with
nontechnical audiences, and understand the wide range of resourcing
aspects of projects (CSEC, 2017).
Finally, because cybersecurity impacts everybody, it is also nec-
essary that cybersecurity professionals are able to work effectively
within a wide range of cultural circumstances. Specifically, the U.S.
Chief Human Capital Officers Council (CHCO) has developed a list
of nontechnical competencies that should be considered to be part of
the cybersecurity skill set. As shown in Figure 1.10, the list includes
the following skill sets (CSEC, 2017, p. 78):
• Accountability
• Attention to detail
• Resilience
• Conflict management
• Reasoning
• Verbal and written communication
• Teamwork.

Figure 1.10 Cybersecurity skill set competencies: accountability, attention
to detail, resilience, conflict management, reasoning, verbal and written
communication, and teamwork.

It should be noted that the CSEC2017 report makes it clear that
adaptability is the key behavioral quality that every practitioner will
need to exhibit. In essence, the cybersecurity professional must be able
to adapt readily to changes in “environmental conditions and
situational contexts” (CSEC, 2017, p. 79). That capability is
particularly essential because, given the rate of technological growth,
every cybersecurity professional will need to know how to use emerging
technologies as well as embrace the change that will inevitably occur
(CSEC, 2017).

CSEC2017 Framework Areas of Application

Finally, the CSEC2017 provides a particularly useful recommendation
about the academic areas of study, called the application areas, where the
practical application of cybersecurity knowledge is important (CSEC,
2017, p. 80). The application areas are a practical way for the developers
of the CSEC2017 to associate the embedded competencies of their
model with potential real-world career applications. The application
areas themselves define the depth of coverage associated with each of
the core ideas in the CSEC2017 (CSEC, 2017). This allows individuals
to associate the CSEC2017 recommendations with the existing workforce
models that will be thoroughly discussed in the next chapter.

Figure 1.11 Application areas of the CSEC2017 framework: public policy,
procurement, management, research, software development, operational
security, and enterprise architecture.

As shown in Figure 1.11, the seven application areas included in
the CSEC2017 Report are (CSEC, 2017, pp. 80–81) as follows:
Public Policy: Decision makers must pass laws, develop regula-
tions, and set policies that affect the development, deploy-
ment, and use of information technology; regulators will
control the applications of these mandates; and relevant public
and private officials will develop de facto public policies that
will impact cybersecurity solutions. These individuals need
to be capable of understanding what a cybersecurity protec-
tion system is capable of accomplishing and what it can’t do.
This also means that decision makers must understand every
aspect of the cost of security in both budgetary and human
terms (CSEC, 2017, p. 80).
Procurement: Those who acquire information technology, and
who hire the people who will work with it, must understand
the inherent risks of supply chains as well as both the business
continuity and risk management implications. The responsibility
is to know what is required of the constituent people,
systems, infrastructure, procedures, and processes in a cybersecurity
solution in order to provide the desired level of security
(CSEC, 2017, p. 80).
Management: Managers need to work with issues associated
with threat and concomitant risk. They must understand that
compliance and business continuity issues are factors in their
day-to-day oversight. Managers must make certain that the
people who are using the systems that fall under their areas
of accountability are properly authorized. Also, managers
must be well versed in the ins and outs of effective identity
and authorization management. Technological evolution will
require that those managers understand the purpose of tests
and reviews and all other forms of assurance. Finally, managers
need to have a basic understanding of both incident management
and accident recovery (CSEC, 2017, p. 81).
Research: Scholars who are dedicated to advancing knowledge
in the field of cybersecurity must understand the purpose
and application of the fundamental principles of the field.
Those include such well-known aspects as access control and
trust management. The actual requirement for scholars and
researchers will vary widely depending on the specific focus
of their study. But in all respects, their research will be based
on a well-defined and commonly accepted understanding of
the field (CSEC, 2017, p. 81).
Software Development: All individuals directly associated with
the system development, maintenance, and the acquisition
needs of the software process need to understand the basic life
cycle concepts of good software engineering. This includes the
life cycle areas of requirements specification, design, coding,
and assurance. They also must understand that these factors
are often controlled by laws, regulations, business plans, and
organizational factors (CSEC, 2017, p. 81).
Operational Security: It is essential that day-to-day cybersecu-
rity practitioners are familiar with the fundamentals of security
operations. Additionally, system administrators, system security
officers, and all other information security personnel must
understand how to translate requirements into procedures and
configurations. Finally, cybersecurity workers need to understand
the basics of system maintenance (CSEC, 2017, p. 81).
Enterprise Architecture: Last but not least, because the
enterprise architecture has a direct impact on the security
of the infrastructure, enterprise architects, designers, and
planners must be familiar with, and able to work with, the
policy, procurement, management, and operations application
knowledge specified in the CSEC (2017, p. 80).

Thirty Review Questions: Introduction to the CSEC Standard

1. Why is cybercrime an important societal issue?
2. What are the two specific reasons why our national
infrastructure is vulnerable?
3. What is the single logical criterion for judging the success of
a cybersecurity effort?
4. Why is it important to understand the difference between
“cyber” and “security?”
5. What is an “attack surface?”
6. Besides electronic, what other two areas of security comprise
the attack surface?
7. How does the adversary change the demands on IT’s tradi-
tional assumptions?
8. What is a “nontechnical hack?”
9. What causes “exploitable gaps?”
10. What does a “holistic” solution to cybersecurity contain?
11. Why is it difficult to create a unified vision of the essential
concepts of cybersecurity?
12. What must be defined to ensure a unified understanding of
the elements of the field?
13. What is the role of standard bodies in underwriting this
understanding?
14. Why is education the key to a fully capable practice of
cybersecurity?
15. What is a unified body of knowledge? Why is it necessary for
the education process?
16. What is the role of the “learned societies” in creating BOK?
17. How is an academic study created? What other fields require
BOK?
18. What are the four societies that guide the practice of
computing?
19. Why are joint recommendations from those societies important?
20. What are the eight commonly accepted domains in the body
of knowledge of cybersecurity?
21. Why is there a gamut of skill sets involved in the practice of
cybersecurity?
22. What are the three common organizational areas that must
work together?
23. What are the strategic abilities that are required to conceptu-
alize effective controls?
24. What are the affective skills implicit in cybersecurity work?
25. Why is cultural understanding important to cybersecurity work?
26. List the seven nontechnical competencies associated with
cybersecurity work.
27. Which one of these areas is the key behavioral quality that
every practitioner will need?
28. What is the purpose of the application areas in CSEC2017?
29. What do the application areas define?
30. What are the seven application areas and why are they
important?

You Might Also Like to Read

• Bonney, Bill, Gary Hayslip, and Matt Stamper, CISO Desk
Reference Guide, CISO DRG Joint Venture Publishing, San
Diego, CA, 2019.
• Brooks, Charles J., Christopher Grow, and Philip Craig,
Cybersecurity Essentials, 1st Edition, Sybex, London, 2018.
• Friedman, Allan and Peter W. Singer, Cybersecurity and
Cyberwar: What Everyone Needs to Know, Oxford University
Press, Oxford, 2014.
• Gregory, Peter H., CISM Certified Information Security
Manager All-in-One Exam Guide, 1st Edition, McGraw-Hill
Education, New York, 2018.
• Harris, Shon and Fernando Maymi, CISSP All-in-One Exam
Guide, 8th Edition, McGraw-Hill Education, New York, 2018.
• Hasib, Mansur, Cybersecurity Leadership: Powering the Modern
Organization, 3rd Edition, Amazon Publishing, Seattle, WA,
2014.
• Shoemaker, Daniel and Wm. Arthur Conklin, Cybersecurity:
The Essential Body of Knowledge, Cengage Learning, Boston,
MA, 2011.
• Shoemaker, Daniel, Anne Kohnke, and Kenneth Sigler, A
Guide to the National Initiative for Cybersecurity Education
(NICE) Cybersecurity Workforce Framework (2.0) (Internal Audit
and IT Audit), Auerbach Publications, Boston, MA, 2016.
• Stallings, William, Effective Cybersecurity: A Guide to Using Best
Practices and Standards, Addison-Wesley, Boston, MA, 2018.
• Zinatullin, Leron, The Psychology of Information Security:
Resolving Conflicts between Security Compliance and Human
Behaviour, IT Governance Publishing, Ely, Cambridgeshire,
UK, 2016.

Chapter Summary

• The development of the Internet is the most significant
advance in technology since the invention of moveable type.
We need to adjust to the impacts of that change.
• The sole characteristic by which a cybersecurity effort should
be judged is whether it is able to effectively prevent loss or
harm to the assets that are under its protection.
• The presence of the adversary imposes a different set of
demands on the protection process.
• The most logical way to subvert a cybersecurity defense is
through the PRC. An approach that does not target the
technology directly is called a nontechnical hack.
• A nontechnical hack is an action that targets behavioral
weaknesses, rather than electronic ones.
• The human attack surface comprises every possible way
that human behavior might compromise an asset or breach
confidentiality.
• Because nontechnical hacks are rarely defended against, they
have become the PRC.
• A complete cyberdefense rests on a three-legged stool; elec-
tronic, human, and physical controls.
• The generic term “holistic” has been adopted to describe a
state where every aspect of threat has been considered and
countered.
• Every profession is built around common understanding of
the proper practices of the profession.
• An officially sanctioned universal body of knowledge is the
foundation of every new educational endeavor.
• Formal authorization of a body of knowledge is always the
responsibility of the group that is acknowledged to be the
overseer and sanctioner of the academic study.
• The recommendations of the CSEC2017 body of knowledge
provide educators and their students with an authoritative
understanding of the complete set of knowledge elements for
the field of cybersecurity.
• These recommendations represent a single conceptual model
for the study of cybersecurity. There are eight generic
knowledge areas: Data Security, Software Security, Component
Security, Connection Security, System Security, Human Security,
Organizational Security, and Societal Security.

Keywords

Architecture – the design and implementation of an underlying
framework of processes
Best Practice – a set of lessons learned validated for successful
execution of a given task
Controls – a discrete set of human or electronic behaviors set to
produce a given outcome
Critical Asset – a function or object that is so central to an opera-
tion that it cannot be lost
Cybersecurity – assurance of confidentiality, integrity, and avail-
ability of information
Infrastructure – a collection of large components arrayed in a
logical structure in order to accomplish a given purpose
Reliability – proven capability to perform a designated purpose
over time
Strategic Planning – the process of developing long-term plans of
action aimed at furthering and enhancing organizational goals

SECURING CYBERSPACE IS EVERYBODY’S BUSINESS 37

1 Business Strategy and Value Preservation
The superior man, when resting in safety, does not forget that danger may come.*
Confucius

1.1 CORPORATE STRATEGY IN AN ERA SEEKING SUSTAINABLE SUCCESS


So far the twenty-first century has already seen a litany of corporate failures and financial scandals that have had a significant impact on the reputation of the corporate world, and perhaps more tellingly on broader society. The early part of this century highlighted the dangers of excessive optimism with the boom and bust of the dotcom bubble, and it also identified continued weaknesses and deficiencies in corporate behavior resulting in the demise of corporate giants such as WorldCom, Enron, and Arthur Andersen. At the time such events were heralded as valuable lessons and served as warnings for future generations. Less than a decade later, the dangers of excessive optimism were again highlighted, this time by what is now commonly referred to as the great financial crisis, which affected the planet on a global scale and whose impact is still being felt in many geographic regions (UNCTAD 2010).
These events have clearly shaped how society, in general, now views the corporate world and indeed how it views the working of capitalism and the capitalist system. As a consequence, stakeholders all over the world are now placing increased pressure on organizations to focus on their stakeholder obligations, with a view to delivering sustainable value to stakeholders in the long term. This has resulted in more and more organizations recognizing their obligations in this regard, and many are now duly focusing their attention on the concept of sustainability and the delivery of long-term stakeholder value.

* Per The Best Confucius Quotes, April 2015, James Alexander, Crombie Jardine Publishing Ltd, Bath, UK.

4 Corporate Defense and the Value Preservation Imperative

There now appears to be an increasing recognition that any such long-term obligation can only be delivered once the concept of sustainability in its broadest sense has been successfully incorporated into how the organization does its business. This means that long-term sustainability must be embedded into the organization’s vision and become a common feature of consideration at strategic, tactical, and operational levels within the organization itself. It means addressing it within the corporate strategy.
Traditionally, the concept of corporate strategy was considered to be concerned with helping to ensure that the organization was capable of providing sustainable above-average industry performance, thereby allowing it to perpetually deliver superior returns and help create wealth for its shareholders. The global financial crisis, however, clearly exposed systemic weaknesses in the prevailing corporate strategy on an international scale. The subsequent fallout from this seismic event has resulted in the reputation of the corporate world being severely tarnished in the eyes of many stakeholders. The resulting negative impact has been felt not only by shareholders but also by management, staff, clients, business partners, suppliers, regulators, local communities, and indeed society in general, who have all eventually suffered as a consequence of flawed corporate strategies.
The corporate world now faces multiple pressures to reform the manner in which business is conducted and how individual organizations are managed. Stakeholders are now demanding higher standards of corporate citizenship in terms of integrity, ethics, and accountability. They are also demanding an improved strategic direction in order to provide them with greater protection and assurance going forward. Increasing pressure in the form of proxy advisor demands and pressure from stakeholder activist groups has prompted a rigorous search for an improved approach to corporate strategy, one that is aimed at helping organizations to foster an age of long-term sustainability.

1.1.1 CORPORATE STRATEGY: A HIGH-LEVEL PERSPECTIVE


Corporate strategy is typically concerned with the overall scope and direction of an organization’s strategic activities. It is concerned with the big picture, the complete strategic scope of the enterprise, and how its various business activities operate together in order to help achieve particular strategic goals and objectives. Corporate strategy is commonly used to help develop a long-term plan for a company’s success, the main purpose being to help ensure that the business can outlast the competition over the long term, regardless of the type of internal or external conditions that may present themselves. It is regarded as the roadmap to be followed by the organization and can also impact on its culture and be a driver of corporate behavior.

1.1.1.1 The Strategic Agenda


Corporate strategy will be dictated by the organization’s strategic agenda. Typically, the board of directors sets an organization’s strategic agenda after giving due consideration to the relevant organizational conditions. The strategic agenda should be set to address the organization’s aspirations in relation to issues such as growth, performance, and change. The board, in association with the executive management, should provide the vision and leadership required to determine the appropriate path that they consider will best deliver on the organization’s aspirations over time.
An organization’s aspirations should represent a reflection of its culture and the expectations of the organization as a whole. Corporate culture is commonly referred to as the smell of the place or how things are done around here. An organization’s culture reflects the common shared values and ideals that are embedded within the organization. Values include the beliefs that are shared throughout the organization. They drive culture and strongly influence the behaviors, actions, and decisions of the board, management, and staff. The organization’s aspirations are reflected in its sense of raison d’être, its aim, its reason for being. Its aspirations reflect the purpose of the organization, its ambitions, and the planned journey ahead. This journey ahead is best understood and described in the organization’s vision and mission statements.
Business Strategy and Value Preservation 5

1.1.1.2 Vision and Mission Statement


The requirement for a vision and mission statement is aptly described in the following words by the late Warren Bennis, an influential authority on leadership, when he said: “To choose a direction, an executive must have developed a mental image of the possible and desirable future state of the organization. This image, which we call a vision, may be as vague as a dream or as precise as a goal or a mission statement” (Hindle 2008).

The vision: Ideally the corporate vision should help to immediately visualize the big picture by providing a description of the organization’s desired future state. It represents a broad, forward-thinking image that the organization should have for its purpose and intentions before it sets out to achieve its goals and objectives. Typically a corporate vision should be short and succinct, and represent an inspiring image of its mindset and aspirations. It should describe where the organization wishes to go and what it is trying to create and develop. Ultimately it should describe what it intends to achieve in the future and should represent a source of motivation for the workforce.
Mission statement: A mission statement should typically be more detailed than the corporate vision and represent a statement of rationale regarding the fundamental purpose of the organization. It should help guide the decisions and actions of the organization, and it is therefore important that it is stated clearly so that it is understood by all and can serve as a constant reminder to its stakeholders of the purpose of the organization’s existence. It can be used as a reference point to evaluate current activities or to help resolve trade-offs or disputes between different stakeholders. The mission statement should broadly outline the aims of the organization and what unique contribution the organization provides to its stakeholders. The lack of a clear mission statement diminishes the organization’s ability to verify that it is progressing on its intended course.

The vision and mission statements help provide a background to the organization’s strategic objectives for the future, without specifying the measures that need to be taken to help achieve the desired goals. In this way, they help to provide a context within which the organization’s strategy can be formulated.

1.1.1.3 Managing Corporate Strategy


The clearer the organization’s vision and mission statement, the easier it is for the strategic management of the organization to clearly oversee the setting and implementation of its corporate strategy. The corporate strategy represents a statement of strategic intent for the organization by way of strategic objectives. The strategy itself should be based on the principal findings of the strategic assessment conducted by the organization’s strategic management. It should clearly outline the strategic choices that have been made and the rationale supporting these choices. Corporate strategy refers to the highest business strategy of the organization. It should address the mix of markets the organization intends to compete in and the way in which the strategic network should be coordinated and integrated.
The board of directors and the executive management team are expected to bring considerable professional experience and diversified business insight to their contribution on the organization’s corporate strategy. Their sound judgment, specialist knowledge, and leadership qualities will be of particular benefit when deciding on which services, products, and markets to compete in, and in which geographic regions to operate. Management of the corporate strategy process typically involves a number of basic phases.

Strategy formulation: The corporate strategy is in effect the path that has been chosen in order to arrive at the end vision. It therefore represents the roadmap by which the organization intends to complete its mission. A clear formulation of the corporate strategy should help the board and executive management to connect the ideas, assumptions, and decisions that are driving the organization’s strategic agenda. It should help to provide a definite plan of action going forward to achieve this end. In determining corporate strategy, due consideration should be given to matching the organization’s strategic activities to the organization’s environment, its available resources (e.g., people, processes, and technology), and the extent of its capabilities. Due consideration should also be given to the values the organization wishes to espouse and the expectations to be set for its various stakeholders. The strategy formulation process should help set the organization’s strategic objectives and help to identify and select an appropriate business model. It should clearly state the organization’s strategic goals and outline the strategic measures and initiatives required to achieve these objectives. These strategic goals should be tangible and achievable in order to be helpful in guiding all of the organization’s business activities going forward.
Strategic planning: Corporate strategy is typically implemented via a strategic plan; however, there are many examples of organizations whose failure was attributed to their inability to successfully execute their strategy in practice. Successful strategy implementation requires a carefully planned approach, a very high level of discipline, and the effective implementation of critical business activities in order to make it work. It is unreasonable to expect the attainment of strategic goals without adherence to a carefully planned approach and the implementation of the required tasks. The strategic planning process should consider the corporate culture, the resources available to the organization, and the projected timescales required to achieve the stated strategic objectives. The strategic plan should guide and direct the subsequent tactical and operational planning exercises, in order to help ensure that these plans are in alignment with the organization’s strategic objectives. The resulting plans should identify tasks that are specific and measurable and will noticeably contribute toward the achievement of the strategic objectives. Many strategies fail due to poor or inadequate planning, and the quality of the final plans is generally a reflection of the quality of the planning process.
Strategy execution: Once a clear strategic plan has been formulated, the executive management is then responsible for ensuring the effective and efficient implementation of that corporate plan. Execution of the corporate strategy via implementation of the strategic plan is critical to success and should never be underestimated, as it is never guaranteed. Indeed, many strategic commentators suggest that execution is the key to competitive success, as making the plan work can be an even bigger challenge than formulating strategy or creating a strategic plan. There are many factors that can hinder successful execution, including internal politics, resistance to change, and the occurrence of hazard events. Execution involves putting the plan into action by translating planned tasks and activities into the completion of verifiable actions. It involves the effective performance of the necessary tasks outlined in the plans, and this requires considerable organization and the employment of resource management and change management practices. This is perhaps best achieved using a top-down approach that incorporates the full chain of command so that the required action steps are performed at strategic, tactical, and operational levels. The executive management team needs to collaborate with the line management to help ensure timely, effective, and efficient performance of the required tasks.
Strategy review: Once a strategy is executed according to the plan, there is a reasonable expectation that it will prove to be successful; however, a successful outcome can never be assumed or taken for granted, as there is many a slip between the cup and the lip. The strategy needs to be a living, breathing concept that is continuously monitored and assessed. The success or failure of a corporate strategy cannot be adequately assessed without a process to review how well the strategy is performing in practice. This should involve comparing the actual results against the benchmark of intended milestones and outcomes. A strategy review process represents an evaluation of the corporate strategy and substrategies, and an appraisal of the execution of the strategic plan. The process of strategy review is equally as important as the processes of strategy formulation, strategic planning, and strategy execution, as it evaluates the logic and rationale of the original strategy and appraises the effectiveness and efficiency of the implementation of this strategy. It enables the organization to focus on the appropriateness of the current strategy and to question the soundness of previous assumptions, which may no longer stand up to scrutiny due to changing circumstances and the dynamic environment of the twenty-first century. It allows an organization to re-evaluate the validity of the previous strategic choices and the extent to which ongoing performance has helped achieve the desired results. It also allows an organization to measure the variance that exists between the original desired results and the organization’s actual results.

In certain cases, a strategy may prove to be successful from the very beginning, and the organization may be prepared to ratify it and endorse it going forward. In other cases, it may be determined that there is considerable room for improvement and that the existing strategy needs to be modified or adjusted accordingly. The extent of this modification will need to be considered on the back of the results of the strategy review. In certain scenarios, the results may indicate that serious corrective action is required. In such cases, the existing strategy may be rejected as a failure, and it may be determined that a new strategy is required and needs to be formulated.

1.1.2 SHORT-, MEDIUM-, AND LONG-TERM ORIENTATIONS


An old Chinese proverb states that a journey of a thousand miles begins with a single step, and so it is with corporate strategy. When considering the topic of corporate strategy, it is important to bear in mind that although an organization’s vision may reside in the distant future, the corporate strategy should present a roadmap that will guide the organization toward the achievement of this long-term vision. This involves not only clearly identifying the organization’s long-term strategic objectives, but also setting achievable strategic goals in the medium and short terms. Ideally short- and medium-term goals should be aligned to long-term strategic objectives so that the achievement of short- and medium-term goals acts as a stepping stone to the accomplishment of the longer-term strategic objectives, in the process fulfilling the organization’s mission statement and ultimately realizing its corporate vision.

1.1.2.1 Short- or Long-Term View: A Sprint or a Marathon?


Although the adoption of a long-term focus in order to realize the corporate vision is indeed a worthy ambition, in the modern world it has to be acknowledged that a short-term focus is necessary in order to ensure immediate day-to-day survival. Short-term gains are required in order to achieve long-term growth; however, excessive short-term gains can sometimes be to the detriment of long-term growth and stability. It must, however, be accepted that to be successful in the long term, an organization also needs to have a certain degree of short-term success.
In the wake of the great financial crisis, many economic commentators are of the opinion that the world’s financial markets are somewhat addicted to the short-term view, which in turn leads to an unhealthy obsession with the achievement of monthly revenue targets and quarterly earnings. In this light, short-sighted remuneration and compensation structures also often intensify this obsession. In fact, there is a prevailing notion that during the build-up to the global financial crisis, the business world in general became preoccupied with the pursuit of short-term gains and lost sight of the long-term bigger picture. This resulted in the development of what are often referred to as strategic blind spots that were later to negatively impact on wider society, both economically and socially.

1.1.2.2 The Way Forward


What is required is a balanced view whereby the organization has a clear understanding that there is no disconnect between an organization’s present and future, that they are intrinsically connected and do not exist in a vacuum. First, however, there needs to be an acknowledgment that short-term gains can indeed result in a long-term gain; however, excessive short-term gains can in fact result in a long-term pain. It must also be acknowledged that, in some cases, short-term pain is required in order to achieve a long-term gain; however, excessive short-term pain can in and of itself also lead to a long-term pain.
This acknowledgment can help an organization appreciate that what is required is a blended approach, where one eye is focused on the medium- to long-term horizon and the other eye is focused on addressing short-term issues that need to be handled in the present. Although sustainability is generally associated with the long term, its achievement requires focusing on the short-, medium-, and long-term horizons, and an appreciation that there are times when short-term instant gratification must be sacrificed in order to help ensure longer-term gratification.

1.2 CORPORATE STRATEGY AND VALUE CREATION


Although one organization’s vision and mission statement may differ considerably from that of
another, generally speaking, the vision and mission statements are concerned with contributing
value to the organization’s primary stakeholders. Corporate strategy is subsequently concerned with
actually delivering this value to these stakeholders over the short, medium, and long terms.

1.2.1 THE VALUE CONCEPT IN CORPORATE STRATEGY


The concept of value is an inherent aspect of twenty-first-century capitalism. The promise of value is therefore an integral part of any corporate strategy, and addressing this value proposition is an essential element of corporate strategy. Developing a value proposition is based on a review and analysis of the benefits that can be delivered by the organization to its stakeholders, less the associated costs. The residual balance represents the value proposition to its stakeholders. In order to address the value proposition, it is important to clearly understand the concept of value.
It is said that value is like beauty, in that it is in the eye of the beholder, and it is often equated with a sense of worth that in turn can act as an incentive to take a desired action. The notion of value is increasingly being measured in both quantitative and qualitative terms in order to reflect both its tangible and intangible nature. Value may have different meanings in different contexts and to different stakeholders in terms of intrinsic as well as extrinsic value. In the final analysis, an organization’s understanding of stakeholder value is best determined through engagement with its stakeholders.

1.2.1.1 Business Value as a Strategic Concept


In the realms of strategic management, the term business value is perhaps a somewhat informal concept, without any agreed consensus. The term is generally used to include various forms of value that can help determine the corporate health of an organization. More recently, the term business value is being expanded beyond traditional financial and economic value to also encompass numerous other forms of perceived value. Although historically the notion of value was predominantly associated with monetary contribution, not all forms of value are directly measured in pure monetary terms, and a broader notion is now emerging.
As well as value that may be quantified in financial terms, value may also manifest itself in what is described as utility value. Utility value represents the qualitative aspect of value, and it reflects value as perceived in the minds of stakeholders such as consumers and users through its capacity to meet individual human needs. Utility value is therefore recognizable by its demand, and in business it is realized through its consumption.
Value in the broader sense is therefore increasingly based on its worth to the stakeholder and the stakeholder’s assessment of its worth. Stakeholder value may not necessarily be assessed from a single source such as its monetary benefit, but may also be assessed in terms of what it can provide to the stakeholder and how it can help the stakeholder to achieve their various objectives. Value may therefore be measured in terms of physical, emotional, and intellectual stimulation. Consequently, the value of a product or service and the price of a product or service are not necessarily one and the same thing. In the famous words of Warren Buffett, “Price is what you pay. Value is what you get.”
Business value therefore can embrace both tangible and intangible assets such as the organization’s balance sheet value and the value associated with its business model and other intellectual capital. Indeed, the concept of business value can also embrace the theory that an organization’s value can best be viewed as a network of relationships with stakeholders who are both internal and external to the organization itself. In this context, business value is concerned with the value embedded in these relationships over time.

1.2.1.2 Value Delivery and Realization


In business, value needs to be considered in terms of the value delivered to the various stakeholders of the organization. Value delivery refers to how the organization provides benefits to its stakeholders in the short, medium, and long terms. Organizations are concerned with questions such as: what benefits are we providing, how are we providing these benefits, and who are we providing these benefits to? Follow-on questions may include: how can we improve on our delivery of value? Value delivery can therefore be considered to be a source of potential competitive advantage.
Value realization, on the other hand, can refer to the organization’s own return on its investment (financial or otherwise). Value realization involves putting in place the appropriate set of activities that are required to help ensure the expected delivery of value. The objective is to ensure that the full projected value is attained within the expected timescales. Hence the realization of value is a critical element of any successful corporate strategy. For example, once value realization starts to occur in the form of increases in cash flows, profitability, net worth, and so on, additional strategic options may begin to present themselves. Such options can include the opportunity of further growth through acquisitions, newfound interest from potential capital partners, additional strategic alliance opportunities, and enhanced exit strategies. Each organization must clearly establish its own value realization metrics in order to monitor the process effectively.
From a shareholder perspective, value may be realized through annual dividend income, or via an attractive sale or other liquidity event that provides the opportunity to transform equity into cash or other valuable liquid assets. This may involve taking up options, or the sale of stock or other assets in the organization, whether in whole or in part, at a value that is determined by the market, which may be in excess of the shareholders’ initial investment, thereby yielding a healthy return on that investment. Other stakeholders may realize value in nonfinancial ways such as through corporate social responsibility and environmental initiatives. Over time, the organization’s capacity to realize sustainable value for its stakeholders is a function of the organization’s ability to create and preserve value on an ongoing basis.

1.2.2 THE VALUE CREATION FOCUS


What does the term value creation mean? The International Integrated Reporting Council (IIRC) describes the value creation process as follows: “Value is created through an organization’s business model, which takes inputs from the capitals and transforms them through business activities and interactions to produce outputs and outcomes that, over the short, medium and long term, create or destroy value for the organization, its stakeholders, society and the environment” (IIRC 2013a).
An organization can therefore create value over time through conducting a wide range of business activities that in turn produce outputs. These activities can occur within the many different environments in which the organization operates, both internal and external to the organization itself. This involves developing and managing relationships with its key stakeholders* with whom it interacts, and on whom it depends for its survival. Value can be maximized by fulfilling the needs of these key stakeholders while also considering the interests of society in general and the impact on the environment. The extent to which these needs and interests are addressed will determine the type of value that is created.

* The nature of the stakeholder relationship is addressed in Chapter 3, Section 3.3.3.

1.2.2.1 The Business Model


An organization’s business model describes how the organization intends to go about creating value for its stakeholders. The business model lies at the core of an organization, and its long-term success will be determined by the resilience of its business model over time. An organization’s chosen business model represents its business approach and the fundamentals of its business processes and key business activities. It reflects its system of inputs and outputs that in turn lead to outcomes that create value and help the organization to achieve its goals and objectives, and help to fulfill its mission statement in the longer term.
Organizations that operate in a number of different market segments may employ more than one business model; however, due consideration needs to be applied to appreciating the level of interconnectivity that exists between these business models and their business activities. The business model typically includes addressing a number of issues.

Key business activities: The business model should clearly identify and outline the key busi-
ness activities that the organization intends to operate. Generally an organization’s key busi-
ness activities involve the processes by which the organization intends to convert its inputs
to outputs. These outputs generally take the form of either products or services that can pro-
vide value to the organization’s key stakeholders. When considering its business model, the
organization should clarify how it intends to differentiate itself in the marketplace in terms
of such issues as its unique selling point (USP) (e.g., product differentiation, market segmen-
tation, supply chain, and distribution channels) to be used to deliver its products or services
to its stakeholders. It should focus on how the organization intends to convey its message
to its key stakeholders and how it intends to communicate with them on an ongoing basis.
The inputs: The essence of the business model is the conversion of inputs into outputs in
order to create value. The business model should clearly identify and outline the key inputs
required by the organization, which when applied through the business process will con-
vert into value-added outputs. These key inputs represent those ingredients that the orga-
nization depends on in order to deliver value. The performance of its business activities
provides the organization with its source of differentiation by converting its key inputs
from raw materials into its finished end product. Key inputs are derived from various types
of capital whereby business activities draw on many types of capital in one form or another
as inputs into the value creation process. The key inputs and how they relate to the various
capitals from which they are derived represent a critical aspect of the organization’s busi-
ness model. How the corporate strategy links key inputs to capitals, opportunities, risk,
and financial performance is critical to the success of the strategy.
The capitals: The business model should clearly identify and outline the types of capitals the
organization depends on for its success. Organizations typically depend on different types
of capital whether they are considered tangible or intangible capitals. There is currently no
universal agreement on the different types of capitals, and they may be classified in different
ways by different organizations. One example is the six types of capitals identified by
the IIRC as follows: financial capital, manufactured capital, intellectual capital, human
capital, social and relationship capital, and natural capital (IIRC 2013b). These capitals
represent stores of values in various forms that become inputs into the organization’s busi-
ness model. Such capitals can be used to release value in the form of producing outputs
and outcomes when they interact and are combined, transformed, and leveraged through
an organization’s business process. Value is therefore created by the resulting increase,
decrease, or transformation of the capitals.
The overall stock of the value stores, which is provided by the capitals, is not fixed over
time, but rather it is in a continuous state of flux as the capitals are increased, decreased,
or transformed through the activities and outputs of the organization. Consequently such
interactions can in fact enhance, modify, or otherwise affect the overall capital stock.
Although in theory the organization’s aim is to create value in its capitals, in practice this
may also involve the depletion or destruction of the value stored in some capitals while at
the same time increasing it in others. In general, this can result in an overall net increase
or decrease in the overall stock of the capitals.
Ultimately whether the net effect is perceived as either an increase or decrease may
well depend on the perspective of the stakeholder concerned. In many instances, returns
in financial capital may be dependent on interrelationships among other forms of capital
in which stakeholders have different interests, for example, society and the environment.
Also, not all of the capitals required by the organization are necessarily owned by that
organization. Certain capitals may be the property of the organization, whereas certain
others may be owned, belong to, or be an entitlement of various other stakeholder groups
who in turn share in both the value created and their associated costs.
As noted earlier, there are different types of capital that organizations typically depend
on for their success; however, not all organizations are equally dependent on the same capi-
tals; therefore, different capitals will have different relevance to different organizations.
Although it is likely that most organizations will interact with all of the capitals mentioned
earlier, to a certain degree, some of these interactions may be considered immaterial in
terms of the organization’s business model.
Whether certain capitals are increasing or decreasing can affect the availability, quality,
and affordability of those capitals. This is a particular issue of concern for capitals
of which there is a limited supply, and capitals that cannot be renewed. It is
important to bear in mind that the availability and supply of certain capitals can be seri-
ously impacted by the extent to which organizations, both collectively and individually,
interact with these capitals. Ultimately, such issues can in turn have a serious impact on the
long-term viability of an organization’s business model.
Innovation: The business model should clearly identify and outline the organization’s USP
over that of its competition. An organization’s long-term success or failure may well be
determined by how the organization addresses the age-old requirement to be innovative.
The business model should clearly address the organization’s attitude to innovation and its
approach to responding to change. The flexibility of its strategy, the agility of the business
model, and the organization’s capacity and capability in adapting to change can have a pro-
found impact on the organization’s long-term viability. This may be of particular relevance
when faced with sourcing inputs and capitals, and adapting business activities. Logically,
the key to a long-term success lies in the extent to which the organization can foster an
innovative mindset throughout the enterprise so that it becomes embedded in the corporate
culture and is continually present in day-to-day activities.

1.2.2.2 The Value Creation Process


The concept of value creation lies at the very heart of corporate strategy and the business model. The
value creation process itself involves initially taking the business inputs and putting them through
the business model in order to eventually produce desired benefits in the form of business outputs
and outcomes at the other end of the process. This process can involve applying the organization’s
business processes in order to combine or transform the organization’s capitals, thus producing both
positive and negative effects on these capitals with the intended result of the creation of value for
the organization and its key stakeholders. The nature of those effects will determine the extent of
the value created and the outcomes for the different stakeholder groups.
Generally speaking, value can be created over short-, medium-, and long-term time horizons, and
it can be created through the use of different capitals and created for different stakeholder groups.
Creating value will often involve a trade-off between the effect on different capitals, some positive
and some negative. Such a trade-off should consider the effects both individually and collectively.
Assessing the nature of the value created involves considering the nature of the interdependences
that exist between the capitals and their relationships with the various stakeholder groups. It is
doubtful that long-term sustainable value can be created by solely focusing on increasing one indi-
vidual capital at the expense of all of the other capitals. The value creation process is typically
concerned with a number of issues.

Value drivers: The value creation process is concerned with determining the organization’s
value drivers. Typically it is the organization’s value drivers that distinguish it from its
competitors as they have a critical role to play in the organization’s ability to create value
over the short, medium, and long terms. Value drivers can vary by types of business; they
can be generic, industry specific, or organization specific and their range can vary from
one organization to another. They reflect certain key elements, characteristics, or attributes
that make an organization attractive to its stakeholders. Such elements consist of those
unique activities, capabilities, and core competencies that enable an organization to pro-
vide a perceived competitive advantage in the perception of its stakeholders.
Value drivers may be tangible or intangible as both can contribute to the creation of
value by an organization. They may reflect tangible assets owned by the organization or
intangible assets that help to increase the overall desirability of the organization in the eyes
of its stakeholders. In the twenty-first century, intangible assets are now increasingly being
perceived as primary value drivers. Value drivers reflect those factors that are identified as
having the most significant impact on the future value of the organization and those factors
that can be most effectively managed and controlled. Therefore identifying and managing
value drivers can help an organization to focus its attention on the key activities that are
most likely to help in achieving its short-, medium-, and long-term goals and objectives.
Outputs and outcomes: The value creation process is concerned with determining the organiza-
tion’s required outputs and preferred outcomes. From a value creation perspective, there is a
subtle but important distinction between an output and an outcome. The organization’s busi-
ness model represents a series of processes and activities that convert inputs to outputs. As
outputs tend to be process driven, they therefore refer to planned deliverables whereby the end
product typically tends to be tangible in nature and therefore can be accurately anticipated in
advance, and precisely and objectively measured in quantitative terms on completion.
Outcomes, on the other hand, refer to the impact that the outputs may have on the stake-
holders, both internal and external. Stakeholder reaction is typically reflected by its impact
on the organization’s capitals. Outcomes therefore relate to the ultimate payoff, the value
added to the stakeholder as a direct or indirect result of the outputs. Therefore outputs have
an impact on outcomes, but it is important to appreciate that they are not the same thing. As
outcomes tend to be reaction driven, they are by their very nature less predictable than out-
puts and hence more difficult to anticipate as they can take place over multiple time frames.
Although an outcome may be less predictable, it is still measurable in terms of its impact
(financial and nonfinancial) on the organization’s capitals. This measurement may be more
subjective and qualitative when dealing with nonfinancial capitals. Although outcomes can
result in the anticipated, planned, or intended consequence of an output, it must also be
understood that they can also result in an unanticipated, unplanned, or unintended consequence.
As an outcome represents the occurrence of a change in circumstance for a stakeholder,
which is a result of targeted outputs, it is important to understand that such a change can have
either positive or negative consequences, which means that an outcome can present either a
potential upside or a potential downside for the stakeholder and in turn the organization itself.

Although the traditional corporate strategy and the setting of strategic objectives have been
primarily concerned with focusing on the potential upside and intended positive outcomes, an emerging
contemporary view holds that corporate strategy must also include a sufficient
focus on the potential downside and unintended negative outcomes. A balanced corporate strategy
should therefore incorporate a degree of both value creation and value preservation.

1.3 DEFENSE OF THE REALM: THE VALUE PRESERVATION IMPERATIVE

In business as in many other aspects of life, the reality is that the nature of uncertainty means that
an organization’s activities can either have a positive or a negative impact on the value it delivers to
its stakeholders. Over a prolonged period of time, this value experience may include numerous fluc-
tuations as a result of both positive impacts and negative impacts. Successful organizations however
depend on their ability to both create and sustain value over the short, medium, and long terms.
Over the long term, value is compounded by both creating and preserving value.
Once an organization has succeeded in creating value, it then faces the dual challenge of continu-
ing to create value on an ongoing basis while simultaneously ensuring that it can also preserve the
value that is created. Therefore, a focus on value creation alone is not considered sufficient; it
must be accompanied by a focus on value preservation. In any event, successful organizations learn
to continuously monitor the dynamics between value creation and value preservation. Unfortunately
in many unsuccessful organizations, although value creation quite rightly received due consideration
in corporate strategy, there is far less evidence to suggest that value preservation received
similar consideration. In general, it would appear that the requirement to preserve value is much less
appreciated and therefore is often neglected.

1.3.1 THE CONCEPT OF VALUE PRESERVATION


What precisely is meant by the concept of value preservation? If on the one hand value creation is
primarily concerned with delivering a potential upside, then on the other hand value preservation is
primarily concerned with protecting against a potential downside. Indeed, there are some who would
argue that a dollar of value preserved is indeed a dollar of value created. Logically organizations that
exhibit an ability to preserve the value they have created over an extended period of time tend to be
successful, whereas organizations that are unable to preserve their value tend to fall by the wayside.
An inability to successfully preserve value will inevitably result in a decline in, or destruction of,
value. The value preservation concept therefore lies at the heart of lasting sustainability.
The value preservation imperative represents an organization’s obligation to its stakeholders to
take adequate steps to preserve value. It represents the measures (formal or otherwise) taken by
an organization to defend itself and the interests of its stakeholders from a multitude of potential
hazards (i.e., risks, threats, and vulnerabilities), the occurrence of which could be detrimental to the
achievement of the organization’s objectives. To successfully deliver on this obligation, an organization
requires an appropriate program for self-defense.

1.3.1.1 The Threat of Value Reduction and Destruction


In business, organizations are constantly faced with the threat of value reduction, and often it is the
extent of any value reduction that can determine the organization’s ultimate fate. The existence of
such a threat is simply the reality of doing business. The root cause of such threats can vary consid-
erably, as can their timing and scale. Ultimately there are an unlimited number of events or series
of events that can occur over the short, medium, and long term, which can result in the reduction or
destruction of stakeholder value. Protecting and defending against the loss of stakeholder value is
the kernel of the value preservation imperative. This includes an obligation to take adequate steps
to anticipate, prevent, detect, and react to hazard events in order to avoid, mitigate, and manage any
potential exposure in a timely manner. Although the extent to which an organization was expected
to fulfill this obligation may once have been perceived as somewhat optional, this is no longer the
case as it is now considered a business imperative whereby stakeholders expect and demand increas-
ingly higher levels of due diligence in this regard.

1.3.1.2 Value Erosion, Depletion, and Decline


Organizations need to be wary that value can decline in a number of ways, ranging from its sudden
depletion as a result of an unexpected liability, its gradual erosion over time due to an outdated or
inflexible business model, or its complete destruction due to flawed strategic assumptions. Without
taking adequate steps to help preserve value, stakeholders of the organization may find their value
being eroded and the organization may find its value declining year on year. Such a decline in value
can be witnessed in many different ways, all of which can result in a negative impact for stake-
holders either directly or indirectly. For example, it can be witnessed in decreasing market shares,
decreasing revenues, increasing costs, decreasing assets, increasing liabilities, lower profits, higher
losses, lower share prices, and lower market capitalization.

1.3.2 THE CORPORATE DEFENSE NECESSITY*


In order to help preserve value, organizations are now expected to take steps to protect stakeholder
value, and the protection of stakeholder value is synonymous with corporate defense-related prac-
tices such as corporate governance, risk management, and compliance activities. Such practices are
considered necessary to help defend stakeholder value against the vagaries of any potential threats
that could result in value reduction or destruction. In the eyes of an increasing number of stakehold-
ers, once value has been created, it then needs to be protected and defended.
The cost associated with defending stakeholder value was traditionally considered to be part of
the inherent costs of doing business; however, more enlightened organizations are no longer regard-
ing this as a cost but rather as an investment in the organization’s own long-term sustainability. This
suggests that corporate defense-related practices can also represent an opportunity for the organiza-
tion to create a competitive advantage in the form of security over stakeholder value. It is anticipated
by some that such stakeholder value security will in time attract a premium that will be factored into
future stakeholder value calculations.

1.3.2.1 Defending and Safeguarding Stakeholder Interests


The calculation of stakeholder value involves an assessment of the extent to which stakeholder
value is being optimized, and this can include the extent to which stakeholder interests are being
safeguarded. In other words, there is an expectation that organizations are not only working toward
adding to, or increasing, stakeholder value, but also taking measures to protect the existing
stakeholder value from decline. For example, shareholders expect the organization to take measures to
help protect the organization’s share price and its market capitalization.
In the twenty-first century, stakeholders are now demanding at least reasonable levels of due dili-
gence in this regard and are increasingly prepared to hold the organization to account should they be
considered negligent in their efforts. At a minimum, there is now an expectation that the organiza-
tion will take all appropriate measures to ensure that it has adequate corporate defense initiatives in
place. Organizations are expected to at least be able to provide reasonable comfort that stakeholder
value will not be diminished.

* Failure by an organization to recognize this necessity will be seen by many stakeholders as representing a strategic
“Red Flag”.

1.3.2.2 The Necessity for Improved Corporate Defense Measures


In the build-up to the financial crisis, there were clear signs that stakeholder interests were not being
adequately defended (Lyons 2006a), and the subsequent fallout from the related global economic
recession has highlighted common weaknesses and deficiencies in relation to organizations’ cor-
porate defense activities. Ongoing events continually expose how so many organizations in various
business sectors all over the world have failed to adequately defend the interests of their multiple
stakeholders. This has resulted in the reputation of the corporate sector being severely tarnished in
the eyes of many stakeholders.
Numerous national and international reviews have clearly highlighted the general failure to fully
appreciate and consider the potential threat to stakeholder value as a core issue. Many of these
reviews identified weaknesses and deficiencies in corporate defense-related activities as having a
significant contribution to the occurrence of this economic downturn and have particularly identi-
fied areas such as failures in corporate governance and the management of risk and compliance as
major contributory factors: “We conclude that dramatic failures of corporate governance and risk
management at many systemically important financial institutions were a key cause of this crisis”
(FCIC 2011). As a result, numerous stakeholder groups are now demanding improvements in the
corporate defense-related measures employed by their organizations to defend their interests. These
improvements need to start at a strategic level, beginning with looking at how the value preservation
imperative is addressed when setting the corporate strategy.

1.3.3 REIMAGINING CORPORATE STRATEGY


Historically, when setting strategy, business organizations have tended to treat the critical issues
of value creation and value preservation as separate issues. In retrospect, given the nature of
their symbiotic relationship, this has proven to be both an artificial and dangerous segregation.
Although, in general, corporate strategy does tend to formally address the issue of how the orga-
nization intends to create its value, the equally important issue of how the organization intends to
preserve its value generally does not form part of corporate strategy. A similar observation very
often applies to the foundations of the organization’s business model. The result has been a clear
distinction between the overall corporate strategy and a corporate defense substrategy, as generally
speaking the strategic echelons of the organization tend to consider the issue of corporate defense
as somewhat peripheral to corporate strategy and the business model. Consequently the board and
executive management tend to approach corporate defense-related matters with extreme caution
because they do not understand how corporate defense fits with corporate strategy. In fact, corpo-
rate defense matters can tend to become relegated so far down the strategic priority list that their
relevance becomes difficult to establish. In extreme situations, those involved in corporate defense
activities can feel as if they are regarded as almost like second-class citizens within the organiza-
tion. In such circumstances, corporate defense practices can become disengaged from core busi-
ness activities, and can very often exist in silo-type environments, whereby they operate as an
afterthought to core business activities. This type of attitude simply cannot be allowed to continue;
things have to change, and going forward the corporate defense strategy needs to be considered as
an essential element of the overall corporate strategy.

1.3.3.1 Re-Examine the Way We Do Business


In many organizations, what is now required is a fundamental re-examination of how their busi-
ness is conducted. This will involve a serious reframing of how they currently view the creation
and preservation of value in the context of their corporate strategy and business model. They will
need to redefine not only how their corporate strategy but also how the foundations of their business
model address the corporate defense conundrum. Their business fundamentals need to formally
incorporate the requirement for an adequate corporate defense strategy in order to help ensure value
preservation and facilitate the build-up of business value over time.
Logically it is much more difficult to build up significant business value over time if, while creating
new value, existing value is being depleted or destroyed at the same time. It is important that,
going forward, an organization addresses the challenge of defending stakeholder value within
its corporate strategy, that this is clearly stated in terms of strategic objectives, and that it is clearly
identified as a strategic activity within its business model. Indeed, prudence would suggest that a
sustainable corporate strategy and business model should balance the organization’s desire to increase its
value over time, with the stakeholder desire to defend the value that has already been realized. Long-
term sustainable success requires the two to go hand-in-hand, a concept that needs to be embedded
throughout the organization, and across all of its business activities. An appreciation of how an orga-
nization needs to address defending its stakeholder value has far reaching implications at strategic,
tactical, and operational levels and presents interesting challenges for the organization itself.

1.3.3.2 Corporate Defense Is No Longer Considered Optional


To establish a sustainable strategy and business model, an organization needs to actively and sys-
tematically embed corporate defense-related practices at the strategic, tactical, and operational
levels. Embedding the corporate defense concept into an organization’s DNA requires a basic
acknowledgment from the very top to the very bottom of the organization that good corporate
defense represents a business imperative, rather than some sort of prerogative or optional add-on.
Redefining strategy and the business model to incorporate the appropriate mix between the focus
on increasing value and defending value will have significant implications for the organization and
all of its stakeholders.

1.4 STRIKING A BALANCE BETWEEN OFFENSE AND DEFENSE

Figure: Military to civilian transition.

An old sporting aphorism states that offense wins games, defense wins championships. In business
speak, offense refers to the focus on bringing the dollar in through the front door, whereas defense
refers to the focus on preventing the dollar from leaving through the back door (Lyons 2014). In
other words, in the corporate world, offensive activities are associated with the organization’s focus
on upside rewards, whereas defensive activities are associated with the organization’s focus on the
prevention of downside loss. What is essential is finding the correct balance between taking larger
risks and reaping larger rewards. If organizations in the twenty-first century are to deliver long-term
sustainable value, they must learn to achieve a healthy balance between their focus on offense and
their focus on defense. Getting this balance right can help provide better opportunities for delivering
long-term sustainable value.
A commonly held view of economic theory is that the Western capitalist model is primarily
driven by the motivating factors of greed and fear. The former is the motivation to extend our-
selves in search of even greater rewards, whereas the latter is the motivation to protect what has
already been achieved lest it should be taken from us. Progress no doubt requires both, whereas
prudence and common sense would suggest that long-term sustainability requires a healthy blend-
ing of the two.
Unfortunately the search for balance, or the middle path, is not a new concept and is one that
goes back thousands of years. In Western philosophy, especially that of the Greek philosopher
Aristotle, the golden mean represented the desirable middle between two extremes, one of excess,
the other of deficiency. Another famous Greek philosopher, Socrates, taught that man “must know
how to choose the mean and avoid the extremes on either side, as far as possible.” The search for
balance continues to this day.

1.4.1 THE TAO OF CORPORATE DEFENSE


In Eastern philosophy, the Taoist tradition places great emphasis on the search for harmony
between opposing extremes or forces. Taoism refers to the concept of the yin and yang, which is
used to describe how seemingly opposing forces are inherently interconnected and interdependent
in the natural world. Each of these forces is present within the other and in turn gives rise to the
other. There are many examples of natural dualities such as dark and light, night and day, female
and male, wet and dry, and action and inaction that are cast as yin and yang in Taoist thought.
In the corporate context, perhaps the duality of offense and defense can best be understood and
appreciated when viewed in this light.

1.4.1.1 Offense and Defense Viewed as Yin and Yang


Viewing offense and defense in terms of the Taoist duality can help provide a higher level of insight
into this complex relationship. Offense (yin) and defense (yang) are considered to be antagonistic
yet complementary principles that fit together seamlessly. They represent opposites that are bound
together and intertwined, and are capable of working together in a perfect harmony. Offense and
defense are considered to be the two halves within a greater whole and together they complete a uni-
fying circle. Their relationship is not static as every aspect of business has both offense and defense
aspects, and these continuously interact and never exist in a stationary state as the balance ebbs and
flows. It is therefore impossible to talk about offense or defense without a reference to the opposite,
as offense and defense are rooted together and one cannot survive without the other. It is therefore
important that they are not separated or addressed in isolation.
In essence, offense and defense actually transform each other, as each contains a portion of the
other within it. Offense contains within it the potential for defense, and defense contains within it
the potential for offense. They are finely balanced in a dynamic equilibrium, whereby a deficiency
in one can unbalance their relationship, and if one disappears the other is very likely to follow. In
short, when either offensive or defensive activities become the subordinate, the whole is likely to
suffer eventually.

Unfortunately, in the business world, this is rarely immediately apparent because offense elements
are clear and obvious, whereas defense elements are more hidden and subtle. Therefore extremes
in offense are far more common than extremes in defense, although the latter can also occur. Ultimately,
however, extremes in either offense or defense can result in the development of an organization that
is putting its long-term sustainability in jeopardy.

1.4.2 THE CURRENT STRATEGIC IMBALANCE


Unfortunately, the financial crisis and indeed more recent corporate scandals continue to clearly
highlight the imbalance that currently exists between offense and defense in the corporate mind-
set. Recent events indicate that short-termism tends to focus disproportionately on the former, often
neglecting the latter. Such a mind-set has resulted in excessive risk taking in search of short-term
rewards at the expense of longer-term sustainability.
There were many reasons for the financial crisis, and the following strategic, tactical, and opera-
tional issues have strongly contributed to the unhealthy imbalance referred to earlier (Lyons 2012a):

• An overly narrow focus on pure financial metrics while ignoring important nonfinancial
issues
• A focus on short-term interests at the expense of broader, long-term stakeholder interests
• The lack of board-level appreciation of the necessity of having a formal, systematic
corporate defense program in place within their organization to help ensure that their
stakeholder interests are adequately safeguarded
• The lack of a seat at the C-suite table for a defense champion to challenge, scrutinize, and
add a degree of balance to the formulation of corporate strategy and policies
• The resulting lack of transparency and responsibility for corporate defense where
accountability is fragmented and diluted at the executive management level
• The lack of coherent coordination of defense-related activities at a functional level, leading
to the development of silo-type structures that are not in alignment with one another but
rather operate in isolation, resulting in both ineffectiveness and inefficiency

Although a great deal of work has been undertaken since the financial crisis to improve corporate
behavior, there is sufficient evidence available to suggest that many of these issues still need to
be addressed as weaknesses and deficiencies in corporate defense activities remain commonplace.
Examples include the rogue trader Jerome Kerviel at Societe Generale, the cyber theft at SONY, the
health and safety issues in the clothing industry in Bangladesh, and more recently the Volkswagen
emissions scandal, to name but a few. This will require a notable correction to the current imbalance
in order to create a natural harmony between offense and defense.

1.4.2.1 Achieving a Healthy Balance


The challenge facing organizations is wide ranging; however, restoring a natural equilibrium
between offense and defense in the corporate mind-set will go a long way toward improving the
situation going forward. This requires joined-up thinking and perhaps can best be achieved by a
degree of tweaking and joining of the existing dots, rather than by a complete overhaul of the entire
system.
Correction of this current imbalance requires a broader stakeholder (shareholders, clients, staff,
business partners, local communities, and society) focus and a more holistic view of how best to
safeguard these stakeholder interests in the long term. Ensuring that there is a sufficient focus on
long-term sustainability (i.e., survival) will require a subtle shift in corporate consciousness. Such a
shift will necessitate a change of attitude in relation to the fundamentals of corporate health and a
clear appreciation of corporate health requirements in the short, medium, and long terms. This will
involve further educating the corporate world so that defensive behavior can be seen in a positive
light and as being necessary for the achievement of long-term sustainability, rather than being seen
as a necessary evil. Corporate defense is not about business prevention; it is about doing the right
business in the right way.
In far too many organizations there is a defense deficit. Corporate defense is more likely to be
implied in corporate strategy rather than being considered a core element of business strategy, and
more often than not there is an absence of any formal corporate defense strategy. Corporate strategy
must therefore incorporate a balance between offense and defense in order to arrive at a natural
equilibrium. This will require a subtle blending of these antagonistic yet complementary principles
that are inherently intertwined and mutually interdependent within a dynamic system. In essence,
the principles of offense and defense represent two sides of the same coin, and therefore cannot and
should not be addressed in isolation from one another.
