Don’t talk, act. Don’t say, show. Don’t promise, prove.
Justifying the Need to act
The purpose of answering the questions in this step is to explain why your organization should attempt to solve the problem.
Is the technical effort aligned with the outcomes that sync with your strategy?
In other words, will acting on the technical requirement serve the organization’s strategic goals and better the business outcomes? It is not unusual in cyberspace for an organization to focus on solving a variety of technical problems that are not necessarily in sync with its overall strategy and is not truly in line with the expected business outcomes. If that is occurring then the question becomes, is the effort justified (the expense, effort, and technical capabilities, or should the entire effort be reconsidered? If there is no true veracity to the current complete technical state of the infrastructure, how much quantifiable good will come from the investments that are being made?
A point of consideration here is to “know where you are, so you know where you are headed.” For technology this means that your organization has a very clear and concise visual inventory of the configurations that are present across the totality of your infrastructure. Most often, and there are hundreds of examples of this, an organization’s “inventory” does not look across the total infrastructure picture. This must include cloud, on premises, off premises, end points, and other potential points of compromise. But having that overall picture becomes problematic if it is attempted manually and the capabilities that are required to solve that problem can negatively impact the operational efficacy of the business as resources are pulled from one problem to try and deal with the total inventory and configuration issue. In addition, you should consider whether the problem fits with the true technical priorities; the items that actually increase the risk for the enterprise infrastructure. Not “everything” that is a potential point of compromise increases the risk with enough impact to merit the investment to remediate that issue. Having a focused and vectored technical configuration analysis and inventory of all applicable assets is what must guide that risk based decision making process.
What are the desired benefits for the company, and how will they be measured?
In most companies, the desired benefit from remediation in cyber space is expected to be an ability to better respond to potential threats and reduce the overall risk to the business. The reduction of time to effectively respond iis honestly more important than the immediacy of a reduction of risk, as risk is inherent in the nature of conducting business in a digitally enabled world. Effective response comes from an accurate picture of what is and is not under attack or an avenue of attack. Knowing that your organization can more effectively respond to an issue based on an accurate picture of the threat space means less investment in chasing technical indications that aren’t necessarily useful and an optimization of resources.
How can we ensure technology addresses the issues and align our resources for a future problem?
Assume that an indication of a compromise is found just by dumb luck. Someone in the organization must be responsible for carrying out the following remediation—whether that means installing new patches, updating technology, fixing accounts, adding firewall rules, or rebuilding an entire infection section of the infrastructure. Someone in the team is going to have to fix those issues and must respond to that need. There is no other option. The real question here now is how does one remedy this issue at the speed and scale of business while also making sure that there are no additional issues. The more connectivity that an enterprise has, the more potential compromise there is as a result of any singular exploit.
It is important at this stage to be positive of the technical and human resources that are now required. This can seem premature—after all, you’re actually still likely discovering the scope of the total problem, and the field of possible issues there could be very large, but it’s actually not too early in the process to begin exploring what technical resources you need to be better prepared in the future. In other words now that you are acting and addressing the issue, it is the time to plan for what is to come and to use the lessons learned during this response to employ technology that will empower the organization to be proactive in the future rather than reactive.
Now that you have laid out the need for a technical fix, and you have a line on the actual resources that are required you can plot out what fixes what. Having the most correct and accurate understanding of the complete technical picture and the concrete knowledge of what technologically allowed the issue to occur places the power in your hands to better maneuver in the next stage.