The Ten Commandments of Not Getting Pwned
The purpose of "Cyber Defense Doctrine that Manages Risks: a Complete Applied Guide to Organizational Cyber Defense" is to establish a set of core principles that organizations should adhere to in order to effectively manage cyber risks and enhance their cyber resilience.
The intended audience for these principles includes organizational leaders, information security professionals, and cyber defense experts who are responsible for managing cyber risks and implementing defense strategies within their organizations
Automation and Integration process
The document emphasizes the importance of automation and orchestration processes in defense doctrine:
📌Automation and orchestration processes reduce the need for human involvement in defense and operational processes, thereby minimizing the likelihood of human error and reducing the level of exposure of various bodies to personal information
📌The document suggests adopting the MITRE ATT&CK ontology to use advanced automated solutions for continuous and ongoing control and execution of response processes. This would limit human manual involvement to exceptional cases
📌proactive defense actions should be taken to preserve information. This includes maintaining effective capabilities for dealing with information leakage events, such as acquiring the ability to remove information that has been leaked to the Internet and Darknet
📌The document emphasizes that the Chief Information Security Officer (CISO) plays a significant role in protecting information and privacy, and must harness the various bodies within the organization to maximize the level of defense
📌The defense doctrine controls are incorporated into a framework that includes aspects of identification, defense, detection, response, and recovery. Through the implementation of cyber defense recommendations and information security, aspects that serve the defense of privacy are interwoven into the controls themselves
📌The concept of defense required to address advanced threats includes advanced approaches. Using these approaches will help the organization achieve advanced capabilities, such as validation and deception in order to gain time, exhaust the attacker, and even create deterrence against potential attackers
CISO Role
The CISO plays a critical role in protecting information and privacy within an organization. This includes understanding and complying with privacy laws, balancing different interests, managing risk, guiding defense strategies, and implementing controls effectively:
📌 Protection of Privacy Law: It states that any infringement on privacy must be carried out in accordance with the law and general principles of reasonableness and good faith.
📌 Balancing Interests: The CISO must strike the right balance between different interests to enable informed decisions within the organization. This includes considering aspects of privacy and compliance with principles such as Security by Design, Privacy by Design, and Threat Informed Defense
📌 Risk Assessment and Management: a process for risk assessment and management includes defining main defense objectives, identifying defense gaps, and building a work plan to minimize these gaps. The CISO plays a crucial role in this process
📌 Management Responsibility: The responsibility for protecting information primarily lies with the management of the organization. The CISO is a key figure in ensuring this responsibility is met
📌 Defense from the Adversary's View: The CISO should understand common attack scenarios and the effectiveness of defense recommendations against them. This understanding informs the weight and priority of defense recommendations
📌 Defense based on Potential Damage: The investment in protecting each defense target should be in accordance with its level of criticality for the organization's functioning. The CISO should guide this investment
📌 Defense based on Depth of Implementation: it encourages organizations to implement controls at different levels of maturity. The CISO should examine controls according to their implementation effectiveness
📌 Organizational Classification: a classification system for organizations based on the potential damage from a cyber incident. The CISO should understand where their organization falls within this classification system to guide their defense strategy.