Digility Ltd

CS4NSP Episode 1: Introduction – Security as an Enabler

Cyber Security for Non-Security Professionals. What is the essence of cyber security and risk management. Not the ways and means. What are the ends; what are the objectives; what are we trying to achieve? Why we need to focus on what we are trying to enable, rather than on what

Brief at the Start


Start with the things that you value, and focus on what you are trying to enable rather than what you are trying to prevent.

If you are reading this series of articles then you already know that it is important to understand more about cyber security, even if security is not your day-to-day responsibility. Too often the language used is hard to understand or relate to by the layperson. Also the focus in security is frequently on the bad things that might happen and what needs to be prevented. The purpose of this series is to help non-security professionals to understand enough that they can take on greater responsibility and are able to engage more effectively with security teams.

Any discussion about security always starts by identifying those things that are important to you. In your home, you instinctively recognise the items that you would be sad to lose or break. Cyber security is no different and identifying assets of value has to be the start point.

But just locking things up is not the right answer. It will undermine the value you can get from the asset, and make it harder for you to thrive as an individual or a business. Would you lock everything of value in your home in a safe, irrespective of its purpose or relative value? Instead you should focus on what you want to enable, and then you can focus your security on preventing everything else from happening. The model we use is to define the PEOPLE we trust who need to use their DEVICES to access the ASSET within its protected ENVIRONMENT. We may also need to enable OTHER SYSTEMS to access the ASSET as well. By defining what we want to enable, we can prevent unnecessary and unauthorised activities, the THREATS, and reduce the RISK to the ASSET.


What is Cyber Security for Non-Security Professionals?

When I was leaving the Army, as part of my transition to the civilian world, I did a course called “Accountancy for Non-Accountants”, offered by the resettlement service.  It was not trying to create a financial management professional in five days; that would be absurd.  However, the world generally recognises that all businesspeople, particularly those in more senior positions, need a foundation understanding of financial management and terminology.  By the end, I could read a balance sheet, navigate a P&L, prepare a cash flow forecast, and understand concepts such as gearing.  I can have a reasonable conversation with a CFO, instruct an accountant, draft the financial elements of a business plan, and avoid appearing uneducated in the boardroom.  But if I parachuted into the dinner at the Annual FTSE 100 CFOs’ Convention, I have no doubt the most I could contribute would be an opinion on the wine we were drinking.

Why is it important?

Hopefully we don’t need to explain why it is important for leaders and managers to have a foundation understanding of cyber security. Digital resources and capabilities run through all of our organisations in response to benefits and opportunities. In turn this creates dependencies that can be exploited by malicious groups. We all use these resources, and we all have a responsibility to protect and care for them, in the same way that we have a responsibility to husband our organisation’s finances. In fact, I would argue that everyone should have this basic grasp of the topic, because in our personal lives we are responding to opportunities and in turn creating risks.

But a basic understanding of cyber security is not being able to configure a firewall. It is not being able to list the layers of the TCP/IP protocol stack.  We know we need to increase awareness and understanding across the business, particularly at the board level.  But our language sometimes descends too quickly into concepts and terms that are either lost on the audience, or lose the audience altogether.  This shouldn’t be entirely surprising.  We learn about money at a very early age.  When combined with school-level maths, the fundamentals, such as the difference between credit and debt or profit and loss, don’t need much teaching.  Even in this day and age of contactless payments and Bitcoin, we can still easily visualise the concept of money in the digital world.  Exponential technological advances, the inexorable move to the cloud, and the rise of Artificial Intelligence models that surprise even their inventors are more complicated to describe.  But we need to find a way to help this wider community to understand.  

This series of articles is not just for large businesses. They are frequently at least able to delegate responsibilities to security professionals.  A more significant issue exists with small and medium-sized enterprises where there may not be something you could call an ‘IT function’, let alone a security one. Here a lack of understanding amongst the non-security managers may well mean a lack of understanding across the entire company.

While many of the examples presented relate to businesses (large and small), our approach is just as relevant to personal cyber security.  Assets might be an individual’s digital identity on social media rather than a Customer Relationship Management application, but there is a consistent need to take a conscious and structured approach to consider what you value, and how you need to control access according to relative value.  We will write a future article to explain more explicitly how this approach can be applied to an individual, Family Office or similar entity.

We have developed some fantastic hammers, but not everything is a nail

Over the last few decades, there has been tremendous progress in developing a language and set of frameworks and methodologies that bring discipline and consistency to the cyber security profession.  This level of detail and complexity in the body of knowledge is vital.  Managing information and cyber risk effectively in a modern business is only possible with these tools.  However, there are better tools for communicating and discussing concepts with the wider stakeholders than the tools we use to ply our trade.  A rocket scientist can talk eloquently to non-rocketeers about the fundamentals of getting a rocket into space and back without needing to describe the finer points of fuel mix and fluid dynamics in the engine chamber, while also being able to get down into the dirty details of the mind-boggling complexity of making it happen.

One of our problems is that we try to use our professional tools to explain the situation to those outside of the profession.  We have developed security frameworks with phenomenal breadth and depth, which gives us confidence that we are considering all relevant areas from the most critical perspectives.  But they are huge.  The 2013 version of ISO27001 has fourteen categories of controls.  NIST 800-171 also has fourteen categories, though different from 27k.  The CIS Critical Security Controls framework (previously known as the SANS 20) has eighteen.  Stay with me if you are about to check out because of the sudden flurry of abbreviations; I was using them for effect.

These tools are excellent for programmes and practitioners, but they fail as an easy frame of reference to help the wider stakeholder group understand and visualise the situation.  Apart from anything else, they totally disregard Miller’s Magic Seven (+/-2) rule [1].  Miller’s research found that people can maintain a decision-making grasp of up to five or six different concepts simultaneously, but this ability rapidly deteriorates above this.  It should not be a surprise if eyes glaze over when we describe the business case for a security transformation programme using ten to twenty dimensions.  Conversely (and again, exaggerating for effect), distilling the objective just to compliance with the chosen framework might not breach the Magic 7, but it doesn’t provide the granularity required to enable differential decisions.

Ends, Ways and Means

The existing frameworks are also not ideal for discussing risk because they focus on the ‘ways’ and ‘means’ rather than ‘ends’.  Ways and means are important, and they are the essential building blocks of a programme.  However, they are not a good starting point when discussing what the business is willing to tolerate and the broad levers available to move within that tolerance.  

When engaging with the majority of a business, I believe it is more constructive to discuss to what extent a person can be trusted rather than leading the conversation with the intricacies of access control, identity management and HR vetting processes.  It is more intuitive to discuss the confidence we have that an application won’t be breached (and that is never 100%) rather than leading with penetration testing, vulnerability management and security operations.

Nothing that I’m saying will come as a surprise to many.  Many CISOs and other security professionals reading this article will have developed personal methods and approaches to better frame the conversation about cyber security.

Turning the conversation on its head


My most significant concern is that we continue to frame discussions on cyber security around what we are trying to prevent rather than what we are trying to enable.  This is understandable – security is, after all, a controlling activity – but it focuses the conversation away from the business outcomes we seek to achieve.  This makes it harder for the audience to see the context, and increases the risk that security won’t be aligned with business priorities. If, instead, we start with those activities we are trying to enable and define them with sufficient precision and minimal ambiguity, then we can apply security to enforce these enablers and prevent everything else. 

Our approach

This series of articles outlines this approach and describes cyber security with structure and integrity for those whose day job is not dominated by the topic.  It keeps the number of lenses or perspectives within the Magic 7 while ensuring sufficient granularity to enable meaningful judgements and decisions to be made.  And it leads with the enabling outcomes rather than the tactical (and frequently technical) tools and procedures.

Throughout our approach we have held fast to a number of key principles.  There are sometimes exceptions that break one, but we have ensured these exceptions are conscious and deliberate.  The principles are as follows:

  • Start with what we are trying to enable, not what we are trying to prevent; and keep this at the top throughout;
  • Hold to the Rule of 7; if we start breaking this rule we need to reinforce it, and add detail in subcategories;

We start with value.  Things of value need to be protected by us and may be targeted by others.  We’ll call them Assets because assets are generally those tangible things with value.  An asset may be a document, database or application.  It is the thing of value, not its container, vault or transport system.  Value is a continuum, and different assets will have different values.  Risk can only be attributed to the asset because the asset is at risk, and only by looking at the asset in question can you understand the risk’s impact.

Assets need to be accessible to People, but only people that we trust sufficiently for the particular asset.  Trust is also variable, and establishing a lot of trust is generally more expensive than a little trust.  People access assets using Devices.  They may be laptops, desktop PCs, mobile phones, or other devices.  There will be some devices we have reason to trust and others that we have no reason to trust.  People use devices to access an asset within its Environment.  The environment might be a document store in a cloud environment, like SharePoint or OneDrive in Microsoft® 365.  It might be a supplier’s SaaS application that you have subscribed to.  It might be a corporate data centre.  Or it might be a computer sitting underneath someone’s desk.

The asset may also need to interface with Other Systems.  If so, there will need to be proportionate trust in that other system and the devices and people who access it, relative to the level of access that the other system has to the asset.
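The enabling model in the paragraphs above can be stated precisely enough to execute. The following added example, which is not part of the article or of Digility’s own material, expresses it as a default-deny decision: People, Devices, Assets (with their Environment) and Other Systems are only ever allowed along pathways that have been consciously enabled, trust and asset value are compared on one ordinal scale, and every refused request is recorded as a potential threat for later detection. The names (alice, managed-laptop, customer-db, payroll-saas and so on) and the trust levels are constructed sample data, not values from the article.

```python
"""Default-deny access decisions built from the PEOPLE / DEVICES / ASSET /
ENVIRONMENT / OTHER SYSTEMS model: only explicitly enabled pathways are
allowed; everything else is refused and logged as a threat."""

from dataclasses import dataclass, field
from enum import IntEnum


class Trust(IntEnum):
    """One ordinal scale for 'how much we trust X' and 'how valuable the asset is'."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Person:
    name: str
    trust: Trust


@dataclass(frozen=True)
class Device:
    name: str
    trust: Trust


@dataclass(frozen=True)
class OtherSystem:
    name: str
    trust: Trust


@dataclass(frozen=True)
class Asset:
    name: str
    value: Trust        # trust a person, device or system must reach to touch it
    environment: str    # the one environment in which the asset is protected


@dataclass
class EnablementPolicy:
    """Registry of what we have consciously decided to enable; nothing else passes."""
    people: dict = field(default_factory=dict)
    devices: dict = field(default_factory=dict)
    systems: dict = field(default_factory=dict)
    assets: dict = field(default_factory=dict)
    environments: set = field(default_factory=set)
    denied: list = field(default_factory=list)   # refused requests, kept for detection

    def enable(self, *items):
        """Record people, devices, other systems and assets we choose to enable."""
        for item in items:
            registry = {Person: self.people, Device: self.devices,
                        OtherSystem: self.systems, Asset: self.assets}[type(item)]
            registry[item.name] = item
            if isinstance(item, Asset):
                self.environments.add(item.environment)

    def decide_person(self, person, device, asset, environment):
        """A person on a device reaching an asset in an environment is enabled only
        when every element is known and trusted enough for the asset's value."""
        reason = (self._check_asset(asset, environment)
                  or self._trusted(self.people, person, asset, "person")
                  or self._trusted(self.devices, device, asset, "device"))
        return self._record(reason, person, device, asset, environment)

    def decide_system(self, system, asset, environment):
        """An other system interfacing with the asset needs proportionate trust."""
        reason = (self._check_asset(asset, environment)
                  or self._trusted(self.systems, system, asset, "other system"))
        return self._record(reason, system, None, asset, environment)

    def _check_asset(self, asset, environment):
        entry = self.assets.get(asset)
        if entry is None:
            return f"asset {asset!r} is not a defined asset"
        if environment != entry.environment or environment not in self.environments:
            return f"asset {asset!r} is not enabled in environment {environment!r}"
        return None

    def _trusted(self, registry, name, asset, kind):
        entry = registry.get(name)
        if entry is None:
            return f"{kind} {name!r} is not enabled for anything"
        required = self.assets[asset].value   # safe: _check_asset ran first
        if entry.trust < required:
            return f"{kind} {name!r} trusted at {entry.trust.name}, asset needs {required.name}"
        return None

    def _record(self, reason, *request):
        if reason:
            self.denied.append((request, reason))   # unenabled activity == threat
            return False, reason
        return True, "enabled"


def build_example_policy():
    """Constructed sample data for illustration only (not from the article)."""
    policy = EnablementPolicy()
    policy.enable(
        Asset("customer-db", Trust.HIGH, "corporate-dc"),
        Asset("marketing-deck", Trust.LOW, "sharepoint"),
        Person("alice", Trust.HIGH), Person("bob", Trust.LOW),
        Device("managed-laptop", Trust.HIGH), Device("personal-phone", Trust.LOW),
        OtherSystem("payroll-saas", Trust.MEDIUM),
    )
    return policy


if __name__ == "__main__":
    p = build_example_policy()
    print(p.decide_person("alice", "managed-laptop", "customer-db", "corporate-dc"))
    print(p.decide_person("alice", "personal-phone", "customer-db", "corporate-dc"))
    print(p.decide_system("payroll-saas", "customer-db", "corporate-dc"))
    print(len(p.denied), "requests refused")
```

The design point is that the policy has no concept of a blocked activity: it has only a list of enabled ones, so a new person, device or environment is refused until someone deliberately adds it, and the denied list is the raw material for detection rather than an afterthought.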

Figure 1 – Our model, focusing on what we are trying to enable

Summary and looking forward

So, our approach is founded on seven things.  Assets that are at Risk from Threats, which are protected in their Environment and need to be accessed by People using Devices, or by Other Systems.  This may appear overly simplistic, but in the next few episodes, I’ll dig deeper into how we use these constructs and how they can be applied intuitively and comprehensively, regardless of the complexity of your business.  In Episode 2, I’ll look deeper at Assets and Risk.  I’ll discuss trust and control for People, Devices, Environments and Other Systems in Episodes 3, 4, 5, and 6.  I’ll return to the model in the round in Episode 7 to explain how we apply it, using our cycle of DECIDE, DEFEND, DETECT and DEFEAT to manage the security posture and mitigate risk. And we finish off (for now) in Episode 8 to discuss some of the exception cases, such as how we manage privileged access that gives a user the keys to the castle.

The intention is not to create cyber security experts. But we hope that it will help you to understand more than simply not to click on an unexpected link in an email, and to learn something more useful as a manager or leader than how to add a rule to a firewall.


  1. Wikipedia – The Magical Number Seven, Plus or Minus 2