Matryoshka, CISO | Lucidum


Do you finish every book you begin? I learned how to read a book, years ago, from Mortimer Adler’s How To Read A Book. Combine that with Adam Robinson’s What Smart Students Know and you have blueprints and tactics to extract maximum value out of nonfiction books.

With these tools in hand, it’s a rare nonfiction book that will capture my attention for every page. My goal is to deconstruct the book and extract every bit of useful knowledge from it. Sounds more like eating than reading, doesn’t it?

Of all the dry, overcooked, under-seasoned reading offerings, the NIST SP 800-53 is a centerpiece. The plot drags, there’s too little chemistry between the protagonist and the romantic interest, and… and I may have mixed my notes up. NIST’s guidance isn’t intended to keep you up at night, rapt with attention.

Using Adler’s and Robinson’s guidance, you can consume all the caloric value from NIST and neither waste time nor leave any meat on the bone.

Let’s start with NIST’s plan-do-check-act approach to information security: Identify, Protect, Detect, Respond, and Recover. NIST is going to open your eyes to a dynamic and pragmatic approach to information security.

If you ever took martial arts lessons, you remember that learning to step well allows you to fight well. Learning to stand well allows you to shoot well. Learning to hold the pencil properly yields legible handwriting.

NIST will show you how to turn on your strategic instincts and validate the ones you already rely on — and practiced with Bloom, CISO! Are you ready?

A third party had just concluded a review of security maturation and efficacy, a report was compiled, and our grades were these:

NIST phase chart

Owing to our winning personalities, clever laptop stickers, and luxurious kitchens on every floor, the third party rounded up our average. Final score:

That is not just hand waving and being too clever by half. This is how security works. Each layer builds upon its prior foundation. As the tower grows higher, more weight and pressure are placed upon the foundational flaws. Weak foundations, like unsteady legs on a boxer, presage disaster.

TRIVIA BREAK!

The Matryoshka “little matron” dolls are also called Russian nesting dolls. Within a single large doll is another, and so on until five, six, or more dolls are revealed in decreasing size. They are relatively modern, and their creation is attributed to Vasily Zvyozdochkin in 1890. Interestingly, a matryoshka set must be made from one piece of wood because the expansion/contraction properties, moisture content, and wood grains must remain together. Adding a unit from another set ruins the fit and can crack the pieces or stick them together.

Un-nested Russian Dolls

What do matryoshka dolls have to do with NIST and cybersecurity?

NIST phases, matryoshka dolls, and spyglasses are all ordered subsets of the prior set. Every smaller doll fits within the larger. The entire pirate spyglass collapses into the largest cylinder. Every phase in NIST is constrained by Identify.

Let’s put this into action using an actual scenario…

When I was in school, a ‘C’ was a 70%. That ‘C’ or ‘average’ grade I was given in Identify is then a 70.

Out of 100% coverage, my Identify controls hit 70%.

This is probably average. Feels good to be average here — everyone I know is really struggling. I’ll take that average and call it a win.

Besides, how important can it be if everyone I know fails here but still seems okay?

“Would you please show me what you intended to deliver to the board had I not been hired?”

Then we move to Protect. It’s nested inside Identify.

So I am forced to ask myself: how well have I protected what I have not identified?

Was there a plan to protect my unknowns? How effective is it?

Math tells me my 70% Identify control, combined with my 70% Protect control yields a score of 49%. Seventy percent of seventy is 49%. I have lost my B+ average and I’m only 2/5ths of the way in. My ‘B’ grade in Monitor doesn’t help. Even assuming my ‘A’ grades are 100% does not raise this sinking ship. In the end, my real score is halfway to a C. I am nowhere near a B+. The cascade of failure has begun and now I am earning interest.

NIST phase chart


Now let’s red team this approach.

What would you do if you wanted to build a better boxer? You would build strong legs.

What would you do if you want to improve all your scores and build a better cybersecurity program?

You would start with Identify.

NIST phase chart

Left of bang.

Shift left.

Inflection point.

Maximize return on investment.

Call it whatever euphemism clicks, I want to earn interest on a positive investment and stop earning vig on a loan to leg breakers.

In cybersecurity, because of the set and subset relationship, a ten percent improvement in Identify is inherited through the remaining controls without any direct intervention within those controls.

Did you identify a previously unknown Mac?

Now that JAMF is on it, that endpoint is caught up in the patching cycle, improving Protect.

Identify a set of S3 buckets that were world-readable?

A group of engineers who had wiped the original operating system and installed Debian?

In every instance better Identify drives better Protect.

And: better Protect is constrained by not-so-good Identify.
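The nested-score arithmetic above (70% of 70% is 49%, and an improvement in Identify is inherited by every phase inside it) can be written down as a small model. The code below is an added example, not part of the original post or of Lucidum’s product; the sample scores are constructed to loosely follow the C, C, B, A, A narrative, and the multiplicative model (each phase’s effective coverage is its own score applied to the effective coverage of the phase that contains it) is the one the post describes, not a NIST formula.

```python
from fractions import Fraction

# NIST CSF functions in the nested order the post describes.
PHASES = ["Identify", "Protect", "Detect", "Respond", "Recover"]

# Constructed sample scores (percent coverage per phase), roughly C, C, B, A, A.
SAMPLE_SCORES = {
    "Identify": 70,
    "Protect": 70,
    "Detect": 80,
    "Respond": 100,
    "Recover": 100,
}


def effective_coverage(scores):
    """Return {phase: effective coverage in percent} using exact fractions.

    A phase can only cover what the phase containing it has already covered,
    so each phase's effective coverage is its own score applied to the
    running product of all earlier phases (Identify first).
    """
    result = {}
    running = Fraction(1)
    for phase in PHASES:
        running *= Fraction(scores[phase], 100)
        result[phase] = running * 100
    return result


def improve(scores, phase, points):
    """Return a copy of `scores` with `phase` raised by `points`, capped at 100."""
    updated = dict(scores)
    updated[phase] = min(100, updated[phase] + points)
    return updated


def phases_lifted(scores, phase, points=10):
    """List the phases whose effective coverage rises when `phase` improves.

    This is the 'inheritance' the post describes: an outer phase lifts every
    phase nested inside it, an inner phase lifts only itself and what is
    nested deeper.
    """
    before = effective_coverage(scores)
    after = effective_coverage(improve(scores, phase, points))
    return [p for p in PHASES if after[p] > before[p]]


def report(scores):
    """Print a per-phase table of raw score versus effective coverage."""
    eff = effective_coverage(scores)
    print(f"{'Phase':<10}{'Score':>8}{'Effective':>12}")
    for phase in PHASES:
        print(f"{phase:<10}{scores[phase]:>7}%{float(eff[phase]):>11.1f}%")


if __name__ == "__main__":
    report(SAMPLE_SCORES)
    print()
    for phase in ("Identify", "Detect", "Recover"):
        lifted = phases_lifted(SAMPLE_SCORES, phase)
        print(f"+10 points on {phase:<8} lifts: {lifted or 'nothing (already at 100)'}")
```

With the sample scores, Protect’s effective coverage is 49% (the post’s 70% of 70%) and the composite at Recover is 39.2%. Ten more points on Identify raise the effective figure of all five phases; ten more points on Detect raise only Detect, Respond and Recover; and Recover is already at 100, so spending there changes nothing. That asymmetry is the whole argument for starting with Identify.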

Is this good strategy?

Does it answer the question, “What can I do now with my resources so that I’ll be in a position to make more, beneficial decisions?”

You bet it does.