BLUF - Buzzwords in the cybersecurity and technical fields attempt to capture innovative concepts, which tempt leaders to adopt them quickly, regardless of whether the solutions they provide support their mission needs.
Leadership loves to lead and management is there to manage, but the one thing they should not be doing is providing solutions to cybersecurity professionals. On a weekly basis, leaders, supervisors and C-suite officers love to chase buzzwords and insist we adopt the latest technology or concept. "GO TO THE CLOUD!" is a favorite one, and "we need to establish a DevSecOps environment" is yet another. These are terms passed down from others in pursuit of being on the forefront of technology, but more importantly, bragging to others that they're incorporating the buzzwords they're hearing.
The spread of buzzwords can be from many origins. Trade shows, conferences, news and blogs, vendor marketing advertisements, or even casual conversation and emails can all spread these catchy terms that refer to a term or practice that most likely already exists. But because technology accelerates so quickly, buzzwords are used to capture progress even if nothing new has been created.
According to CSO Magazine, the top buzzwords for Cybersecurity for 2019 are:
Cyber - meaning anything with computers or internet
AI - artificial intelligence, but meaning "robots making decisions"
APT - Advanced Persistent Threat, but meaning any outside attacker
Threat Intelligence - information about threats, but meaning super secret info about threats
Next-generation - anything new
Cloud - someone else's computer or network
Data-driven - making decisions based on data; been doing this for years
Real-time - as opposed to needing extra time to consider a decision or action
Thought Leader - someone with a brain making decisions
(https://www.csoonline.com/article/3258551/10-security-buzzwords-that-need-to-be-put-to-rest.html)
Add to that mix these as well:
Blockchain, Chaos Engineering, BYOD (Bring Your Own Device), Big Data, DevSecOps, Behavior Analytics, Human Firewall, CI/CD, Orchestration, Quantum Computing, NOC/SOC, Zero Trust Security, Automation.
Many of these buzzwords are associated with a technology or concept which can be very useful in an organization's architecture or security enterprise IF it's applicable and of value. But the problem we're seeing is leaders direct teams to implement solutions without knowing if they are required to meet mission goals.
Instead, leaders need to be able to accurately describe the requirements rather than the solution.
"We need to connect this network to this network with these latency requirements"
"Our developers need a collaborative environment with the following tools"
"Our customer needs to transfer data up to 30GB to us in under 10 minutes"
"I need to make a decision on this contract based on previous statistics"
"We need to secure our web server from attacks on unmanaged ports and protocols"
"The requirement is to meet the following standard, policy or guidance"
"I need proof that implementing this widget/upgrade will not affect our production servers"
These are requirements.
With statements like these, IT and cybersecurity professionals can suggest a variety of solutions. The lead would then create courses of action (COA) based on cost, schedule and performance, and the leader will choose based on those factors.
As an example, recently I've been told our program needs to "go to the cloud" in order to collaborate. So when I started I asked the program manager, "Just what are we being asked to do? What is the requirement?" His reply, "That's why we hired you." It's a simple process of associating a solution with a requirement, but when the requirement is to utilize a solution without knowing the details of what success looks like, we find ourselves chasing our tail.
A better requirement would be something on the order of, "We need to establish a zero-client environment between office X, Customer Y and end users located at Z by March 2020 so they can share these files, utilize a Git source code repository on Bitbucket and deploy images to a private resource at Customer Y's CM server. Users will have token cards for 2-factor authentication and be limited to specific parts of this environment, but not all of it." With something specific like this, we are able to determine vendors and specific locations, and establish the security and IT requirements. At this point, we're able to offer solutions such as hybrid clouds, type 1 hypervisors, on-site SANS solution and multi-factor accounts based on a Kerberos authentication server in a RBAC model.
The exception to this is when you have a General or CEO saying for political reasons, "We must do X" or "Implement the following technology." While we love to be subject matter experts and make recommendations for technologies, we also need to learn when the boss is making a solution the requirement.
In either case, cybersecurity professionals need to be fluent in these terms and technically competent in their pros and cons and in which situations they are beneficial. This is a fast-moving field, and wrong answers can cost jobs, if not lives.