By John W. Link and Jo Lee Loveland Link
Abstract: Cybersecurity operates in an environment of unpredictability, accelerated technology change, and threat complexity. All too often, Cyber responses are based on older, cumbersome, slower methodologies that miss elements critical to a successful Cyber response. To meet emergent Cyber threats, Cybersecurity protection strategies must be holistic, agile, and adaptive, and the Cybersecurity organizational culture must be resilient enough to execute a flexible, intelligent strategy in an inevitably turbulent environment. Current process/compliance-oriented Cybersecurity organizations are unable to adapt to changing, emergent conditions. The proposed solution is the Agile Cybersecurity Action Plan (ACAP), which fuses ideas from Agile Methodologies, Adaptive Strategic Planning, Process Improvement, and Threat/Risk Management with Cybersecurity Best Practices, including the Federal Cybersecurity Framework, to create a continuous cycle of iterative cyber strategies and responsive, near real-time action plans. ACAP lays the foundation for an “Adaptive Cybersecurity Organizational Culture” that can successfully meet continuously emerging complex challenges.
Cybersecurity today is driven primarily by a “Castle Model” of defense: a relatively static set of “locked door” defenses (firewalls, application monitors, and rigid processes) built in the hope that, with some tweaking and remediation, these protections will hold. Compliance checklists itemize the obvious “doors that must be locked.” Though useful, these checklists produce some level of security and, with it, an illusion that security is complete. The focus of the cybersecurity culture becomes reporting on the checklist, not looking ahead to emerging threats.
Cybersecurity should not be about just building better castles, but about looking ahead to emerging threats. Castles were undone by the introduction of cannons and mobile warfare. The same will likely be true of Cybersecurity, because the “cyber barbarians,” whether state or non-state actors, criminals or hacktivists, are constantly looking for new technologies, human weaknesses, back doors, and other weaknesses in the castle. Cyber-attackers are disturbingly creative and fast at adopting technology, since they do not operate under regulatory limitations such as the FAR or DFARS. They are adaptive in their use of social engineering to gain access. Cyber-attackers are as different in their methods as in their origins, and their methods are constantly evolving.
The Agile Cybersecurity Action Plan (ACAP) is a fresh, dynamic, and holistic approach to quickly align the organization’s Cybersecurity strategy, technical and organizational capability, processes, and policies to meet today’s rapidly changing universe of cyber threats and risks.
The ACAP Process: ACAP focuses on creating an iterative 90% (or better) solution strategy for the current and continuously changing Cyber Threat/Risk environment. The ACAP process fuses targeted concepts from several fields:
- Risk Management
- Adaptive Strategic Planning
- Process Improvement
- Agile Methods
- Cybersecurity Best Practices
- Creative Collaboration
ACAP also focuses on changing an organization’s cybersecurity strategy and culture, from one that is all too often narrowly “compliance oriented” and barely able to keep pace with the previous threat tempo, to one that adapts to emerging risks and threats on an iterative and rapid basis.
The heart of the ACAP Process is a threat/risk strategy workshop in which a cross-functional, multi-level team of technical staff and leadership shares information and makes decisions to:
1) Create a continuously evolving Threat/Risk Profile
2) Rapidly reassess the organization’s Cybersecurity Infrastructure (Technology, Monitoring and Response Processes/Plans, Staff Capacity, and Policies) for its effectiveness and ability to adapt against the Immediate and Near-future Threat/Risk Profile
3) Identify Systemic Deltas/Problems before they occur
4) Create an Action Plan to remedy the Deltas/Problems through cyber policy changes and upgrades to strategies, staff, processes, and technology.
The ACAP process is then iterated in 1-6 month cycles, much like the “Sprints” of Agile Development, or “as needed,” depending on emergent “threat technology.” For example, if a new generation of threat appears, Leadership might initiate an ACAP session to update the threat/risk matrix and make the required technical or process changes before the organization encounters the new threat.
ACAP is an adaptive approach that focuses not on long-term perfection, but on getting to “good enough, for now.” Far from avoiding dissension, the ACAP process leverages what Dorothy Leonard calls “creative abrasion.” ACAP recognizes the power of multiple intelligences and perspectives tackling problems cooperatively. The ACAP process is iterated and updated with adaptive strategies and alternative scenarios to improve cyber response success. The value of ACAP is to create a culture in which foresight and knowledge sharing are valued, Cybersecurity strategy is seen as provisional, adaptation to changing threats and risks is paramount, and the focus is on rapid implementation.
Because ACAP is “framework-agnostic,” the ACAP Process can readily be adapted to work with a wide range of existing and emergent models and processes (e.g. FISMA-DHS/NIST, SANS, ISO, ITIL, etc.). ACAP can utilize whatever security control standards are in place, or whatever standards the organization wishes to switch to. No de-confliction with compliance requirements is needed to create a solid baseline Cybersecurity strategy.
The ACAP process produces the strategic agility in cybersecurity staffing, processes, policies, and technology needed to respond to a rapidly changing cyber threat environment. More importantly, the process moves the cybersecurity culture toward greater speed and a greater ability to adapt to the ever-changing, turbulent, and difficult-to-predict Cyber environment.
We welcome feedback to improve the ACAP process and the paper, as well as ideas on where to evangelize the approach. We are reaching out to identify partners, individuals or organizations, to work with us to implement such an approach. A link to a draft of the ACAP Paper is below: