People might view cybersecurity as an extension of software development or of the tech industry. However, deeper exploration reveals this view to be inaccurate.
Software development, personal lives, and companies all share a common thread: the ongoing struggle to safeguard data against persistent attempts to compromise it.
Throughout this article, we will cite the National Institute of Standards and Technology (NIST), primarily using the abbreviation.
Starting with the first document published, named “An Introduction to Information Security” and classified as 800-12 Rev.1, this represents both a broad overview of computer security and guidance on securing hardware, software and information resources. [download pdf]
Published on 6/22/2017, the document relies heavily on an understanding of security controls: their cost, the security they provide, and the relation between the two. Controls are classified into management, operational, and technology controls.
Down the rabbit hole
We will not go through the whole document; still, I will write down a few important points, keeping in mind that this ‘old’ document contains information that might sound like common sense to security experts.
Carefully considering the risks
Risk is unavoidable, so prioritizing vulnerabilities by impact level (high, moderate, and low) helps manage information overload and ensures that the most critical issues are addressed first.
Generally, impact is categorized as a loss of confidentiality, integrity, or availability. It’s important to note that this classification is multifaceted, incorporating the vulnerability’s network location, its impact on both authenticated and unauthenticated users, and the difficulty of reproducing it. Therefore, broadly speaking, any vulnerability affecting confidentiality, integrity, and availability (the CIA triad) at the same time has a high impact.
Here the document spells this out as a specific guideline, following a structured four-step cycle:
- Framing risk. Define what assets matter most and acceptable loss thresholds. In this phase we discuss risk tolerance levels mainly.
- Assessing risk. Identify threats, vulnerabilities, and potential impacts.
- Responding to risk. How we respond to risk is something worth writing down. Select appropriate controls: accept, avoid, mitigate, or transfer risks based on cost-benefit analysis and priorities.
- Monitoring risk. Continuously track control effectiveness and emerging threats.
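The four-step cycle above as an added example, not code from the article or from NIST: a small Python risk register where framing fixes a loss tolerance, assessing ranks findings by CIA-based impact and expected loss, responding picks accept, mitigate, avoid or transfer by an assumed cost-benefit rule, and monitoring re-runs the decision on updated likelihood estimates. The decision thresholds, the impact mapping for partial CIA hits, and the sample findings are constructed for illustration.

```python
from dataclasses import dataclass

IMPACT_RANK = {"high": 3, "moderate": 2, "low": 1}

def impact_level(confidentiality: bool, integrity: bool, availability: bool) -> str:
    # All three hit at once is high (the document's rule); two -> moderate, else low is assumed.
    hits = sum((confidentiality, integrity, availability))
    return {3: "high", 2: "moderate"}.get(hits, "low")
@dataclass
class Risk:
    name: str
    impact: str               # "high", "moderate" or "low"
    likelihood: float         # assumed annual probability, 0..1
    loss: float               # assumed loss if the event occurs
    control_cost: float       # annual cost of the candidate control
    control_reduction: float  # fraction of expected loss the control removes

    def expected_loss(self) -> float:
        return self.likelihood * self.loss
def prioritize(register: list[Risk]) -> list[str]:
    # Assess: most critical first, by impact level and then by expected loss.
    key = lambda r: (IMPACT_RANK[r.impact], r.expected_loss())
    return [r.name for r in sorted(register, key=key, reverse=True)]
def respond(risk: Risk, tolerance: float) -> str:
    # Respond (assumed cost-benefit rule): accept within the tolerance set while
    # framing; mitigate when the control costs less than the loss it prevents;
    # otherwise avoid a high-impact risk and transfer (e.g. insure) the rest.
    el = risk.expected_loss()
    if el <= tolerance:
        return "accept"
    if risk.control_cost < el * risk.control_reduction:
        return "mitigate"
    return "avoid" if risk.impact == "high" else "transfer"
def monitor(register: list[Risk], tolerance: float, updates: dict[str, float]) -> dict:
    # Monitor: apply fresh likelihood estimates and report responses that changed.
    changed = {}
    for r in register:
        before = respond(r, tolerance)
        r.likelihood = updates.get(r.name, r.likelihood)
        after = respond(r, tolerance)
        if before != after:
            changed[r.name] = (before, after)
    return changed

# Constructed sample register (not from the document), tolerance of 5,000 per year.
SAMPLE = [
    Risk("unpatched-vpn", impact_level(True, True, True), 0.30, 500_000, 20_000, 0.9),
    Risk("stale-backups", impact_level(False, False, True), 0.10, 200_000, 30_000, 0.5),
    Risk("badge-tailgating", impact_level(True, False, False), 0.05, 20_000, 5_000, 0.6),
]
```

Running `prioritize(SAMPLE)` and `respond(r, 5_000)` for each entry shows the VPN finding mitigated, the backup risk transferred and the tailgating risk accepted; `monitor` then flips tailgating to mitigate once its likelihood estimate rises.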
Continuous monitoring should not be optional
This is an important fact and one good reason we still see headlines about major data breaches all over the world. InfoSec (information security) should not be a one-time deal. It is not a static process; it should involve constant monitoring and steps or guidance for when the inevitable happens.
Societal/cultural constraints
Cultural norms influence how people engage with a particular technology. People’s risk tolerance, privacy expectations, and technology adoption differ based on generational, cultural, and social aspects.
The shift to remote work highlights this: employees now expect to access company resources from personal devices and home networks. This makes it difficult for companies to balance security with both ease of use and productivity.
Information security needs an integrated approach
To achieve effective information security, a holistic approach is necessary, integrating technical, administrative, and physical security throughout the system’s life. While still fundamental, the traditional layered security approach has been updated to handle the challenges of cloud, remote work, and complex supply chains in modern threat environments.
The common-sense follow-up, security frameworks such as zero-trust architecture, is here to stay; this architecture assumes no inherent trust and verifies each transaction or module.
Conclusions
This is a fundamental resource that is useful to anyone interested in information security or cybersecurity, not to mention the fact that understanding it at least at a high level is mandatory for many cybersecurity certifications. Afterwards, many more handbooks were published under NIST as technology, attacks, and security evolved, reflecting the increased complexity of software projects and information security as well as the growing sophistication of attacks.
It’s recommended to examine the document in depth. It’s a straightforward read, with only a few specialized words, which are clarified in the glossary. There’s a lot of talk about cryptography, but the math is left out of the conversation.
Photo source: Flickr.