Oct 12, 2021
by Mollie Breen
You can find any number of “getting started” guides on cybersecurity on the internet or on social media. However, those intros are often too long, too technical, or too high-level to be helpful. So you either have to make do with something overly generic or spend hours piecing together information from disparate sources to create materials specific to your context.
At Perygee, we keep a living cybersecurity guide that helps get new employees up to speed and tracks our team-specific best practices. The framework below generalizes how we think about sharing cybersecurity with others:
While there are some generally accepted definitions of cybersecurity, boil it down to what security means in the context of your team, company, or course. For example, security decisions will be influenced by the organization's attitude toward protection versus risk management. In the former, you may optimize for solutions that put restrictions on the network; in the latter, you may optimize for solutions that look for threats only in the most vulnerable places. Be sure to write this definition in terminology that everyone on your team can understand. At Perygee, we tailor our definition of cybersecurity to include the idea that cybersecurity comprises both technical and nontechnical practices, in part because we believe multiple perspectives achieve a more secure network overall.
After starting with a broad definition of cybersecurity, take your audience through a journey of applying cybersecurity to a specific topic area. The topic area might be a part of the network like operational technology (OT), a tool used within the network like encryption, or a vertical like healthcare. Choosing the topic area depends on who the guide is for, but once you have chosen it, provide an overview of the relevant concepts, an example, and why it is important. For securing operational technology, this includes subjects such as networking concepts and protocols and installation considerations like agent vs. agentless. Here is how we describe network segmentation relative to OT:
“Network Segmentation is splitting the network up into subcomponents. This is similar to creating a guest network on your home wifi that is public or has a simpler password, vs. the private network which ideally is kept more protected. In the past, OT was segmented from information technology (IT). More recently, OT and IT are converging. What’s important to note is 1) Security teams want to segment devices together that have to communicate often. The more subsegments you add and rules preventing cross-segment communications, the more secure your system is. However, this makes it harder to break out of those silos to communicate. 2) Network segmentation can be hard to track and limits visibility. This means security teams don’t always have all the information about who is talking to whom on the network.”
We make an effort to describe what network segmentation is in straightforward language, give an example the audience is likely to be familiar with, and apply it to the enterprise context we operate in. This gives the reader both an understanding of the new term and a sense of how one might begin to make decisions when faced with a similar scenario in the future.
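As an added illustration of the two points in the quoted passage (this is not code from Perygee's guide), the Python script below checks constructed flow records against a hypothetical three-segment map: traffic inside a segment is always permitted, traffic that crosses segments needs an explicit rule, and any endpoint that falls outside the map is reported as a visibility gap. The segment ranges, ports, and flow records are all assumptions made for the example.

```python
"""Segmentation policy check over constructed OT/IT flow records."""
from ipaddress import ip_address, ip_network

# Hypothetical segment map (assumed for this example, not a real layout).
SEGMENTS = {
    "OT": ip_network("10.10.0.0/16"),
    "IT": ip_network("10.20.0.0/16"),
    "GUEST": ip_network("192.168.50.0/24"),
}

# Explicitly permitted cross-segment flows: (src_segment, dst_segment, dst_port).
# Every other crossing is treated as a violation; intra-segment traffic is free.
ALLOW = {("IT", "OT", 502), ("IT", "OT", 443)}

# Constructed sample flows: (src_ip, dst_ip, dst_port).
FLOWS = [
    ("10.20.1.5", "10.10.3.7", 502),       # IT workstation to OT device, permitted
    ("10.10.3.7", "10.10.3.8", 502),       # OT to OT, same silo
    ("192.168.50.12", "10.10.3.7", 502),   # guest network reaching into OT
    ("10.10.3.7", "10.20.8.1", 445),       # OT initiating toward IT, no rule
    ("10.20.1.5", "172.16.9.9", 443),      # IT to an address outside the map
]


def segment_of(ip):
    """Map an address to its segment name, or UNKNOWN if no segment covers it."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "UNKNOWN"


def evaluate(flows):
    """Classify flows; unknown endpoints are the visibility gap the text warns about."""
    result = {"allowed": 0, "violations": [], "unknown_hosts": set()}
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        for ip, seg in ((src, s), (dst, d)):
            if seg == "UNKNOWN":
                result["unknown_hosts"].add(ip)
        if s == d and s != "UNKNOWN":
            result["allowed"] += 1           # stays inside one silo
        elif (s, d, port) in ALLOW:
            result["allowed"] += 1           # explicitly permitted crossing
        else:
            result["violations"].append((src, dst, port, f"{s}->{d}"))
    result["unknown_hosts"] = sorted(result["unknown_hosts"])
    return result
```

Adding a segment or a rule to the two dictionaries shows the tradeoff directly: more rules mean fewer violations but more silos to reason about, and hosts missing from the map never get classified at all.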
As an industry, cybersecurity is unique for its offensive and defensive nature. Rather than provide a laundry list of possible vulnerabilities and attacks that someone should know, use the topic area you chose in step 2 above to highlight relevant real-world events. Since hacking is often a fusion of multiple attack methods, you cover a lot of ground by focusing on a few important hacks and walking through the steps the attackers took to exploit the system. For example, the Target hack in 2013 compromised a user account through a phishing attack and then involved escalating privileges, installing a back door, and moving laterally within the network.
Cybersecurity is a team sport, so no guide is complete without an understanding of who to work with and how to work together. Consider who is setting standards in the industry or putting out recommendations. Within operational technology, this includes the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), the National Security Agency (NSA), and MITRE. If you’re a security team within an organization, you might explain the dynamics between you and other teams in the enterprise. If you’re a security vendor, you would describe other companies in your industry or in adjacent spaces. If you’re teaching a class, you might explain the roles that consumers and researchers play, such as disclosing vulnerabilities, updating devices, and changing passwords.
Customer stories won’t apply to every audience, but at Perygee we also share customer stories in our guide to shed light on specific user challenges. This is important because not every security challenge makes the front page of the news, and no two security challenges are the same. Sharing these additional examples exposes the audience to the more everyday pain points and to the motivation for your approach to cybersecurity.
There are a lot of resources one can use to continue to learn and go deeper in cybersecurity. Share a running list of conferences, webinars, online videos, newsletters, or podcasts. At Perygee, some of our favorites include Hacker Valley Studio, Deploying Securely, and Security Conversations. We also hold regular lunches to discuss security-related topics such as a recent attack or a comparison of encryption technologies.
A good guide should cover what security is, how it applies to a specific topic, case studies of attacks and vulnerabilities, and a survey of the broader ecosystem. The goal of this framework is that anyone can learn, apply, and improve in cybersecurity regardless of background or time spent in the industry.