How transparency can lead to understanding the ‘cybertopography’

Continuing with the question of, “What does a DAA think about?,” I previously put forward three things Designated Approving Authorities routinely consider as they evaluate programs—context, transparency and overall organizational risk. That earlier column focused context; this column dives into the need for transparency. 

By transparency I don’t mean that all aspects of a program need to be available to everyone.  I do mean that a DAA needs to have sufficient understanding and confidence in a program and, especially, its team in order to able to make an informed decision.

As a DAA at the Defense Information Systems Agency, I had one part of my organization that routinely struck out on its own. Based upon its mission set, I could completely understand why it felt that it needed to have a greater degree of autonomy. It took time, willingness and effort from both sides of the table to understand the motivators, drivers and technology to eventually allow a greater degree of transparency and, in turn, a greater degree of confidence. By the time I left, I considered that program a leader in cybersecurity.

In our highly time-limited world, how do program/project leaders communicate the complex nuances of cybersecurity in a way that DAAs can readily understand? The communication needs to occur without an oversimplification that borders on triviality, a complexity that makes no sense to anyone outside a limited circle of acolytes, or a fear of censor when problems are exposed.

Many organizations have started down the right path. Properly implemented, the shift to continuous monitoring combined with the new risk management framework, a robust enterprise architecture, and an integrated visualization methodology provides a clear and achievable approach to increase transparency.

The National Institute of Standards and Technology’s Risk Management Framework (RMF) has become the best common information security framework for the federal government, its partners, and for any organization seriously interested in cybersecurity. By transforming traditional certification and accreditation, NIST is moving the process from a checklist-centric approach to one more grounded in operational realities.

The RMF needs to be used in concert with a robust enterprise architecture (such as the Department of Defense Architecture Framework or The Open Group Architecture Framework, a well-defined single security architecture, and a process-driven implementation of continuous monitoring is the best approach to allow programmatic transparency while supporting operational needs. As the phrase goes, the “devil is in the details,” and if not fully supported and honestly implemented by leadership, team members and the vendor community, the RMF could easily turn into a hollow approach, an approach that gives an illusion of security. 

Framed by contextual understanding and transparency based in a risk management framework, an enterprise architecture and a structured visualization methodology, a DAA can understand what I have come to call “cybertopography.” Topography is the configuration of the land, represented on a map by contour lines and relief shading. In turn, cybertopography is the application of cyber security analysis methodologies across the virtual world of an organization’s IT assets.

As one who has written two books on topics associated with understanding, I am convinced that simple spreadsheets, static reports and two-dimensional diagrams have significant limitations on what information they can readily convey. We think multidimensionally and our depiction of the risk vectors found within our own particular cybertopography needs to reflect that complexity. Visualization will help destroy the illusion of security and foster true cyber transparency.

Only recently have organizations looked at the cybersecurity aspects of a program with the same critical programmatic, metrics-driven eye that they use for budget and schedule. At program reviews, information assurance was often treated as an afterthought. Compliance had to be achieved to satisfy a paperwork drill. Systematic reviews were only conducted during the annual Federal Information Security Management Act review, during external control audits, if the program failed to achieve an authorization to operate or if it had a security breach. With transparency and an understanding of the cybertopography, DAAs can foster the right environment to allow true cybersecurity to be “baked in.”