Infosec Hierarchy of Needs

Ever pondered the natural order of reducing risk in InfoSec or the natural order of working towards compliance? It’s something I’ve been thinking about lately. Maybe it’s related to the recurring conversation my wife and I have on the topic of Maslow’s hierarchy of needs.

Maslow’s hierarchy helps us understand the essential nature of needs and why some needs are only achieved when we’ve built the right foundation by solving needs in lower tiers. Given that Maslow’s hierarchy has been so topical, it’s lead me to think about how we transition towards “solved” in information security. This is my version of a hierarchal need model applied towards information security.

Starting from the bottom

Starting from the bottom

Situational Awareness Situational Awareness gives us insight into what we need to protect. You can’t protect what you can’t see, as the saying goes. Defenders spend most of their time here. It’s so important that the majority of the SANS critical security controls focus on this tier.

Vulnerability Management Now we have insight into our vulnerabilities and need to close the gap. Time here is spent identifying owners (business, system, etc) and working with owners to resolve vulnerabilities.

Tactics Once we’ve cleared the cruft we can start to plan work instead of respond to unplanned work. This is where we solve short term needs and apply best practices.

Strategy We’ve reached our pinnacle. Sun Tzu said it best: “Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat”. One could argue strategy and tactics are on the same tier. I’ll argue that we can’t focus on long term goals until we’ve solved short term problems and issues in our tactics tier. This is where we focus on reducing risk and toil in the lower tiers.

You may have noticed I didn’t include anything compliance related. Are the needs of compliance the same? They absolutely compliment each other, however, they’re not the same thing. I’m sure that statement ruffled a few feathers. Let’s look at the hierarchy of needs for compliance to understand why they’re so different.

Requirements Compliance starts with digesting requirements. What do we have to do?

Strategy Now we know our requirements and it’s essential we work on strategy first. Our primary goal here is to define scope, it’s one of the few strategic opportunities in compliance. We’ll overburden the organization if the scope is too big. We can’t set the scope too small or we’ll risk scope creep in the higher tiers. Knowing when you’ve arrived at at the right fit comes with experience. As the saying goes: Listen to the advice of many, seek the advice of few, but row your own canoe.

Application We know our requirements and we’ve defined our scope, now we can plan the work and work the plan. This is where we spend most of our time.

Audit We’re getting close. The systems in scope meet the requirements, in our opinion. Now it’s time for another opinion.

Remediation No bueno. Turns out the auditors didn’t agree with our interpretation of requirements and there is more work to be done. Hopefully there’s a few minor adjustments.

Certification We see eye-to-eye with the auditors and we’ve received their stamp of approval. Break out the bubbly, we’re done here… till the next audit.

Retrospective It takes a mature team to know we’ve just received certification for a point in time. Take time to celebrate, but know, there will be another audit. All those hard lessons we learned with this audit, yeah, we’ll forget them soon. We should document what we’ve learned and dedicate time between the next audit to reduce blockers and toil for the next audit.