Before you begin developing (or fixing!) your cybersecurity program, make sure you know the fundamentals. This material, adapted from my first book, is stripped down to the essentials. You can refer to it again and again to refresh your understanding and review key principles.
What are the 4 Pillars of Cybersecurity?
There are 4 pillars of cybersecurity: confidentiality, integrity, availability, and safety.
I addressed confidentiality in a post called “Defining and Understanding Privacy”. There I equated confidentiality with secrecy and examined the question of who, exactly, gets to define what is secret (aka confidential). Ultimately I arrived at a confidentiality scale that we will use in our work: top secret (board of directors’ eyes only); secret (board and executive committee’s eyes only); confidential (board and executives plus management team); and public (everyone).
For our purposes here, you need only remember the “Privacy is…” vs “Confidentiality is…” distinction as outlined in this table:
| Privacy is… | Confidentiality is… |
| --- | --- |
| a right of people | a property of data, any data, not just PII |
| a right to control access across a person’s physical, decisional, informational, and dispositional | an agreement on the rating of data |
| a right protected by law around the world | an attribute of data that can be regulated |
Integrity, our next term, is an easier topic to get your head around than confidentiality.
If you ask an accountant to define integrity, she may refer you to the American Institute of Certified Public Accountants 2013 publication titled “Information Integrity,” which sports the following definition:
Information integrity is defined as the representational faithfulness of the information to the underlying subject of that information and the fitness of the information for its intended use.
This is painstakingly accurate but also why I don’t ask accountants to define things for me. I have synthesized instead the following definition of integrity in the cybersecurity context:
Integrity is the set of practices and tools (controls) designed to protect, maintain, and ensure both the accuracy and completeness of data over its entire life cycle.
In short, you want to have a way to make sure that the numbers in your Excel spreadsheet don’t change on their own. If you are wiring $5,000, you don’t want it to morph into $50,000 without your approval. You want to be assured that the payroll is correct, and that your love letter addressed to Mary doesn’t suddenly start with “Dear Maria…” That would be a serious integrity problem. Trust me. I know what I am talking about!
How do you achieve integrity? You do it by implementing digital signatures, write-once-read-many (WORM) logging mechanisms, and hashing. One caveat worth knowing: a hash by itself only detects that something changed; an attacker who can alter the data can usually replace the stored hash as well, which is why the hash is signed (or keyed) and the log is written somewhere it cannot be rewritten. These conversations tend to get technical quickly, so suffice it to say that you need to know enough about them to follow your cybersecurity expert’s explanation and recommendation for your specific requirements.
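The three mechanisms just named, as an added example in Python (not code from the original post or book): a hash to detect that a record changed, a keyed tag so that someone who can alter the record cannot also forge its proof (HMAC stands in here for a digital signature, which would use a private key), and a hash-chained log that imitates a write-once-read-many store. The wire-transfer record, the key, and the log messages are constructed for illustration.

```python
"""Integrity controls in miniature: hashing, a keyed tag standing in for a
digital signature, and a hash-chained (software WORM-style) log.
Added example; the wire record, key and log messages are constructed."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample record, not real data.
WIRE: Dict[str, object] = {"to": "Mary", "amount_usd": 5000, "memo": "invoice 42"}

# Constructed demo key. A real system keeps keys in a KMS/HSM and, where
# non-repudiation matters, uses an asymmetric signature (e.g. Ed25519).
SIGNING_KEY = b"demo-key-do-not-use-in-production"
GENESIS = "0" * 64  # previous-hash value for the first log entry


def canonical(record: Dict[str, object]) -> bytes:
    """Deterministic serialization: the same record must always hash the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def digest(record: Dict[str, object]) -> str:
    """Plain SHA-256. Catches accidental corruption, but an attacker who can
    rewrite the record can rewrite the stored hash too."""
    return hashlib.sha256(canonical(record)).hexdigest()


def sign(record: Dict[str, object], key: bytes = SIGNING_KEY) -> str:
    """HMAC-SHA256 tag. Without the key there is no valid tag for a modified record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: Dict[str, object], tag: str, key: bytes = SIGNING_KEY) -> bool:
    """Constant-time comparison so the check does not leak the tag byte by byte."""
    return hmac.compare_digest(sign(record, key), tag)


def entry_hash(prev: str, message: str) -> str:
    """Hash of one log entry, bound to the hash of the entry before it."""
    return hashlib.sha256((prev + message).encode()).hexdigest()


class HashChainedLog:
    """Each entry commits to the hash of the one before it, so editing or
    deleting an old entry invalidates everything after it."""

    def __init__(self) -> None:
        self.entries: List[Tuple[str, str]] = []  # (message, hash)

    def head(self) -> str:
        return self.entries[-1][1] if self.entries else GENESIS

    def append(self, message: str) -> str:
        h = entry_hash(self.head(), message)
        self.entries.append((message, h))
        return h

    def verify_chain(self, anchored_head: Optional[str] = None) -> bool:
        """Recompute every link; optionally also require the final hash to match
        a head recorded somewhere the attacker cannot write (true WORM media,
        a signed checkpoint). Without that anchor a full rewrite passes."""
        prev = GENESIS
        for message, h in self.entries:
            if entry_hash(prev, message) != h:
                return False
            prev = h
        return anchored_head is None or prev == anchored_head


def demo() -> Dict[str, bool]:
    """Exercise each control against the constructed data; returns pass/fail flags."""
    results: Dict[str, bool] = {}
    tag = sign(WIRE)
    tampered = dict(WIRE, amount_usd=50000)  # the $5,000 -> $50,000 morph

    results["hash_changed"] = digest(WIRE) != digest(tampered)
    results["original_verifies"] = verify(WIRE, tag)
    results["tampered_verifies"] = verify(tampered, tag)

    log = HashChainedLog()
    for msg in ("wire requested", "wire approved", "wire sent"):
        log.append(msg)
    anchor = log.head()  # copy of the head kept out of the attacker's reach
    results["intact_chain_ok"] = log.verify_chain(anchor)

    # Attacker edits the middle entry and recomputes only that entry's hash.
    forged = "wire approved (attacker)"
    log.entries[1] = (forged, entry_hash(log.entries[0][1], forged))
    results["edited_chain_ok"] = log.verify_chain()

    # A more careful attacker recomputes every later hash as well: the chain
    # is internally consistent again, and only the external anchor catches it.
    prev = log.entries[0][1]
    for i in range(1, len(log.entries)):
        message = log.entries[i][0]
        prev = entry_hash(prev, message)
        log.entries[i] = (message, prev)
    results["rewritten_chain_ok_unanchored"] = log.verify_chain()
    results["rewritten_chain_ok_anchored"] = log.verify_chain(anchor)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The last two results are the point of the example: a hash chain alone proves only that the log is self-consistent, not that it is the log you wrote. The current head has to be recorded somewhere the attacker cannot write, which is exactly what write-once-read-many storage provides.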
Availability, pillar number 3, is the set of practices and tools designed to ensure timely access to data. If your computer is down, availability is compromised. If your Internet connection is moving at a snail’s pace, availability is compromised.
How do you ensure availability? In one word? Backup. In two words? Redundancy and backup. (A backup only counts once you have actually restored from it; an untested backup is a hope, not a control.)
Finally, term number 4: safety. It is the newest pillar in cybersecurity but one whose impact is potentially the most critical. This is where cybersecurity incidents could result in injuries, environmental disasters, and even loss of life.
You may be a user of a connected medical device, potentially putting you at mortal risk if that device is hacked. Or you may be in a connected car, plane, or train. Or you may be in charge of a business that is responsible for water purification for thousands of people or of a utility that millions of people rely on for life-sustaining services such as electricity.
The concept of safety steers the cybersecurity conversation away from the purely technical to more of a people-centric approach. Therefore, as you approach your own cybersecurity program development, keep this last pillar at the forefront of your thinking. Ask yourself how your cybersecurity decisions go beyond information security and potentially involve the prevention of physical harm to human beings or the environment.
How Do You Measure Cybersecurity Success?
Here’s a key question: How do you measure the success of your cybersecurity efforts?
Ask yourself: How do you measure any security effort’s success? By the absence of incidents.
If you have a house that keeps getting broken into and you install an alarm system and the break-ins stop, ta-da! Success. No more break-ins.
If you’re riding in your bulletproof limo and you’re peppered by bullets? No problem! You keep on trekking. (I might advise that you reconsider your life choices, but that’s a different matter.)
Success in cybersecurity, therefore, will be the absence of incidents relating to confidentiality, integrity, and availability of digital information no matter where it is (stationary/stored, traveling/transmitted, or processed).
What about safety, you ask? Same metric. We want to look at the absence of incidents relating to the safety of any assets governed or affected by digital information. This is, by the way, one of the arguments used against including safety as a fourth cybersecurity pillar: some argue that ensuring zero effect on confidentiality, integrity, and availability already implies that you have safety. I do see their point. Personally? I feel safer in the redundancy of including it!
It’s important to note that absence of incidents does not mean that the effect of your cybersecurity efforts can’t be quantified. There are tools that will quantify the number of attacks your business systems are currently enduring, many of them likely without your knowledge. That’s right, you may already be experiencing digital break-ins even if you are not aware of them. Establishing these baselines will be a key step, and we will discuss cybersecurity success metrics in a later post.