The State K.I.S.S. Principle

The State’s Need for the KISS Principle

SecurityStudio is dedicated to serving state and local government.

In our work, we’ve witnessed firsthand the incredible challenges facing state cybersecurity [1] personnel. State Chief Information Security Officers (CISOs) are tasked with the mission of securing state information assets, but the challenge is nearly impossible. The challenge is hopeless with limited political/management support, obstructed visibility, inadequate resources, and constant distraction.

We must put state CISOs in the best position to succeed.

Specific cybersecurity challenges are different in each state, but there are common themes like:

  1. Technology Adoption – We continue to adopt technology faster than our ability to secure it.
  2. Personnel Support – Cybersecurity personnel are asked to do more than they’re capable of.
  3. Fundamentals – The fundamentals are fundamentals; it doesn’t matter where they’re applied.
  4. Complexity – This is always the worst enemy of information security.

The CISO’s mission may be “nearly” impossible, but we believe the mission can become reality. The path forward (now or later) is the KISS Principle (or something similar).

Introduction to the State KISS Principle

In our context, K.I.S.S. stands for “Keep Information Security Simple [2]”.

Complexity is the worst enemy of security. This is logical. It’s easier to secure three systems versus three hundred. A small organization is easier to secure than a large one, like a state. If complexity is our worst enemy, is it safe to say that “simplicity is our best ally”? We think so.

Simplicity is the key to achieving information security success in state government. Speaking of “success”, this is the first phase of the KISS Principle. There are six simple (not easy) phases to the KISS Principle.

Phase 1: Define Information Security Success

Try this: ask someone to define information security success for you. The governor, legislators, the CIO, agency heads, and citizens will all give different answers. This is not necessarily a bad thing; it is a great opportunity to lead and unify.

At SecurityStudio we define information security success as “managing information security risk well”. This by itself is too vague without elaboration.

  • This is managing information security risk, NOT eliminating information security risk. Eliminating risk is impossible. Managing risk requires understanding risk (assessment), making responsible risk decisions, acting on the decisions that were made, and just one more thing: measurement. We can’t manage what we can’t measure. SecurityStudio’s S2 platform is a risk measurement and management platform that will help.
  • Information security encompasses three domains, operational (or administrative) [3], physical [4], and technical. Information security is NOT an IT issue, it’s everyone’s issue.
  • Risk is the likelihood of something bad happening and the impact if it did. Likelihood and impact are dependent upon threats and vulnerabilities (or weaknesses). The goal is to minimize the likelihood and/or impact of compromise in line with what we deem “acceptable”.

Assuming success in all the above, the word “well” is defined by our decisions and resulting measurement (or score). This is information security success!

Summary

An example:

Information security success in (INSERT_STATE) is attained by achieving and maintaining an overall S2Score of 660 (or higher) while also maintaining S2Scores of 660 (or higher) across operational, physical, and technical security domains.

This definition of success is easily understood, objective, measurable, and comprehensive. Defining success isn’t all that difficult; making success reality is the hard part.

Socialize the definition of success so people can 1) understand it, 2) buy into it, and 3) hold each other accountable for it.

Phase 2: Simple Structures

Securing a complex organization (like a state) can be overwhelming. In some states, the CISO is responsible for controlling (or influencing) information security across agencies, departments, counties, municipalities, education, and much more. Without proper structure and simplification, this is an impossible proposition.

We can’t boil the ocean, and we can’t tackle the state as a single mammoth entity either. A complex organization, like a state, is made up of many smaller, simple structures (or “entities”). There are three main entity types, aligned with our definition of information security:

  • Administrative Entity – maintains its own administrative authority over information security, meaning its own management structure, policies, or way of doing things. Typically, counties, education institutions, municipalities, and larger agencies.
  • Physical Entity – maintains its own physical control authority (building security and/or facilities personnel).
  • Technical Entity – maintains its own technical control authority. Typically, an entity with its own IT department or function (including “ghost” IT).

Some entities fit nicely into a single type; other entities are combinations of types. Defining entities can be a tedious task, but it must be done and it’s well worth the effort.

Phase 2 Tasks

Answer the following questions:

  • What are the entities under the purview of the state? Some are under the authority of the state, and some are supported (or influenced). Give each entity a name.
  • Define who’s responsible for each entity. We call these people “Risk Owners”.
  • Define the Risk Owner role, inform Risk Owners and provide basic training.

Risk Owners

Keep this simple. Risk Owners commonly have three responsibilities:

  1. Obtain quality risk information (assessments) for their entity.
  2. Make risk decisions on behalf of their entity.
  3. Ensure that risk decisions are carried out.

It’s common for a Risk Owner to not know they are a Risk Owner, and it’s also common for Risk Owners to not know what they’re responsible for. This role must be documented and communicated properly. If you need any assistance, SecurityStudio can offer many free resources (including templates).

Phase 3: Same Language

Not everybody speaks “information security” the same way. It’s important for every entity to use the same methodology and terminology when managing risk. Risk assessments must be done using the same (or similar) tool for consistent context and scoring throughout the state (between entities).

S2Org

S2Org was built to be the simple information security language.

Benefits of using the same language include:

  • It’s educational. Most people don’t appreciate the many facets of information security. Improved education leads to more buy-in.
  • Measurements are consistent. Consistent measurements allow for rollups, dashboards, and apples-to-apples comparisons. This puts risk into context.
  • It becomes cultural. The language becomes part of the culture and people participate more.

Phase 3 Tasks

The S2 platform makes all these tasks simple (and easy).

  • Choose your language. At this point, only the Risk Owners need to speak the language.
  • Conduct risk assessments. Completed by Risk Owners or delegated by the Risk Owner.
  • Compile results on a single dashboard or screen for context.
  • Report the results to all interested parties. The language is taught to others throughout this process and buy-in slowly starts.

IMPORTANT: Many people overthink this part of the process; we suggest you don’t.

Phase 4: Baselines

There are certain risks that are unacceptable to the entire organization, from top to bottom. Determining these risks will help establish the global baseline by which all entities should abide. Local baselines are set by the Risk Owners, where they decide the following:

  • What is the risk decision? There are only four options: accept, mitigate, transfer, or avoid. Undecided risks become accepted ones by default.
  • Who will enact the risk decision? Someone must be accountable, or it won’t get done.
  • When will the risk decision be enacted?
  • How much will it cost? This is the objective and justified budget we all covet.

The local baselines become road maps.

Budget

Risk Owners have weighed in, deciding which risks are acceptable and which are not. All decisions were made using objective criteria and all budget items are tied to specific risks. Getting budget approval is more likely when decisions are quantified, distributed, and put into context. The classic “what will this money get us?” is an easy discussion.

There will be multiple budgets affected, depending on how things break down fiscally.

Ultimately, budget approvers/stakeholders (usually the legislature) can begin to understand:

  1. The current state of the state’s information security program.
  2. The future/planned state of the state’s information security program.
  3. When the state can expect to reach the future/planned state.
  4. How much the future/planned state will cost.

Some expenditures will be state expenditures, and some will be local. Costs can be distributed, and resources can be pooled, saving money in the end. In addition to the four important metrics (above), we can communicate what our most significant risk is now.

Phase 4 Tasks

Four simple, but certainly NOT easy tasks in Phase 4:

  • Establish global (or universal) standards of what’s acceptable and what’s not.
  • Coach Risk Owners to make good risk decisions, then let them.
  • Finalize roadmaps with Risk Owners.
  • Establish and obtain budget.

At this point, distributed risk management will start becoming operationalized and people will begin to see the vision.

Phase 5: Progress

This is all about execution. Joint, coordinated progress is made as the state’s information security program is built together. All entities have roadmaps, and execution continues until the end of the roadmap.

Many things will happen at once during this phase (CISOs are used to this anyway). Every entity should be busy managing to their roadmap, and the CISO has visibility into it all. As things are completed, scores (S2Scores on S2) change. Current status can be provided to any/all interested parties.

Phase 5 Tasks

Manage the roadmap process, ensuring that people complete what they agreed to complete. If/when roadmap projects and tasks don’t get completed, the Risk Owner should be held accountable.

Phase 6: Improvement

This phase is about review and improvement before beginning the cycle again. Review the successes and challenges in the first cycle, Phase 1 through Phase 5. Adjust and run the entire process again. The second, and each successive time through the cycle gets easier because the processes become operationalized and cultural.

In each cycle, risk assessments are completed in Phase 3. These assessments are like stakes in the ground from which the state (and its entities) measure themselves. In each pass, the stake is set again with newer, more relevant risk data.

Phase 6 Tasks

There are only two tasks in Phase 6:

  • Conduct a formal review of the entire KISS Principle as it was applied. In the review, focus on simplification and resist the urge to add more things.
  • Suggest and make improvements, as necessary.

That’s it. Start at Phase 1 again. Those are the six phases of the State KISS Principle. At each phase, complex concepts were simplified. The work was not easy, but nobody said it would be. What was removed (even if just a little) was confusion and complexity.

Conclusion

SecurityStudio is here to help those who serve in our state governments. We focus on our mission, to fix the broken information security industry, before all else. Our mission forces us to look at things from the perspective of those who are served (usually individual people) and those who serve (our information security compatriots).

The truth is complexity in state government has never been greater, and state cybersecurity personnel are asked to do more than they’re capable of.

These things are the purpose behind SecurityStudio’s S2 platform.

Contact us to see a demonstration, register trial accounts, and/or arrange for a proof of concept (POC).

We are always here to serve. SecurityStudio CEO Evan Francen, email: efrancen@stg-securitystudio-staging.kinsta.cloud.

To learn more about SecurityStudio, our tools, or our #MissionBeforeMoney, visit us online at https://securitystudio.com.

[1] “It’s easier to go through your secretary than it is to go through your firewall.”

[2] “Your firewall doesn’t help when someone steals the server.”

[3] “It’s easier to go through your secretary than it is to go through your firewall.”

[4] “Your firewall doesn’t help when someone steals the server.”