Agile Security Operations

By : Hinne Hettema
Overview of this book

Agile security operations allow organizations to survive cybersecurity incidents, deliver key insights into the security posture of an organization, and operate security as an integral part of development and operations. It is, deep down, how security has always operated at its best. Agile Security Operations will teach you how to implement and operate an agile security operations model in your organization. The book focuses on the culture, staffing, technology, strategy, and tactical aspects of security operations. You'll learn how to establish and build a team and transform your existing team into one that can execute agile security operations. As you progress through the chapters, you’ll be able to improve your understanding of some of the key concepts of security, align operations with the rest of the business, streamline your operations, learn how to report to senior levels in the organization, and acquire funding. By the end of this Agile book, you'll be ready to start implementing agile security operations, using the book as a handy reference.
Table of Contents (17 chapters)

- Section 1: Incident Response: The Heart of Security
- Section 2: Defensible Organizations
- Section 3: Advanced Agile Security Operations

Preface

This book focuses on how organizations can improve their security posture and build robust and predictable security operations. It is written from the viewpoint that the best way to do that is with something called agile security operations, focused on processes rather than organizational structure, and a strong focus on incident response as one of the key processes that we either prepare for, execute, or improve in well-executed security operations.

This book may turn some received wisdom about security operations on its head. Specifically, in this book I develop and apply a methodology for agile security operations that is primarily focused on the process, rather than the structure, of a security operational capability. I discuss how these processes interact with each other using a map of the incident response process. The word agile is used because security operations need agility – the capability to quickly predict and adapt to a rapidly changing set of circumstances.

Agile has, in some contexts in the software development world, evolved into a complex and prescriptive framework for how to develop software. That is not how I operate here. Agile security operations are most certainly not a security or operations variety of agile or scrum, which are primarily software development methods. In the context employed here, agile security operations really focus on the tactical aspects of how teams do security, and how they embed, as a team, into a wider organization.

This book does not specifically adhere to one method of agile that is used in software development, nor does it get overly prescriptive in the practices and methods, although there is enough information here to do so if you want. Security operations, and how they are best done, are specific to each business and need to be carefully tailored and designed to meet the needs of that business. It is important that you adopt a framework that incorporates the idiosyncrasies and context of your business and implement what works for you.

This book will not focus in detail on the latest technology, gadgetry, tools, or clever attack approaches that are common to cybersecurity. In fact, in this book, I care little about such things at all (although they are interesting). This book instead focuses on tactics: the ethos and the way of thinking you need to successfully thwart cyber adversaries in your organization, as well as the processes that drive a credible security capability.

I run my teams, and wrote this book, from the viewpoint that what matters most in security teams is their grasp of context, key concepts, systems, and operations, and the many ways in which they influence the business. To the extent that this book hands down tools, those are the ones that matter most. In security, as elsewhere now, technical tools and approaches are subject to constant and rapid change. The grasp of the technical intricacies of tools is a threshold variable: teams need enough proficiency with the tools to be effective, but beyond that point, it is what they do with them that matters in how much they can influence and improve the security posture of the business.

Despite decades of hawking strategy and best practice by consultants, security has not markedly improved in many businesses, and from the viewpoint of the executive, matters have probably gotten worse.

Companies the world over are now making significant investments in security. Yet the ongoing drumbeat of cyber-breaches suggests that these investments matter less than should be the case. This situation needs to change. It can, if we improve our processes, work on embedding security teams into the organization, and develop the right ethos in our security teams.