Wednesday, May 27, 2015

I'm Finished!

Today, I read something that troubled me.  What I read was another blog post about the author’s lack of faith and confidence in the ability of students graduating with a Master of Science in Cybersecurity to secure a network.  I can’t speak for the individual that wrote that post; however, what I can tell you is that I have had a completely different experience than that individual.  Much of what I have learned throughout my journey to earning an MS in Cybersecurity can be attributed to the experiences and knowledge shared by other students.  I am confident that my fellow students have the knowledge and expertise to be valuable assets to the cybersecurity community.  By working together, not as individuals, I believe we can all make a difference.

Okay, I will step off my soapbox and continue on with something more important.  This week marks the end of my journey towards earning a Master of Science in Cybersecurity degree.  It has been a long and hard journey since I started.  Long because of the many nights and weekends I spent in my basement office working on course assignments each week, and hard because of all the time I had to devote to the assignments in lieu of my family.  So what was the hardest part about earning the degree?  It was time management.  As if work and family are not enough to fill a person’s schedule, I had to complicate it more by carving out time to complete course assignments and to study.  The best advice I can give to someone else that is thinking about continuing their education or has just started a degree program is to stick with it once you start it.  All the time and hard work devoted to it will pay off in the end.

I can’t give myself all the credit though.  I couldn’t have done this without the help of some important people in my life.  I would like to thank my parents for the support and encouragement they have given me throughout the years.  I would also like to thank my mother- and father-in-law for all the time they spent watching my children so that I could work on my assignments as soon as I came home from work every day.  I want to thank my two daughters for understanding why I missed all of those important events so I could “work on my school work in the basement.”  Last, I want to thank my wife.  She has sacrificed so much just so I could have the time I needed to work on my assignments.  I couldn’t have done it without you.

This may seem like the end, but it is not.  As I mentioned twelve weeks ago, I plan on adding to this blog as I continue my education and career.  So don’t stop visiting my blog.  Stay tuned for more posts about information security and what you can do to protect yourself and others from becoming a victim of a cybercrime.

Friday, May 15, 2015

What’s So Hard About Creating an Action Plan? (Week 10)

For the last two weeks I have been creating an action plan that specifies the controls I recommended to manage the risk associated with the threats identified from the threat analysis previously completed.  One thing that troubled me while completing the action plan was determining which threats to address.  In short, should I identify a control to transfer, mitigate, or eliminate every threat, or should I pick and choose the threats I feel should be mitigated?  After much thought, I decided that since I was tasked with determining the cause of a recent data breach and preventing it from occurring again, it was not my place to pick and choose the controls to present to senior management.  Instead, I decided I would present all of the controls and let senior management determine which ones to implement.

Finally, I had a resolution to my initial problem.  However, after reviewing my final product I felt as if it presented a “the sky is falling” kind of assessment.  That is definitely not what I was trying to accomplish.  I simply wanted to make management aware of all the potential security issues found with the organization’s network.  How in the world was I going to be able to achieve senior management buy-in and get them to implement some or all of the controls developed to fix the critical vulnerabilities?

After some more critical thinking and one sleepless night I developed a course of action that I would employ in order to achieve senior management buy-in without making them feel as if the sky was falling.  The first thing I would do is show the senior managers the level of risk assigned to each threat.  It would be recommended that threats with a higher level of risk should be addressed prior to threats with a lower risk rating.  The second method that could be used to achieve senior management buy-in is to present each threat with a cost-benefit analysis.  The cost-benefit analysis can be used to compare the cost of implementing a recommended control with the cost associated with responding to and recovering from an incident caused by a threat.  If the cost to implement a control is less than the cost of an unwanted incident, then it only makes sense to opt to implement the recommended control.  The last option I thought of is something I learned in one of my previous classes.  It is called à la carte pricing.  Basically, recommended controls are represented as options to select from.  For example, Option A is to transfer the risk and costs $1,000.  Option B is to accept the risk and costs $2,000.  Option C is to mitigate the risk and costs $500.  I wonder which option senior management would choose if presented with the aforementioned options?  I know the one I would probably choose.
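The three ideas in this post (rank threats by risk level, compare each control's cost against the cost of the incident it prevents, and present the controls as an à la carte menu) can be combined into one small script. The example below is added here and is not code from the original post; every threat name, likelihood/impact score and dollar figure in it is constructed for illustration, and the likelihood × impact risk score is an assumed ordinal scale, not one the post specifies. "Accept the risk" is modelled as an option priced at the incident cost, so each recommended control is compared directly against doing nothing, which is the cost-benefit test the post describes. The third threat reproduces the post's own Option A/B/C figures.

```python
"""Risk-ranked action plan with an a la carte cost-benefit menu per threat.

Added example for the post above; all threats, scores and costs are constructed.
"""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    likelihood: int        # 1 (rare) .. 5 (almost certain); constructed ordinal scale
    impact: int            # 1 (negligible) .. 5 (severe); constructed ordinal scale
    incident_cost: float   # estimated cost of responding to and recovering from one incident


@dataclass
class Control:
    threat: str            # name of the Threat this control addresses
    strategy: str          # "transfer", "mitigate" or "eliminate"
    description: str
    cost: float            # cost to implement the control


def risk_score(t: Threat) -> int:
    """Ordinal risk rating: likelihood x impact. Higher scores are addressed first."""
    return t.likelihood * t.impact


def rank_threats(threats):
    """Highest-risk threats first; ties broken by the larger incident cost."""
    return sorted(threats, key=lambda t: (risk_score(t), t.incident_cost), reverse=True)


def control_justified(c: Control, t: Threat) -> bool:
    """Cost-benefit test: a control pays for itself if it costs less than the incident it prevents."""
    return c.cost < t.incident_cost


def menu_for(t: Threat, controls):
    """A la carte options for one threat, cheapest first.

    Accepting the risk is always listed, priced at the incident cost, so that every
    recommended control is compared against the cost of doing nothing.
    """
    options = [(c.strategy, c.description, c.cost) for c in controls if c.threat == t.name]
    options.append(("accept", "do nothing and bear the incident cost", t.incident_cost))
    return sorted(options, key=lambda option: option[2])


def build_action_plan(threats, controls):
    """One row per threat, in risk order, with its option menu and the cheapest option."""
    plan = []
    for t in rank_threats(threats):
        options = menu_for(t, controls)
        plan.append({
            "threat": t.name,
            "risk_score": risk_score(t),
            "options": options,
            "recommended": options[0][0],   # cheapest option; may legitimately be "accept"
        })
    return plan


# Constructed sample data (not from any real assessment).
THREATS = [
    Threat("Phishing leads to credential theft", 4, 4, 20_000.0),
    Threat("Unpatched public web server", 3, 5, 50_000.0),
    Threat("Post's Option A/B/C example", 2, 2, 2_000.0),   # accepting costs $2,000
    Threat("Lost unencrypted laptop", 1, 3, 1_500.0),
]

CONTROLS = [
    Control("Phishing leads to credential theft", "mitigate", "awareness training plus MFA", 5_000.0),
    Control("Phishing leads to credential theft", "transfer", "cyber-insurance policy", 12_000.0),
    Control("Unpatched public web server", "mitigate", "patch-management process", 9_000.0),
    Control("Unpatched public web server", "eliminate", "decommission and replace platform", 60_000.0),
    Control("Post's Option A/B/C example", "transfer", "Option A", 1_000.0),
    Control("Post's Option A/B/C example", "mitigate", "Option C", 500.0),
    Control("Lost unencrypted laptop", "mitigate", "full-disk encryption rollout", 2_000.0),
]


if __name__ == "__main__":
    for row in build_action_plan(THREATS, CONTROLS):
        print(f"[risk {row['risk_score']:>2}] {row['threat']}  -> recommend: {row['recommended']}")
        for strategy, description, cost in row["options"]:
            print(f"    {strategy:<9} ${cost:>9,.0f}  {description}")
```

Running it prints the threats from highest to lowest risk score, each followed by its priced options with the cheapest first. For the laptop threat the cheapest option is acceptance, because the only control on the table costs more than the incident it prevents; presenting that honestly is exactly what keeps the plan from reading as "the sky is falling".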

Sunday, May 10, 2015

To Share or Not To Share, That is the Question (Week 9)

Last week I had an interesting conversation with another student in my class about sharing information in the cybersecurity field, which led me to think about how cybersecurity information is shared.  If you really think about it, there is a lot of information out there that suggests we are sharing information.  The only downside to the plethora of information that exists is that it makes it difficult to learn about new and emerging threats as they are discovered, because they are spread across many resources.  Sure, we can spend our days searching and reading through resources, but who has time to do that?  Wouldn’t it be great if there was a one-stop shop we could all go to to learn and share information about new and emerging cybersecurity threats?

Apparently I am not the only one that has thought about this.  Efforts within our government are under way to develop and enact a cybersecurity bill that calls for the creation of a system for sharing cybersecurity information between public and private entities as it is discovered.  The proposed bill is called the Cybersecurity Information Sharing Act and is very close to being enacted.  Finally, a one-stop shop for us to utilize to learn about new and emerging cybersecurity threats before we learn about them the hard way: when they strike our organization.

Unfortunately, there is one major concern with the proposed bill.  That major concern is privacy.  Some believe the bill will jeopardize our right to privacy since the information sharing system would open a backdoor for companies to legally share their users’ private data (Greenberg, 2015).  This is a major concern we are all too familiar with after the big fiasco with the NSA breaking privacy rules in the past.  Do we really want to go through something like that again?

In order to defend against cyber threats we are going to have to figure out how to share cyber threat information and intelligence without jeopardizing people’s right to privacy.  The Cybersecurity Information Sharing Act seems to be heading in the right direction, but in its current state may threaten our right to privacy.  Hopefully revisions to the bill will be made before it is enacted, and then we can use it to help us fight the battle against cybercrime without infringing on our privacy.

References

Greenberg, A. (2015, April 22). House passes cybersecurity bill despite privacy protests. Retrieved May 10, 2015, from http://www.wired.com/2015/04/house-passes-cybersecurity-bill-despite-privacy-protests/