Ecosystem Engineering in Cybersecurity, Pt. 2

In this second installment in the series, let’s take a deep dive into the first building block: Target Identification.

Peter Luban
Feb 22, 2019

--

In this industry, we’re all familiar with terms like “risk” and “threat”. And we’ve all been through the assessment rigmarole when it comes to building out a risk catalog or a threat matrix. Have you ever been involved in one of these exercises and, right in the thick of it, said something like “this isn’t working, it’s too much” or “how do I know that these are the right things to focus on?” Yeah, me too.

This is the result of another antiquated method of risk identification still being the unspoken industry standard in many environments. “Find all the things” may have worked back in the day when the threat landscape was simpler and adversaries were less sophisticated, but in today’s world of constant change, we need an anchor point to begin with. Target Identification is a way to establish a starting point when it comes time to invest in risk management practices, and it is a fundamental step in the creation of a functioning risk framework. Let’s explore the concept a bit further.

I like to start with defining terms, and since we’re on the biological science kick, let’s stick with the theme and do just that:

(According to pharmacology) Target identification is the process of identifying the direct molecular target — for example protein or nucleic acid — of a small molecule. In clinical pharmacology, target identification is aimed at finding the efficacy target of a drug/pharmaceutical or other xenobiotic. Identifying the biological origin of a disease, and the potential targets for intervention, is the first step in the discovery of a medicine.

Let’s explore this in terms of cybersecurity. The above essentially states that in order to invest in harm reduction efficiently, you must understand where application of control will result in the highest bang for buck. And in order to understand that, we must seek to understand what is truly at risk. Since we’re talking in terms of business risk, we must strive to understand what risks, were they to manifest, would materially impact the business in terms of loss. THAT is Target Identification: tying risk back to line of business, be it in terms of financial loss, loss of revenue, opportunity loss, reputation loss, loss of assets or any other type of loss that matters most to the particular business that you’re in. Collecting every conceivable risk à la Pokémon is a fool’s errand and an exercise in futility. Relevant risk tied to known threats and threat actors, correlated with measurable business impact, is the path to harmony.

I know that there’s tons of ambiguity as it relates to what we consider “impact” or “loss” as well as “risk” and “risk management”, and diving into those concepts is a whole other article in and of itself (which I will write, I promise), but in simple terms, highest loss = biggest target. Force rank your targets in terms of loss and you have the beginning of a beautiful risk catalog: step one on your way to the wonderful world that is Security Ecosystem Engineering.

Stay tuned for my next article in this series where we explore building block two: Visibility!

--

Peter Luban

Pete has been working in Cybersecurity related fields for over 20 years in many industries from big finance, all the way down to tiny internet startups.