Security Automation Isn’t AI Security

In many spheres of employment, the application of Artificial Intelligence (AI) technology is creating a growing fear. Kevin Maney of Newsweek vividly summarized the pending transformation of employment and the concerns it raises in his recent article “How artificial intelligence and robots will radically transform the economy.”

In the Information Security (InfoSec) community, AI is commonly seen as a savior – an application of technology that will allow businesses to more rapidly identify and mitigate threats, without having to add more humans. That human factor is commonly seen as a business inhibitor as the necessary skills and experience are both costly and difficult to obtain.

As a consequence, over the last few years, many vendors have re-engineered and re-branded their products as employing AI – both as a hat-tip to their customers’ growing frustration that combating every new threat requires additional personnel to look after the tools and products being sold to them, and as a differentiator from “legacy” approaches to dealing with the threats that persist despite two decades of detection innovation.

The rebranding, remarketing, and inclusion of various data science buzzwords – machine intelligence, machine learning, big data, data lakes, unsupervised learning – into product sales pitches and collateral have made it appear that security automation is the same as AI security.

We are still at the very early days of the AI revolution. Product and service vendors are advancing their v1.0 AI engines and are predominantly focused on solving two challenges – sifting through an expanding trove of threat data for actionable nuggets and replicating the most common and basic human security analyst functions.

Neither challenge is particularly demanding of an AI platform. Statistical approaches to anomaly detection, data clustering and labeling processes meet all the criteria for the first security challenge, while “expert system” approaches of the 1970s and 1980s tend to be adequate for most of the second challenge. What has changed is the volume of data that decisions must be based upon and the advances in learning systems.

What is confusing many security technology buyers at the moment lies with the inclusion of AI buzzwords around products and services that are essentially delivering “automation.”

Many of the heavily marketed value propositions have to do with automating the manual tasks that a threat analyst or incident responder would undertake in their day-to-day activities, such as sifting through critical alerts, correlating them with other lesser alerts and log entries, pulling packet captures (PCAPs) and host activity logs, overlaying external threat intelligence and data feeds, and presenting an analytics package for a human analyst to determine the next actions. All these linked actions can of course be easily automated using scripting languages if the organization were so inclined.

The automation of security event handling doesn’t require AI – at least not the kind or level of AI that we anticipate will cause a global economic and employment transformation.

The AI v1.0 being employed in many of today’s products may be best thought of as assembly-line robots – replicating repeated mechanical tasks, not necessarily requiring any “intelligence” as such. That automation obviously brings efficiencies and consistency to incident investigation and response – but by itself isn’t yet having an impact on an organization’s need to employ skilled human analysts.

As organizations get more comfortable sharing and collectively pooling data, the security community can anticipate the advancement and incorporation of better learning systems – driving down an incremental AI v1.1 path – in which process automation efficiently learns the quirks, actions and common decisions of the environment within which it is operating. One example would be assessing an analytics package that was automatically compiled by determining similarities with previously generated and actioned packages, assigning a prioritization and routing to the correct human responder. It may sound like a small but logical process of automation, but requires another level and class of math, and “intelligence” to learn and tune an expert decision making process.
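The two stages described above – the v1.0 scripting of alert correlation, log pulling and threat-intel overlay, and the v1.1 step of comparing a freshly compiled package against previously actioned ones to assign a priority and route it – fit in a few dozen lines. The following is an added example, not code from the original article or from any vendor product: the alerts, log events, threat-intel entry and “previously actioned” packages are all constructed, and the Jaccard-similarity routing rule is one plausible way to implement the learning step, not a description of any shipping engine.

```python
"""Alert triage automation: correlate, enrich, package, then route by similarity
to previously actioned packages. All sample data below is constructed."""
from datetime import datetime, timedelta

# Constructed inputs (not from any real incident).
CRITICAL_ALERTS = [
    {"ts": "2017-01-10T09:15:00", "host": "ws-0412", "sig": "Malware.Beacon", "dst": "203.0.113.7"},
]
LESSER_EVENTS = [
    {"ts": "2017-01-10T09:10:30", "host": "ws-0412", "sig": "DNS.NewDomain", "dst": "203.0.113.7"},
    {"ts": "2017-01-10T09:14:55", "host": "ws-0412", "sig": "Proc.PowerShellEncoded", "dst": None},
    {"ts": "2017-01-10T07:00:00", "host": "ws-0412", "sig": "Auth.Success", "dst": None},  # outside window
    {"ts": "2017-01-10T09:14:00", "host": "srv-dc01", "sig": "Auth.Failure", "dst": None},  # other host
]
THREAT_INTEL = {"203.0.113.7": {"tag": "known-c2", "confidence": 90}}  # constructed feed entry

# Previously actioned packages: the "memory" the v1.1 similarity step learns from.
ACTIONED = [
    {"sigs": {"Malware.Beacon", "DNS.NewDomain"}, "intel": {"known-c2"}, "priority": "P1", "queue": "ir-oncall"},
    {"sigs": {"Auth.Failure"}, "intel": set(), "priority": "P4", "queue": "iam-team"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def correlate(alert, events, window=timedelta(minutes=10)):
    """Pull lesser events on the same host within +/- window of the critical alert."""
    t0 = parse(alert["ts"])
    return [e for e in events
            if e["host"] == alert["host"] and abs(parse(e["ts"]) - t0) <= window]


def enrich(alert, related, intel):
    """Overlay external threat intel on every destination seen in the package."""
    dsts = {alert["dst"]} | {e["dst"] for e in related if e["dst"]}
    return {d: intel[d] for d in dsts if d in intel}


def build_package(alert, events, intel):
    """The v1.0 'analytics package' an analyst would otherwise assemble by hand."""
    related = correlate(alert, events)
    hits = enrich(alert, related, intel)
    return {"host": alert["host"],
            "sigs": {alert["sig"]} | {e["sig"] for e in related},
            "intel": {h["tag"] for h in hits.values()},
            "related_count": len(related)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def route(package, actioned, threshold=0.5):
    """v1.1 step: score against previously actioned packages and inherit the
    priority/queue of the closest one if it is similar enough; otherwise hand
    the package to a human, because nothing like it has been seen before."""
    best, best_score = None, 0.0
    for past in actioned:
        score = (jaccard(package["sigs"], past["sigs"]) + jaccard(package["intel"], past["intel"])) / 2
        if score > best_score:
            best, best_score = past, score
    if best and best_score >= threshold:
        return {"priority": best["priority"], "queue": best["queue"], "similarity": round(best_score, 2)}
    return {"priority": "unassigned", "queue": "human-triage", "similarity": round(best_score, 2)}


def triage(alert=CRITICAL_ALERTS[0]):
    pkg = build_package(alert, LESSER_EVENTS, THREAT_INTEL)
    return pkg, route(pkg, ACTIONED)


if __name__ == "__main__":
    package, decision = triage()
    print(package)
    print(decision)
```

The point of the split is the one the article makes: `build_package` is pure automation and needs no learning at all, while `route` is where a learning component first earns its place – and even there, a package that resembles nothing previously actioned still lands in front of a human, which is exactly the gap the author says v2.0 would have to close.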

In my mind, Security AI v2.0 lies in an intelligence engine that not only dynamically learns through observing the repeated classification of threats and their corresponding actions, but is able to correctly identify suspicious behaviors it has never seen before, determine the context of the situation and initiate the most appropriate actions on behalf of the organization.

That might include the ability to not just identify that a new host has been added to the network and appears to be launching a port scan against the Active Directory server, but to predict whether the action may be part of a penetration test (pentest) by understanding the typical pentest delivery process, typical targets of past pentests and the regular cadence or scheduling of pentests within the organization. The engine could then arrive at an evidence-based conclusion, track down and alert the business owners of the suspected activity and, while waiting for confirmation, automatically adjust threat prevention rules and alerting thresholds to isolate the suspicious activity and minimize potential harm.

The success of Security AI lies in determining actions based on incomplete and previously unclassified information – at which point the hard-to-retain “tier-one” security analyst roles will disappear, as so many assembly-line jobs in the motor vehicle industry have over the past couple of decades.

Gunter Ollmann, Chief Security Officer, Vectra

[ISACA Now Blog]

Three Myths About CISSP Certification Training…Busted!

Let’s pretend you’re planning a big trip, and you need a nice place to stay. After considering different options online, you find a place that sounds great. The photos appear perfect.

So, here’s the question. When you arrive, will the lodging match your expectations…or is it just too good to be true?

When you’re choosing among CISSP® training providers, we know you’re sorting through a variety of companies and, oftentimes, big, beautiful claims. To ensure you aren’t surprised when you reach the CISSP certification exam, here are three myths debunked.

Myth #1: Pass rates of 90%+ are guaranteed.

What you should know: No training provider knows exactly which questions and real-world scenarios will be on the exam, so there’s no way to guarantee a pass rate.

The CISSP certification exam is very tough, and it’s constantly being updated to reflect our ever-changing cyber world. Not to mention, there are a variety of unknown variables each time a person sits the exam.

No company can prepare you for the exact questions that will appear on the exam.

Bottom line: (ISC)² does not provide pass rate information to any training providers – including our very own (ISC)² Official and Approved Training Providers. Be careful with any company that guarantees a pass rate.


Myth #2: Any training company can get you a CISSP exam voucher.

What you should know: (ISC)² and (ISC)² Official Training Providers are the only authorized organizations with the ability to offer CISSP exam vouchers.

What happens if an unauthorized company says it can get exam vouchers for you – for example, by telling you that “all you need to do is give them your Pearson VUE credentials”?

You should know you’re putting yourself at risk. Sharing your Pearson VUE credentials with unauthorized companies or individuals violates the terms of the (ISC)² Non-Disclosure Agreement. Doing this means you:

  • May lose your CISSP certification
  • Can be indefinitely suspended from retaking the exam
  • Will lose the money you’ve paid for the exam

Bottom line: When you go through official channels for exam vouchers, you completely eliminate these risks. (ISC)² and our Official Training Providers will never ask you for your Pearson VUE credentials.


Myth #3: Passing the exam is the one and only thing that matters.

What you should know: There’s more at stake here.

It’s easy to slip into the mindset that passing the exam is the only thing that matters. In this mindset, training can quickly turn into a series of memorization drills and brain dumps.

But step back for a moment. The CISSP certification was created to measure whether you have the experience, knowledge and critical thinking skills to be effective at your job.

Yes, we help you prepare for test day. Just as important, though, we never lose sight of the bigger picture: inspiring a safe and secure cyber world and developing professionals who can protect their organizations.

Because we create and manage the CISSP Common Body of Knowledge (CBK®), our training seminars always include the most current information. Plus, all of our instructors have the CISSP certification themselves. This means our instructors can help you:

  • Understand how to apply the most current best practices in real-world scenarios
  • Build critical thinking skills to enable you to think beyond the tasks at hand
  • Address today’s security problems, and discover tomorrow’s challenges before they even happen

Bottom line: When you choose (ISC)² or one of our (ISC)² Official Training Providers, you are on the way to becoming the most well-rounded and effective information security professional possible.

Interested in becoming a CISSP? Download the free planning kit.

[(ISC)² Blog]

Developing Business Capabilities Using COBIT 5

“You can’t do today’s job with yesterday’s methods and be in business tomorrow.”

–Unknown

To execute your strategy, you need to build business capabilities. In order to ensure a business will be successful in the future, an organization must understand how it defines success and must know if it has the capability today to do better or to do more to achieve this success.

What Is Business Capability?

A business capability (or, simply, a capability) describes a unique, collective ability that can be applied to achieve a specific outcome. A capability model describes the complete set of capabilities an organization requires to execute its business model or fulfill its mission. An easy way to grasp the concept is to think about capabilities as organization-level skills embedded in people, process and/or technology.
A business capability describes an organization’s ability to successfully perform a unique business activity. Business capabilities are used for managing units of strategic business change and for providing the mandate for programs and project portfolios.
Capabilities typically:

  • Form the building blocks of the business but do not have an independent purpose of their own
  • Represent stable business functions
  • Are unique and independent from each other
  • Are abstracted from the organizational model and can be defined for any organizational unit
  • Capture the business’s best interests

Since a business capability model describes the complete set of capabilities an organization requires to execute its business mission, vision and objectives, skills associated with various areas within the business are considered capability components (figure 1).

Figure 1—Examples of Capability Components

Name: Recruitment Management

Roles:
  • User: Recruiter
  • Stakeholders: Manager, Candidate

Processes:
  • Evaluation of new hire requisitions
  • Recruitment/sourcing of candidates
  • Screening and selection of candidates
  • Hiring of candidate

Information:
  • Candidate/applicant details
  • Position description
  • Recruitment agency data
  • Industry standard role definitions

Tools/Technologies:
  • Recruitment management application
  • Human resources application
  • Social media applications

Source: Oluwaseyi Ojo. Reprinted with permission.

These include:

  • People
  • Processes
  • Information
  • Tools/technologies
  • Organization units
  • Functions/roles
  • Business services
  • Information and data
  • Application services
  • Applications
  • Infrastructure
  • Infrastructure services

Why Assess Business Capability?

Organizations face many questions such as:

  • How should we organize ourselves?
  • We have many outsourced capabilities. How do we support cooperation with our partners?
  • How do we adopt new technology and integrate it into our existing landscape?
  • How do we make sure that security standards are implemented in a consistent way?
  • What is the impact of this new acquisition on our business processes?
  • Who is the authoritative source for customer products, etc.?
  • How do we align our technology portfolios with our strategy road map?

To address these questions, businesses develop a business capability model to describe the rationale of how an organization creates, delivers and captures value (figure 2).

Figure 2—Mapping Capability to the Organization

Source: Oluwaseyi Ojo. Reprinted with permission.

Business capabilities should be mapped to the respective functions or organizational units that provide or utilize these skills. Once a capability is identified as being used across multiple business units within the organization, it is important to consider that changes to that capability will impact multiple organizational areas involved. Often, when transformation maps for new technologies are created, it is important to understand that changes in a solution or service a business provides internally or externally can have a significant downstream impact on other parts of the organization.
Figure 3 is the starting point for a business capability model. This matrix represents all the business capabilities that an organization performs. Each cell is a business capability.

Figure 3—Example of a Capability Model

Source: United Kingdom Government Reference Architecture (UKRA) v1.0

The columns (functional management) reflect the high-level value chain for the organization, or are major groupings of business capabilities that are meaningful to the business. The rows (capability management) reflect the fundamental purpose of a business capability, and there are normally three rows, namely:

  • Strategy
  • Management
  • Operations

Using the COBIT 5 Framework to Develop Business Capability

Enterprise architecture recognizes that the organization is a system and the cross-cutting concerns must first be addressed at the overall level, i.e., the enterprise. It recognizes that one cannot solve every detailed problem at once. Effective ways to deconstruct the problem must be found. Focusing on business capabilities that support business strategy first, then delving into the design of those capabilities, forms an effective way to consider people, process and technology together.
Mapping business capabilities to business strategy is key. Business strategy elaborates on the business vision (enterprise goals), sets the direction for the business and determines where to focus executive attention. It identifies high-level initiatives in support of strategic themes expressed in strategic business objectives.
At this point, there is a need to create a capability map.

Business Capability Map

“Business-capability mapping is the process of modeling what a business does to reach its objectives (its capabilities), instead of how it does it (its business processes).”

–Denise Cook1

The first step is to identify the highest-level capabilities of the business and add these as elements to the capability map. For example, the highest-level capabilities for the whole organization might be:

  • Service/product development
  • Service/product delivery
  • Business operations, etc.

The next step is to deconstruct these high-level capabilities into lower-level capabilities and add these lower-level capabilities as subcapabilities in the map. One way to figure out how to deconstruct the business into capabilities is to identify the key services or products that the business offers and list the high-level activities that enable the business to offer these things. For example, if a company builds software applications, it would need to perform market analysis, product development, advertising and sales, distribution, and so on. These are all capabilities that support the business.
It is advisable to continue deconstructing the capabilities until the desired level of detail is achieved. For each capability that is added to the map, a description of that capability can be included in the details view. In addition, the attributes can be defined and related material such as text documents, spreadsheets or presentations can be attached.
After a network of capabilities has been mapped, business groups can group together capabilities that share a common attribute (e.g., an organizational unit or a business goal). For example, all the capabilities related to strategic planning can be grouped in one business group and all the capabilities related to business operations in another. The next step is to create references to the processes that implement each capability.

How COBIT 5 Develops Business Capability

COBIT 5 is a framework rather than a standard and, as a result, it is designed to be adapted by adopting organizations. A core principle of the design of COBIT 5 is to align systematically with cognate frameworks and standards. COBIT provides best practice guidance for the complete life cycle of IT investment. It comes with a suite of management tools with supporting guidance.

Evaluate, Direct and Monitor Domain

The Evaluate, Direct and Monitor (EDM) domain covers governance. Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritization and decision making; and monitoring performance, compliance and processes against agreed-on direction and objectives.
To develop business capabilities, the following COBIT 5 processes must be considered under the governance layer of COBIT 5:

  • EDM01 Ensure Governance Framework Setting and Maintenance
  • EDM02 Ensure Benefits Delivery
  • EDM03 Ensure Risk Optimization
  • EDM04 Ensure Resource Optimization

These processes bear directly on the development of business capabilities.
Name of COBIT process: EDM01 Ensure Governance Framework Setting and Maintenance.
Brief description of process: This process focuses on providing governance of the enterprise, and on preparing and maintaining effective enabling structures, principles, processes and practices, with clarity of responsibilities and authority to achieve the enterprise’s mission, goals and objectives.

How to use it for developing business capabilities: To develop business capabilities, a strong governance system must be prepared, implemented and effectively maintained. This helps the organization to continually identify and engage with the enterprise’s stakeholders, understand and document their requirements, and obtain their support, buy-in and commitment. It also helps to drive the development of business capabilities that will achieve the enterprise’s goals and objectives.
Name of COBIT process: EDM02 Ensure Benefits Delivery.2
Brief description of process: This process focuses on optimizing the value contribution to the business from the business processes.

How to use it for developing business capabilities: Developing business capabilities is an investment; this helps to continually evaluate the investment and strategic alignment to determine the likelihood of achieving enterprise objectives and delivering value at a reasonable cost. It also helps to identify and make judgments on any changes in direction that need to be given to management to optimize value creation and realization. With a defined balanced set of performance objectives, metrics, targets and benchmarks, monitoring the key business goals and metrics to determine the extent to which the business capabilities are generating the expected value and benefits to the enterprise is crucial.
Name of COBIT process: EDM03 Ensure Risk Optimization.
Brief description of process: This process focuses on ensuring that the enterprise’s risk management framework is established and monitored.

How to use it for developing business capabilities: While developing business capabilities, a new risk can be introduced, or an existing risk that was once low can be triggered and become high or critical. This process helps to define the enterprise’s risk appetite and tolerance and ensures these are understood, articulated and communicated. To develop sustainable business capabilities, organizations must proactively evaluate risk factors in advance of pending strategic enterprise decisions and ensure that risk-aware enterprise decisions are made. This helps to determine the level of risk that the enterprise is willing to take when developing business capabilities in order to meet its objectives (its risk appetite).
Name of COBIT process: EDM04 Ensure Resource Optimization.
Brief description of process: This process ensures adequate and sufficient capabilities (people, process and technology) are available to support enterprise objectives effectively.

How to use it for developing business capabilities: To develop business capabilities, resources need to be optimized; this focuses on establishing and maintaining resources (people, process and technology) needed to develop business capabilities. Resources are key to develop and sustain business capabilities. The resource needs of the enterprise must be met in the optimal manner that will increase likelihood of benefit realization and readiness for future change. Resources must be allocated to best meet enterprise priorities within budget constraints and overall enterprise goals and objectives.

Align, Plan and Organize Domain

The Align, Plan and Organize (APO) domain covers the use of information and technology and how best it can be used in an enterprise to help achieve enterprise goals and objectives. It also highlights the organizational and infrastructural form IT is to take to achieve the optimal results and to generate the most benefits from the use of IT.
To develop business capabilities, the following COBIT 5 processes and practices must be considered under the management layer of COBIT 5:

  • APO02 Manage Strategy
  • APO03 Manage Enterprise Architecture
  • APO05 Manage Portfolio
  • DSS06.01 Align control activities embedded in business processes with enterprise objectives

These processes and practices bear directly on the development of business capabilities.
Name of COBIT process: APO02 Manage Strategy.
Brief description of process: This process focuses on setting business goals and objectives.

How to use it for developing business capabilities: To execute your strategy, you need to build your business capabilities. The primary reason for developing business capabilities is to support and achieve the business goals and objectives. To develop business capabilities, the enterprise direction must be clearly defined and understood, and strategic plans must be aligned with business goals and objectives. This helps ascertain priorities in order to develop the right business capabilities.
Name of COBIT process: APO03 Manage Enterprise Architecture.
Brief description of process: This process focuses on establishing a common architecture for effectively and efficiently realizing enterprise strategies.

How to use it for developing business capabilities: Enterprise architecture is a conceptual tool that helps organizations get a deeper understanding of their own structure and the way they work. It provides a map of the enterprise, and it is a “route planner” for business and technology change. To develop business capabilities, organizations must connect strategy to execution; enterprise architecture enables flexibility and adaptability, so that business capabilities can keep pace with changes in strategy. Enterprise architecture provides a balanced approach to the selection, design, development and deployment of all the solutions (business capabilities) to support the enterprise.
Name of COBIT process: APO05 Manage Portfolio.
Brief description of process: This process focuses on evaluating, prioritizing and balancing programs and services, managing demand within resource and funding constraints, based on their alignment with strategic objectives, enterprise worth and risk.

How to use it for developing business capabilities: This process establishes the portfolio strategy, defines portfolio governance and monitors and controls the portfolio. The objective of this process is to identify projects and initiatives that the organization will focus on to develop business capabilities and align them with strategic goals, objectives and business needs. In addition, a budget is secured and allocated to ensure that projects are prioritized, organized and staffed. Monitoring the status and performance of projects and initiatives is used to build, deliver and improve products and services.
Name of COBIT practice: DSS06.01 Align control activities embedded in business processes with enterprise objectives.
Brief description of practice: This practice in the Deliver, Service and Support (DSS) domain focuses on assessing and monitoring the execution of the business process activities and related controls, based on enterprise risk, to ensure that the processing controls are aligned with business needs.

How to use it for developing business capabilities: This practice helps to identify and document control activities of key business capabilities to satisfy control requirements for strategic, operational, reporting and compliance objectives; prioritize control activities based on the inherent risk to the business and identify key controls and continually monitor control activities on an end-to-end basis to identify opportunities for improvement.
The continual assessment and monitoring are important to ensure that the right business capabilities are properly developed and improved.
These COBIT 5 processes and practices, if properly and painstakingly implemented, will help achieve the desired business capabilities.

Conclusion

Capabilities are purely business views of the business, whether the capability is automated or not. It is a capability if the business can and does have this ability—even if it is weak. Capabilities can provide both strategic and operational investment guidance. Capabilities can be easily and subjectively assessed. Once assessed, capability analysis can be applied to a wide variety of organizational problems.

Oluwaseyi Ojo, CEng, CRISC, CISM, CGEIT, COBIT 5 Certified Assessor, CISSP, TOGAF 9

Is an experienced enterprise and security architect. He has assisted several organizations in developing and improving their business capabilities, using best practice standards and frameworks to translate their business vision, goals and strategies into effective road maps that describe the enterprise’s present and future states, enabling them to evolve in order to gain and maintain their competitive advantage. He is an ISACA exam writer for the CRISC and CISM exams. He can be contacted through his LinkedIn profile.

Endnotes

1 Cook, D.; “Business-Capability Mapping: Staying Ahead of the Joneses,” Microsoft, March 2007
2 This and all subsequent COBIT content is from ISACA, COBIT 5: Enabling Processes, USA, 2012

Threat Brief: Second Wave of Shamoon 2 Attacks Reveal Possible New Tactic

The Palo Alto Networks Unit 42 threat intelligence team has just released new research uncovering a previously unknown second wave of Shamoon 2 attacks: Second Wave of Shamoon 2 Attacks Identified

Based on our analysis, these attacks were timed to occur on November 29, 2016, twelve days after the initial Shamoon 2 attacks that we wrote about previously.

Like the initial Shamoon 2 attacks, this second wave uses the Disttrack wiper malware. Disttrack is optimized to destroy systems by targeting their hard drives and to spread as widely as possible throughout a network it has infiltrated. And once again, the Disttrack malware was configured to operate without any command and control (C2) servers, essentially optimized for a one-way mission of data destruction.

But this second wave of Shamoon 2 attacks shows evidence of a potential new tactic. Unit 42 analysis shows that the latest sample contains credentials for virtual desktop infrastructure (VDI) solutions, such as Huawei’s FusionCloud. VDI solutions can provide protection against destructive malware such as Disttrack by allowing snapshots of wiped systems to be restored after a wiper attack. The presence of these credentials in the sample may suggest that the attackers intended to increase the impact of their attack by not only wiping systems but also carrying out destructive activities against the VDI deployment, including any snapshots.

The possible targeting of VDI solutions with legitimate credentials (either stolen or default) represents an escalation in tactics, not only in this specific attack but potentially in future attacks as well. Security teams and administrators should be aware of this development, take immediate steps to evaluate their exposure, and consider adding safeguards to protect the credentials associated with their VDI deployment – for example, ensuring that VDI and snapshot-management accounts do not use default passwords and are not reachable with the same credentials the malware could harvest from wiped hosts.
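The finding above came from the sample itself: credentials and service endpoints embedded in the binary. A first-pass triage step an analyst can run locally is to pull printable ASCII and UTF-16LE strings out of a sample (Windows malware commonly stores configuration as wide strings) and flag anything that looks like an account, a password or an authentication endpoint for a human to look at. The following is an added example, not Unit 42’s tooling and not derived from the Disttrack sample: the byte blob, the account name, the password and the FusionCloud-style hostname are all constructed for illustration, and the classification heuristics are deliberately simple.

```python
"""Extract ASCII and UTF-16LE strings from a binary blob and flag credential-like
material, as a first triage step for a sample reported to carry embedded
credentials. SAMPLE is constructed for this example; it is not real malware."""
import re

# Constructed stand-in for a sample: header-like bytes, a couple of wide strings
# (Windows style), an ASCII URL and a benign API name. Hostname and credentials
# are invented.
SAMPLE = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"
    + "vdi-admin".encode("utf-16le") + b"\x00\x00"
    + b"\x7f\x12\x00\xff"
    + "P@ssw0rd!2016".encode("utf-16le") + b"\x00\x00"
    + b"\x01\x02"
    + b"https://fusioncloud.example.internal:8443/\x00"
    + b"\xde\xad\xbe\xef"
    + b"GetProcAddress\x00"
)

# Runs of at least six printable characters, narrow and wide.
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_strings(blob):
    """Return (encoding, text) tuples for printable ASCII and UTF-16LE runs."""
    found = [("ascii", m.group().decode("ascii")) for m in ASCII_RE.finditer(blob)]
    found += [("utf-16le", m.group().decode("utf-16le")) for m in WIDE_RE.finditer(blob)]
    return found


# Heuristics: account-ish names, password-ish complexity (letters, digits and a
# symbol, 8+ chars), and endpoints the malware would need to authenticate to.
ACCOUNT_HINT = re.compile(r"(admin|svc|service|root|vdi)", re.I)
PASSWORD_HINT = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)(?=.*[^A-Za-z0-9]).{8,}$")
ENDPOINT_HINT = re.compile(r"^https?://\S+|^\\\\\S+", re.I)


def classify(text):
    """Label a string as endpoint, password-like or account-like, else None."""
    if ENDPOINT_HINT.match(text):
        return "endpoint"
    if PASSWORD_HINT.match(text):
        return "password-like"
    if ACCOUNT_HINT.search(text):
        return "account-like"
    return None


def find_credential_material(blob):
    """Strings worth a human look, as (kind, encoding, text) tuples."""
    hits = []
    for enc, text in extract_strings(blob):
        kind = classify(text)
        if kind:
            hits.append((kind, enc, text))
    return hits


if __name__ == "__main__":
    for kind, enc, text in find_credential_material(SAMPLE):
        print(f"{kind:14} {enc:9} {text}")
```

Two caveats a practitioner should keep in mind: heuristics like these produce false positives by design (any string containing “service” will be flagged), so the output is a worklist, not a verdict; and a sample that stores its credentials encrypted or encoded, as many families do, will yield nothing here until the configuration has been decoded. Any live credentials recovered this way should be treated as compromised and rotated, which is the point the brief makes about protecting VDI credentials.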

Full technical details, including associated indicators of compromise (IOCs) that can be used for more detailed analysis and protection, can be found in the full report.

Palo Alto Networks customers are protected from the Disttrack payload used in this attack:

  • WildFire properly classifies Disttrack samples as malicious.
  • The Threat Prevention AV signature Virus/Win32.WGeneric.ktoto detects the new payload.

AutoFocus customers can monitor Disttrack activity using the Disttrack tag.

[Palo Alto Networks Research Center]
