Updated 9 February 2024: The CISO Security Mind Map has been updated from the 2023, to the 2024 version. The 2024 version includes the latest trends and changes to security programs.
Changes and focus areas of the CISO Security Mind Map 2024:
- Use of the ‘Govern’ function in addition to Identify, Protect, Detect, Respond, and Recover. This is to reflect changes in the NIST CSF 2.0 (currently still a draft version).
- Inclusion of AI Threats and AI Enhanced Security, to acknowledge the latest developments in (Gen) AI. Most companies realize the significance of AI developments and are acting accordingly to prepare.
- New regulations that have either been introduced recently or are coming into force soon. The highlights include EU DORA, EU NIS2, EU Artificial Intelligence Act, USA SEC reporting requirements.
- Ransomware remains a key area of concern, just like last year.
Why should you study my CISO security mind map 2024?
Information and cyber security is a complex and evolving capability that every company must deal with.
But what is it?
How do you know you’re working on the rights topics and domains, and how do you know you’re doing a good enough job?
These are difficult questions to answer.
To help define what is information and cyber security, I have created a CISO security mind map 2024.
The CISO security mind map started in 2023, and is included for reference purposes.
Govern
Cyber Security Governance: Security strategy, budgeting, alignment with business & business goals, roles & responsibilities, hiring and team strategy.
Data Governance: Data ownership, data rules, data usage approvals, separation of production and non-production, data masking, Personally Identifiable Information (PII).
Security and Privacy Standards: Alignment with security standards, NIST (CSF), ISO27001, SOC 2 / ISAE3402 type 1 & 2, CIS, NIS2, PCI DSS, SOX, GDPR, CCPA, HIPAA, DORA.
Identify
Asset Management: Asset inventory, (automated) asset discovery, CMDB, asset types (systems, network, applications, etc.).
Risk Assessments, Threat Modeling, Pentesting & Red Teaming: Performing (periodic) risk assessments, pentesting or ethical hacking, red teaming, security compliance testing, application & business threat modeling, security by design.
Cyber Security Threat Intelligence: Monitoring of intelligence sources, threats from attackers, dark web monitoring, CSIRT.
Third-Party Risk Management (TPRM): TPRM governance, TPRM assessments for due diligence, periodic monitoring, profiling and risk tiering, secure onboarding, off-boarding, Software Bill of Materials (SBOM).
Protect
Endpoint Protection & Mobile Device Management: Endpoint protection on laptops/desktops/servers, BYOD/CYOD, Mobile Device Management (MDM), secure internet access (via proxy/firewall).
Network Security: Network and Web Application Firewalls, firewall rule reviews, Virtual Private Networks (VPN), (micro) segmentation, (virtual) LANs, software defined networking, segmented management access, jump servers, zero-trust networking, DMZs, (network) IDS/IPS, Proxy filtering, DDoS protection, Network Access Control (NAC), CASB Gateway, TLS/SSL offloading.
Vulnerability Management: Vulnerability scanning, vulnerability remediation, credentialed & non-credentialed scanning, managing and accepting vulnerabilities. Note: we have an article describing the differences between threat modeling and vulnerability management.
Hardening & Secure Configuration: Hardening baselines, hardening procedures, hardening scanning, deviations and deviation management.
Encryption and Cryptography: Encryption of data at rest & in transit, (virtual) disk encryption, database encryption, SSL/TLS, Key Management System, Public Key Infrastructure.
Secure Development & Deployment: Secure Software Development Life Cycle (SSDLC), CI/CD pipelines, CI/CD security triggers, security requirements, OWASP top 10.
Physical Security: Access badges, physical locks, anti-tailgating or piggybacking turnstiles, security guards, Data Center physical security.
Identity & Access Management (IAM): HR onboarding and off-boarding, HR integration, joiner + mover + leaver process, minimum password requirements, Single Sign On (SSO), Multi-Factor Authentication (MFA), Role Based Access Control (RBAC), Active Directory, Privileged Access Management, OAuth, smart cards, password managers, (key) vaults, federations, trusts.
Data Loss Protection: Data classification (i.e., public, internal, confidential, etc.), classifying (office) documents, limiting external storage access, limiting online sharing, Email scanning.
Security Awareness & Training: Compliance training, phishing training, training of special groups (i.e., privileged users, senior leadership, etc.), monitoring of compliance.
Brand and Domain Protection: Social media monitoring, domain monitoring, takedown requests, asset monitoring.
Detect
Security Logging & Monitoring: Endpoints + clients + servers + network components + applications with security logging enabled, centralized & untampered collection of logs, use case development, use of SIEM, monitoring events and follow-up.
Response and Recover
Secure Operations Center: Event monitoring, SOC investigation and response procedures, analysis of SIEM alerts, Indicators of Compromise, triage, threat intelligence, containment, recovery, isolation.
Incident Management: Incident Management plans and procedures, Incident Management task force, classification, incident response, forensics, data breach, incident playbooks.
Business Continuity Management (BCM) and Disaster Recovery (DR): Business Continuity Plan, Disaster Recovery plans and procedures, Disaster Recovery testing, recovery sites, hot + warm + cold sites.