Lessons Learned in Building and Implementing an Effective Cybersecurity Strategy

Abstract

Today's missions rely on highly integrated and complex technology that must be protected from a wide range of adversaries in a very dynamic and contested cyber environment. The predominant response to the growing, shifting cyber threat has been to apply cyber hygiene best practices and focus on satisfying compliance mandates for an authority to operate. While necessary, these steps alone are not sufficient, given the pace of technology change and the increasing abilities of our adversaries. For organizations developing or acquiring complex, software-enabled technologies, a cybersecurity strategy provides a critical set of guidelines that enable intelligent, risk-based decisions throughout the life cycle. The strategy identifies planning, design, monitoring, and enforcement considerations for integrating cybersecurity into all products, processes, and resources. As such, it defines expectations for how the individual technology components, their assembled configurations, and their interactions will meet the security requirements of a mission. Effective cybersecurity requires the application of engineering rigor to the process of defining security requirements in the context of other system imperatives. Cybersecurity engineering is a discipline focused on analyzing and managing mission and system cyber risk and trade-offs across the life cycle. Cybersecurity engineers evaluate interactions, dependencies, and system response to attacks. They identify security practices and mechanisms that need coordination across the life cycle, spanning components, people, processes, and tools. They prepare the technology to handle the operational environment where it will ultimately reside. In this paper, we introduce the purpose of a cybersecurity strategy and describe the role of cybersecurity engineering in implementing it. We identify six key cybersecurity engineering activities and share observations on how these activities can be used to address the challenges acquisition programs face as they work to improve cybersecurity under resource and time constraints.