Graph Image
Invictus Insights March 06, 2020

Cyber Security as a Service: A Pragmatic Approach to “Service-izing” Cyber

By: G. Michael Carroll, CASP, Security +, ITIL Foundations

Every 4 years, the Department of Defense (DoD) conducts their Quadrennial Defense Review (QDR).  QDR is a legislatively-mandated review of Department of Defense strategy and priorities.  Back in 2005, when I supported the Defense Information Systems Agency (DISA) as a contractor for Hawkeye Systems (a former Jim Kelly company) I supported a Senior official for DISA GIG Operations who was in charge of conducting end to end reviews of multiple initiatives that were funded by DoD.  All of these initiatives were in the penumbra of what is now referred to as “cyber” initiatives.  The end result was a set of recommendations to the DepSecDef Wolfowitz on $30 billion in DoD programs over the DoD Future Years Development Program (FYDP).  At that time, these programs were referred to as Computer Network Defense (CND), Information Assurance (IA), a concept called, “Net-Centricity”, information sharing, data strategy, and several other programs.  It was also the first time I was introduced to placing parameters around discipline areas and packaging them into services; something I refer to as “service-izing”.

One of the key outputs from the QDR report was the requirement to define “cyber”, cyberspace, and “cyberpower”, the ability to exert power over cyberspace.  “CyberPower” is what DoD sought to capture and manage as part of its national defense mission.  Similar to air, land, sea, and space, “commons” for which the US exerted its dominance over, however there was still the question about how effective DoD and the US could and should exert leadership or dominance in this growing, but not well understood “common.”  Under the leadership of the National Defense University (NDU), a series of symposia were held, bringing in experts from all over academia, industry, and military, to help shape this important topic area.  What resulted was a book on CyberPower Theory, which I helped compile and edit, and it was published by NDU Press in 2007.  In the book, terms like cyber and cyberspace were defined, discussed, and packaged into services, some of which continue to be used today.  Below is an excerpt from the NDU Cyber Power Theory book“…Cyber can be defined in many ways. One recent study found 28 definitions of cyberspace. Accordingly, one of the most important lessons in this realm is to recognize that definitions should be used as an aid to policy and analysis, and not as a limitation on them. In the context of this book, cyber is used to encompass technical, informational, and human elements. Daniel Kuehl defines cyberspace as an operational domain framed by the use of electronics and the electromagnetic spectrum to create, store, modify, exchange, and exploit information via interconnected and Internetted information systems and their associated infrastructures.  That definition is broad and technically focused but is a useful platform from which to begin discussion.  As one looks at different elements of cyberpower, the Kuehl definition provides a common base for analysis, but other aspects will tend to be added or emphasized, and the technical definition will be less critical to the development of policy and strategy. By way of examples:

  • cyber influence activities will include the Internet as well as radio, television, communications such as cell phones, and applications for all
  • cyber military activities will include network-centric operations, computer network attack and exploitation, geopolitical influence operations, and security
  • cybersecurity will include not only technical issues such as viruses and denial-of-service attacks, but also human matters—such as insider deception as well as normal human mistakes—and the problems of governance, both national and international.”

Fast forward to 2015, DoD policy replaces the term, “IA” with the term, “cybersecurity.”  In short, by fiat, IA is dead, long live cybersecurity!  Authors note: sometimes it takes a while for change to occur in organizations as big and broad as DoD.  That brings us closer to present day where we find Invictus International, supporting one of its largest customers, the Defense Intelligence Agency (DIA), providing support for cybersecurity and cyber defense services.  So now the question remains, the main premise of this article, how does one make a service out of (service-ize) something like cybersecurity

First, let’s define what “service” means.  The dictionary defines “service” as both a noun and a verb.  For example, one can provide a service – the action of helping or doing work for someone.  In this regard, one mainly thinks of telecommunication services, transportation services, water and electric utilities, or consulting services, etc.  One can also “service” a lawn mower when it needs repairs.  So it’s a little tricky to get your hands around what a service is however in all cases there is either labor or some deliverable involved in exchange for the service provided.  If one takes the above approach, it then is easy to “service-ize” a cybersecurity service.

Here is an example of a typical cybersecurity service that might be provided by a government agency.  Assessing and authorizing (A&A) an IT system to be placed into service on a production network.  As most of you know, IT systems must be assessed to ensure a proper security security posture before being authorized to be placed into service on an Agency network.  The authorizations vary from short term (depending on the risk) to longer term (usually 3 years).  There are specialized security controls assessors (SCA) that conduct the assessments and when completed, a recommendation is made to an authorizing official (AO) to grant approval to operate (ATO) to the system owner/customer.  Then the system record is updated in the official repository and reported up to and through Agency leadership.  There are many steps involved in the A&A of an IT system, both from the service provider as well as the system owner.  If one were to service-ize A&A, it would involve a detailed description of ALL the steps involved, from the very beginning when the system owner/customer wants to request A&A services all the way to when the ATO is granted and the system record is updated.  Some of the critical items when service-izing A&A are to identify the boundaries of the A&A service (what is and what is not part of the service), publishing the service hours (when will the work be conducted), what are the responsibilities of the service provider and the system owner / customer, how long should the process take, and what are the deliverables at the end of the service.  This is just one example of a cybersecurity service.  There are many others but they can all follow the same service-izing approach and different organizations may decide to service-ize in different ways based on their own capabilities and need to internally control certain aspects fo their IT and cybersecurity posture.  Invictus has helped a number of organizations strategize and decide what elements of their cybersecurity can be “service-ized” and how to optimize that level of service.  For commercal organizations, we even have a model where an Invictus cybersecurity engineer can act as the Chief Infomration Security Officer (CISO) – as a service.

Below are some objectives and recommendations when creating a service out of a cybersecurity offering.

Service-izing Objectives and Recommendations

The service must be well-defined and bounded.  When service-izing a set of tasks or “work”, one must define the work in functional terms.  In other words, what are the inputs, processes and outputs?  Once the service is defined and bounded (very important), one has the beginnings of a real service.  I believe it should go without saying that a service is something of value to the requestor and in some cases, that service cannot be sought from any other party.  In other words, there could be a monopoly on certain types of services and that is common for certain state, local and federal government services.  For example, one can only get a valid driver’s license from the DMV (in Virginia) or MVA (in Maryland). However, that is not true for commercial service providers.  Commercial service providers almost always compete for customer’s business and the ones that survive provide better services at competitive or better prices than others.

So, assuming you do not have a monopoly on a service and have to compete for market share, the best practice is to establish service delivery targets, also known as Service Level Agreements (SLA), with requesters or customers.  The Service Owner defines the SLA.  The SLA states, you will do this, and I will do that within a specified timeframe and certain conditions.  When defined in an SLA, the provider states the tasks and work and deliverables that will be provided to the requestor/customer.  This is where most of the up-front time should be spent by the Service Owner; defining all the things that are necessary for the service to exist and be viable.  If there are processes surrounding the delivery of the service, the Process Owner is responsible party for establishing these as well as approving any changes to the supporting processes.  Foot Stomp…SLAs are useless unless there are penalties for non-performance.  Service Level Objectives (SLO) are better than nothing but SLAs are the catalyst for what I jokingly refer to as, “The Quickening Effect”.  If you are familiar with the “Highlander” movie, you know that “the quickening effect” keeps your service strong and makes it stronger and more valuable over time.  And you dont have to cut off the head of your opponent to have the quickening effect work for you.  SLAs within government agencies are rare but are becoming more relevant in-service delivery CIO shops across the federal market space.

Define your service delivery hours.  E.g., M-F, 0800-1600 hours EST.  Define the inputs required from the requestor for when the service process starts.  E.g., Service clock starts when the customer provides the appropriate documents properly filled out, and a service ticket is generated for the project.  Also be specific on when the service process clock stops.  E.g., An authorization letter will be generated and provided to customer, the service ticket is resolved, and the system record is updated.

Set service delivery targets for the SLAs.  Be as specific as possible, e.g., Service Provider will issue authorization letter in within X business days, however YOU DON’T HAVE TO BE PERFECT.  Pick a target and start measuring performance.  You can compare your SLAs to commercial SLAs however commercial companies don’t have the same constraints on them as DoD elements.  If you never meet your SLA, see if there are unnecessary steps you can eliminate or bundle (combine with other steps).  As for bundling, try to bundle the process steps rather than over measure interim steps.

Only measure that which matters to customers or leadership.  Move out, measure, and report.  For multiple periods of “Nothing To Report” metrics, remove that target or bundle it with another process.  Place importance weights on different SLAs to align with the organizational mission.  E.g., SLA targets for authorizing a system are 2 times as important as, for example, establishing a new cyber account.

Service and Process Owners play a key role in managing SLAs.  Service Owners are responsible to everyone surrounding the delivery of the service.  Process Owners describe and document the processes, validate the process by digital signature.  This relationship between the Service Owner and the Process Owner is critical.  Both affect the others’ success.  Note: if you are in the business of supporting service delivery of a cyber service, don’t start the new process (based on rumor) until the Process Owner validates a new process and target.  This is a quick way to get in trouble.

Establishing SLAs and SLOs sharpen the axe for any organization.  It enables an organization to optimize resources and improve service delivery time to market and quality for its customers.  It enables organizations to properly gauge the amount of staff dedicated to a particular service area.  It enables organizations to package their services then contract to external contracting firms to execute.  And it enables government agencies to establish Performance Based Contracts (PBC) for their cyber services.  It is easy if you do all the hard-definitional work up front.  It is harder when services are ill-defined and unconstrained.  Last cautionary note; as stated earlier, real SLAs have penalties for non-performance.  If the service delivery organization fails to meet critical SLA targets, there should be some monetary penalty for this…e.g., Agency can short pay the bill to the vendor.  On the flip side, if SLA’s are consistently obtained or exceeded, there should be some financial benefit to the provider for the better service being provided to their customers.

Regardless of your organization’s plans, Invictus can assist you to help optimize the level of cybersecurity services you may want to treat “as a service.”  We have experience implementing and monitoring a number of different models.  Now, go out there and start service-izing your cybersecurity services!