The Map of Cybersecurity Domains
By Henry Jiang
CISO and Managing Director at Oppenheimer & Co. Inc.
Recently, I posted a picture of a mind-map that I created, simply called "The Map of Cybersecurity Domains (v1.0)." The map was put together as a way to clear my head after fully immersing myself in the world of cybersecurity day in and day out for the past few years, and as a constant reminder of just how complex and vast the subject can be.
People outside of the cybersecurity world, and even people who are involved with cybersecurity, often form viewpoints that are limited by their understanding and confined by the functions of their roles.
How many times has a cybersecurity practitioner such as myself mentioned to other people what I do, only to get one of the following responses:
a) oh, you are a hacker, can you break into my computer? haha,
b) ok, I got it, you are doing something with computers...
When you visit a new city, a new country, or a new place, you usually want to get hold of a map to orient yourself. Why not a map for the world of cybersecurity? Over the years, as a trained network architect, I have always liked to draw diagrams to convey complex designs or ideas to other people, so this skill comes in pretty handy in the cyber world.
The map version 1.0 was first published on LinkedIn as a photo, not as an article. Within days, the post went viral, with over 180,000 views in about a week and still counting. I received so much constructive feedback from the LinkedIn community that I felt compelled to publish an updated version of the map to:
- incorporate some really good advice from the people who had read my original post;
- correct misspelled words;
- properly explain what the map is about, and what it is not about;
- share the map in other file formats (PDF, free mind-map app, etc.) so the information can be distributed and modified more easily.
The World of Cybersecurity Map Version 2.0
The map is about capturing key areas of cybersecurity practice in interconnected ways. The practice of cybersecurity is not just about "hacking." With the map, one should realize that "hacking," or what is perhaps more appropriately called an "authorized penetration test," is a sub-domain under "Risk Assessment," or under another sub-domain called "Active Defense" under "Security Operation."
The map is not based on a particular standard or framework. However, being a CISSP myself, you can certainly see some familiar components from ISC2, for example Security Engineering and Security Operations.
The map is based on my personal views on the subject. It represents how I see those domains and sub-domains being put together, in logical and meaningful ways. You might disagree with my viewpoint, but that's how I see things. Sometimes I might agree with you, in which case I will modify the map and thank you for your thoughtful input.
The map was purposely designed not to include specific control categories for the most part, unless the controls are important enough to stand out on their own. Nor are specific objects mentioned, i.e., types of users, applications, computers, IoT devices, etc. In this regard you will not see firewall, IDS/IPS, endpoint protection, anti-malware/anti-virus, web proxy, DDoS remediation, UBA/UEBA, etc. explicitly mentioned. They are, however, implicitly included under the respective domains or sub-domains such as governance, security architecture, security operation, detection, prevention, etc.
Security Architecture vs. Security Operations
Some questions were asked about why certain items fit one domain but not the other. In my opinion, the things that fit under "Security Architecture" are the items that are planned, designed and implemented as the "platforms," whereas the items under "Security Operation" are the activities that are repeatable, following established SOPs (standard operating procedures).
Sometimes one sub-domain may fit under multiple parent domains, in which case I will place it under the domain that is the most logical; sort of like the CISSP exam: two answers could both be right for a single question, but you must select the one that is most appropriate. To my fellow CISSPs, you know what I mean :)
The thought process here is that if we were to include every product category in the world of cybersecurity, the map would become too big to manage, and readers could lose focus quickly.
The purpose of the map is to drive high-level conversations with people inside and outside of the cybersecurity field: with your engineers, your cybersecurity analysts, with board members, with C-level executives, with business owners, with students who want to enter the IT or cybersecurity field, and with vendors who often pitch their product as the "magic bullet."
Given the specific industry that I am in, and the fact that I work for a US-based financial firm, the map is inevitably influenced by the US regulations and laws pertaining to the financial industry. Some of the domains or sub-domains, such as 3rd Party Risk, User Education and Data Leakage Prevention, are the result of published FINRA and SEC guidelines on cybersecurity. With this post, however, you will be able to access the original mind-map files so that you can modify the map to fit your specific industry and region as you see fit.
The map, this time around, is properly published as an article as opposed to a picture. I have learned from my previous mistake that once you have posted a picture on LinkedIn you cannot really modify it, especially when it contains several typos :)
So what's next?
Perhaps each domain on the map can be expanded upon with additional branches as separate visual guides; take the Governance domain, for example, there is just so much to talk about. Maybe those will be my future projects.