The Impact of Persona Groups and Use Cases on Asset and Attack Surface Management
Home » Latest Articles » The Impact of Persona Groups and Use Cases on Asset and Attack Surface Management
By Steve Chambers
on
inCybersecurity Observability
This blog is kicking off a series of pages and posts that cover the personas and use case aspects of cybersecurity asset attack surface management, based on the SJULTRA team’s experience and discussions with others in the industry.
While we all love our technology here at SJULTRA, it’s always the people and process stuff that is always the big challenge to address.
Integrating systems with CAASMCyber Asset Attack Surface Management (CAASM) focuses on man… via their 1,000+ adapters, writing queries, and creating enforcements — that’s the fun bit! 😀
What if I told you that we often encounter clients grappling with the non-technical nature of asset and attack surface management? Is the crux of the problem not in the technology itself, but in the intricate interplay between organizational personas and the diverse use cases they encounter?
Table of Contents
The challenge we address is threefold:
Understanding the Persona Landscape: Each organization comprises a unique ecosystem of roles, from IT and Security Leadership to practitioners on both sides. These personas often operate in silos, with differing priorities, languages, and perspectives on security.
Aligning with Business Needs: Security initiatives must be harmonized with specific business use cases, whether it’s improving day-to-day operations, navigating mergers and acquisitions, managing third-party relationships, or undertaking significant technology migrations.
Bridging the Gap: The most critical challenge is bridging the divide between technical security requirements and business objectives, ensuring that asset and attack surface management strategies resonate with and are embraced by all stakeholders.
Our task, as consultants, is to navigate this foreign yet familiar landscape, helping our clients to understand that effective cybersecurity is not just about implementing the latest tools or following best practices.
Yes, we sell and deliver the latest and greatest (and also some of the golden oldies!), and we know that they don’t stick if you don’t prepare the surface 😉
It’s about creating a — deep breath — “holistic” approach that considers the unique perspectives and needs of each persona group while addressing specific business use cases. By doing so, we can foster a security-aware culture that at every level of the organization, turning potential vulnerabilities into strengths. If people truly are the weakest link, as they say?
In this discussion, we’ll explore how different persona groups impact and are impacted by various cybersecurity scenarios, with a focus on asset and attack surface management (though it applies to other domains, too).
Our goal is to generate debate, find research, and share insights that will help people develop more cohesive, effective, and business-aligned security strategies.
Persona Groups and Their Roles
To avoid boiling our brains with too much complexity, and to help us compare and contrast different companies and people, we use the age-old approach of a 2 x 2 matrix which makes up four personas groups.
1. IT Leadership
CTOs, CIOs, Heads of IT, Fractional CTOs/CSOs, and Non-exec directors play a pivotal role in setting the overall technology strategy and ensuring that cybersecurity is integrated into the organization’s broader objectives. They are responsible for allocating resources, approving budgets, and championing security initiatives at the executive level.
2. Security Leadership
CSOs, CISOs, and Heads of IT Security or Infosec are tasked with developing and implementing comprehensive security strategies. They bridge the gap between technical requirements and business needs, ensuring that asset and attack surface management aligns with the organization’s risk appetite and compliance obligations.
3. IT Practitioners
Solution Architects and Developers are on the front lines of implementing and maintaining IT systems. Their decisions and actions directly impact the organization’s asset landscape and potential attack surfaces. They play a crucial role in integrating security best practices into the development and deployment processes.
4. Security Practitioners
Security Analysts and Vulnerability Analysts are responsible for the day-to-day operations of identifying, assessing, and mitigating security risks. They work closely with asset management tools and attack surface analysis to maintain a strong security posture and respond to emerging threats.
Use Cases and Persona Group Impact
None of the above persona groups work in isolation. One way they are brought together is through a business use case.
We regularly experience these four use case groups:
1. Improving IT/Security Business As Usual
IT Leadership: Drives the cultural shift towards prioritizing security in daily operations, allocating resources for continuous improvement initiatives.
Security Leadership: Develops comprehensive asset management strategies, sets security policies, and ensures compliance with relevant standards.
IT Practitioners: Implement secure-by-design principles in system architecture and development, actively participating in asset discovery and classification.
Security Practitioners: Conduct regular vulnerability assessments, manage patching processes, and monitor the attack surface for potential threats.
Observation: Successful BAU posture improvement requires a holistic approach where each persona group contributes their unique expertise and perspective. The challenge lies in maintaining consistent communication and alignment across these groups to ensure a unified security strategy.
2. Mergers and Acquisitions
IT Leadership: Oversees the integration of disparate IT environments, ensuring that security considerations are factored into M&A decisions.
Security Leadership: Conducts thorough security assessments of the acquired entity, identifies potential risks, and develops integration plans that maintain or enhance overall security posture.
IT Practitioners: Manage the technical aspects of integrating new assets, applications, and users into existing systems while maintaining security integrity.
Security Practitioners: Perform detailed attack surface analysis of the combined entity, identifying new vulnerabilities and adjusting security controls accordingly.
Observation: M&A activities present unique challenges in asset and attack surface management due to the potential for unknown vulnerabilities and disparate security practices. The key to success lies in rapid and comprehensive discovery and assessment processes, coupled with agile adaptation of security measures.
IT Leadership: Evaluates the strategic implications of partnering decisions, ensuring that security requirements are clearly defined in service level agreements.
Security Leadership: Develops protocols for securely transferring responsibilities and access rights, maintaining the principle of least privilege throughout the transition.
IT Practitioners: Manage the technical aspects of granting or revoking access to systems and data, ensuring smooth operational transitions.
Security Practitioners: Monitor for any unusual activity during transition periods, conduct security awareness training for new team members, and update asset inventories and attack surface models.
Observation: The human element is particularly crucial in this use case. While technology transfers may not always occur, the movement of people and processes introduces significant changes to the organization’s security dynamics. Careful management of identities, access rights, and knowledge transfer is essential to maintain security integrity.
4. Technology Migration (Cloud On-premises, or VMware Off-boarding)
IT Leadership: Drives the strategic direction of technology migrations, balancing operational needs with security requirements and cost considerations.
Security Leadership: Ensures that security architectures are adapted for the new environment, addressing unique challenges posed by hybrid or cloud infrastructures.
IT Practitioners: Execute the technical aspects of migrations, ensuring that security controls are properly implemented in the new environment and that no vulnerabilities are introduced during the transition.
Security Practitioners: Conduct comprehensive security assessments of the new infrastructure, update asset inventories and attack surface models, and adapt monitoring and incident response processes to the new environment.
Observation: Technology migrations significantly alter the organization’s asset landscape and attack surface. The challenge lies in maintaining visibility and control throughout the transition, especially when moving to cloud environments where traditional perimeter-based security models may no longer apply. Continuous asset discovery and real-time attack surface management become even more critical in these dynamic environments.
Conclusion
Effective asset management and attack surface management doesn’t just require a collaborative effort across all persona groups within an organization — it discovers cracks in the collaboration.
Each persona group brings unique perspectives and responsibilities that, when properly aligned, create a robust and adaptive security posture. As organizations navigate complex use cases such as improving BAU security, managing M&As, partnering with external providers, and migrating technologies, the interplay between these persona groups becomes increasingly important.
At SJULTRA, we use Cybersecurity Asset Attack Surface Management software to get the full-landscape-view, find the gaps, and use this information to support any one of four use cases.
If we get it right, then by leveraging the strengths of each group and promoting cross-functional collaboration, organizations can build a more resilient and effective approach to asset and attack surface management.
When the context of persona groups and use cases are not applied, then gaps inevitably form in cybersecurity. CAASM is an approach to see and close these gaps, and we use CAASM to achieve this for our clients.
Next steps
This is a long-running topic at SJULTRA. What often turns out to be a “simple” project to integrate some tools… turns into a discovery of an organizations landscape of people, process, and technology — one problem at a time.
We now want to explore this further:
Is it just us seeing this?
Who else sees this?
What do they see?
Is there research?
How can we get more people involved?
If you’re interested in this topic, you can hit us up on the contact page, any of these methods!