I think some still remember when non-functional requirements (NFR) were activities in a project plan and thus could be prioritized accordingly. However, this meant that important requirements for a system or application did not always get the focus that was needed - the time did not exist.
NFRs were quite often given lower priority and less effort. Functional requirements have always had most of the focus - they are business and customer driven - defining what the system does or must not do, while the non-functional requirements specify how the system should do it. Examples of NFRs are:
- Performance - for example response time, throughput, utilisation, static volumetrics
- Scalability
- Capacity
- Availability
- Reliability
- Recoverability
- Maintainability
- Serviceability
- Security
- Regulatory
- Manageability
- Environmental
- Data Integrity
- Usability
- Interoperability
I do not want to write much more about the NFRs themselves, but rather about the change that has taken place in the last 4-5 years. I am referring to the increased use of Cloud services, third-party applications and solutions, as well as digitalisation, while we face an accelerating growth in aggressive cybercriminal actors and their devastating attacks on enterprises.
Cyber security hygiene today
Today we need to focus much more on cyber security hygiene than on specific NFRs. Much is still the same, but awareness across organisations, industries and authorities has increased. Cyber security hygiene refers to the core, fundamental cyber security best practices that an organisation's security practitioners and users must develop through an increased awareness of cyber risks.
Cyber security hygiene is about educating and training yourself and the organisation to think proactively about cyber security, about the risks to be aware of and how to lower them, just as you do with your daily personal hygiene. Establishing solid cyber security hygiene practices should be as routine as brushing your teeth.
The cyber security hygiene challenges are constant. Within an organisation there may be multiple attack vectors that must be neutralised or mitigated with robust cyber security hygiene. From a classic on-premise environment to an increased consumption of third-party SaaS applications and Cloud services, many elements in a cyber security strategy require regular and ongoing adjustment based on the ever-changing threat landscape.
Digitisation is driven by efficiency and increased automation, which depend on more access to data. Flexibility in processes and the alternative connectivity options (at the office or remote) affect the requirements for cyber security hygiene. There are more extensive risks that need to be managed, and cyber security hygiene must address them:
- Data loss
- Misplaced data
- Security breaches
- Outdated software
- Old security software
- A lack of vendor risk management
- A lack of routines and strategy around cyber security hygiene
Maintaining cyber security hygiene requires the engagement of every individual in an organisation. It really is an organisational effort and challenge to improve awareness. Therefore, every individual in an organisation needs to understand basic cyber security hygiene practices and what is required to protect and maintain organisation-wide cyber security - one strategy that the organisation and all employees need to commit to. This is achieved through scheduled education and training.
It is very important to create a routine around cyber security hygiene. It helps to ensure a system's or an application's health by establishing practices that continually help prevent cybercriminals from causing security breaches, installing malware or stealing personal information. Proper cyber security hygiene also ensures a better incident response if a successful attack occurs. This addresses the three cornerstones of people, process and technology.
One example of applying best practices is the Center for Internet Security (CIS) Controls, specifically CIS Controls version 8. It is a simplified control set with controls divided into three areas:
- Basic CIS Controls
- Foundational CIS Controls
- Organization CIS Controls
Evaluate the benefit of implementing the following cyber security hygiene principles to manage the most common and pervasive cyber security risks.
- Establish an incident response plan
- Establish network security and monitoring
- Maintain access control based on privilege and maintain user access accounts
- Manage technology changes and use standardised configurations
- Implement controls to protect and recover data
- Prevent and monitor malware exposures
- Manage third-party cyber risks and external dependencies
- Perform cyber threat and vulnerability monitoring and remediation
- Automate your company's security practices to reduce the impact of human error
By focusing on education and training to improve awareness, employees will have a better ability to perform basic security tasks such as updating devices, identifying suspicious behaviours, and practicing good cyber hygiene across teams.
Complexity is the enemy of security, so the best response to an increasingly complicated and highly dynamic digital world is to get back to the basics. That starts with cyber security hygiene.