This information requirement is one that is well understood by cyber security practitioners and decision makers, and has fuelled recent developments in the industry such as the burgeoning number of cyber threat intelligence offerings available on the market. Beyond this threat specific information though there is also a significant requirement for advice and guidance across a broad range of information security topics, and this requirement claims a large amount of time and effort from many security professionals.
However, although there are apparently many information sources available it can be difficult to find reliable, credible information, of the appropriate level on relevant topics.
There are some great, highly rigorous and detailed information sources and standards available. For example the ISO2700X series of information security standards provides an excellent baseline for the development of an information security programme and has the benefit of providing avenues for certification. Similarly the NIST Special Publications are an excellent reference set and are freely distributed. Meanwhile the SANS institute is renowned for its guidance and thought-leadership on information security, with works such as the Critical Security Controls and the multitude of research contained in the Reading Room provides a good source of practical guidance.
However, much of this work is prohibitively detailed and at a level that is not readily accessible to many, particularly those with only limited time to study it - understanding these frameworks is a specialisation in itself.
On the other hand concise guidance that is readily accessible to generalist information security professionals and decision makers is difficult to come by. While there are no doubt an abundance of blogs and whitepapers available, the veracity of much of this material is unknown and therefore is often of little use. This is exacerbated by a vendor tendency to produce marketing material thinly veiled as research and guidance, when it is little more than a promotional vehicle for a specific product.
Fortunately there is an increasing amount of good quality, readily digestible, authoritative information available. Industry groups and professional bodies have an increasingly important role to play in this space, for example CREST has led the way in the UK for many years and is producing an increasing amount of quality research on a range of cyber security topics.
Similarly the Institution of Engineering and Technology is bringing their considerable track record to bear on the area of cyber security, and we have been working with them recently on the IET Engineering and Technology Reference.
The IET Engineering and Technology Reference is a library of articles providing insight into a range of technology and cyber security related areas. While rigorous and authoritative in nature, these articles are intended as primers, providing core information on the topics and highlighting avenues for further study and detail should it be required. In this way the work is an excellent fit for the requirements of many information security practitioners, providing a sufficient foundation for decisions to be approached in an informed manner - without requiring prohibitive time to study and master.
Over the next few weeks we will be publishing a series of blogs covering the topics we contributed to the IET work, including:
- Incident Response and Handling
- Advanced Persistent Threat (APT)
- Social Engineering
- The Insider Threat
In the meantime, if you would like any information on thesetopics or have another information requirement that you would like to discuss,then please get in touch.
Contact and Follow-Up
Nick is a part of our Response team in Context's London office. See the Contact page for how to get in touch.