Thursday, October 8, 2015

The Security Pyramid Model

I work in the field of IT Security for roughly two years now and before that I have worked two years as an IT Continuity Officer. And I can say, thankfully, that I have learned allot. The most important thing I probably have learned is that it is nowhere near possible to know everything. The key is to be able to create an overview of the entire situation in which you operate and, where needed, to learn the skills needed for that specific task. Truth to be told, that is much less easier done than being said.

As an IT Security Officer do I need to focus on Identity Management, Network Security, Data Security, Security Architecture or any other topic? I would likely say that you probably need to comprehend at least all fields (and more), but also choose your own specialization. To complete the gaps in your knowledge and experience you will need to look for co-workers and other sources to perform your job.

Last year I completed my exam of CISSP and I got my title in November 2014. The training course did not literately help me to extend my knowledge on very specific topics (apart from Forensics I have to say), but the training helped me to see the bigger picture in IT Security. There is many debate whether or not certifications like CISSP are sensible or not, but for me it did add value to my work as an IT Security professional.

In this blog-post I am going to share the foundations of my experience and knowledge from the last couple of years in to a model. In this model I have set out the most important topics and I am convinced that if these concepts can help you in your profession, especially when you are new to this very interesting field of work. I call this model the Security Pyramid Model. First I'll show you the model and describe the basics, ethics and the rules for success in Information Security.

As I have CISSP, did the training Ethical Hacking, and follow sources like Isaca, SANS and many more, you might find the model below influenced by their theories, frameworks and concepts.

The Security Pyramid Model

The Security Pyramid Model

The triangles

I find that many topics comes in pairs of three. Just think about concepts like people, process and technology. But also strategic, tactical and operational and of course the well known confidentiality, integrity and availability. What I did was looking at what I saw as dominant 'mantras' within Information Security. Then I formulated three words with each concept and placed it in the pyramid.

It is a gray area obviously, but in a way I modeled the pyramids in some form of a hierarchic manner. In the end, privacy needs to be protected by security. Whether it is your very own privacy or that of the company's secrets, it needs to be secure. So that is on the very top, the ultimate goal. But in order to get there you need some ground work to do.

Skipping the rules for success and the ethics (which will be talked about below), I will start with the first row of triangles. Security needs to be addressed on every level in an organisation, it needs to be scoped on all three elements within an organisation and in my opinion good Security is done based on risk-management. But in order for this to work the organisation needs to embed Security in its DNA using legislation, policies to enforce legislation and procedures to implement the policies. And the flow of information (most often the crown-jewels of an organization and also often the sensitive data of its customers) needs to be addressed properly.

In the layer on top of that there is the well known Security triage. Then there is the concept of intelligence, detection and response of Security incidents, and that is where the magic happens when it comes down to trumping on incidents like hacking and breaches that might (or will) occur. And when selecting the solutions to address risks and vulnerabilities, always think in layered defense, security by design and compartmentalization. And when that is done you will need to think about how much trust you want, control you need and secrecy you grave when you think about privacy.

Security Life Cycle Management

Everything is changing very fast. Whether it is the capability of hackers, new Security solutions, laws, markets or your very own customers, you need to respond quickly to this changing environment. On everything in your Security organization you need to have proper life cycle management. Policies can probably be reviewed on a 2-year basis, but technical solutions needs to be under constant review. So on everything that is done to keep the crown-jewels safe, life cycle it!

Rules for Success

Rules for success are important, as they determine how (yes, obviously) successful you will be at your work.

It all starts with people first. If they are not safe all else does not matter. If your co-workers are harmed by 'Security' measures or are harmed by the lack of it, it all has failed already. The second is the support of your management. For every decision, policy, security measure and investment you need management support. If you don't have it, you will likely fail eventually.

We also need to keep in mind that in the end everyone is responsible to do their part to be secure. Everyone is responsible for their security in their private lives, but at work all co-workers are responsible for the security of their organisation as a whole. You cannot outsource such responsibility. Therefore, training is needed. Some need more training then others, but continues training and growth of awareness are very important. Never waist a good crisis, so share your security failures at least internally. This helps to make everyone understand that a breach can happen fast and that a company going down effects everyone in it.

But all the above does not help if you do not have the appropriate policies. Policies are needed to show the employees what the boundaries, obligations and rights are and how the should be kept and respected. Policies do not (or at least should not) know any exceptions. An exception is document as a new policy.


Ethics are important to prevent organisations and people going corrupt and harm either the company itself or the society the operate in. The following rules are inspired by the (ISC)2 Code of Ethics, but also by the Isaca Code of Professional Ethics.

At first, protect the society and its infrastructure first. As a person, be honorable and justly. Act responsible and comply to legal regulations and laws. Provide a component service and where-ever possible, advance the profession you work in.


There are many frameworks that address various of countermeasures and solutions for risks and vulnerabilities and all those frameworks have their of course their worth. What I hope to achieve with this model is to put it all in to one view.

I hope I was of any value to you with sharing what I know and experienced and that we can learn from each-other when we are discussing it. So feel free to agree, disagree and certainly feel free to share your thoughts and questions in the comments below.



Post a Comment