Our founder and CEO, Evan Francen, recently attended the 2021 Cyber Security Summit to introduce a new cybersecurity methodology known as Programmatic Distributed Empowerment for Information Security (PDEIS™).
During his presentation, Francen spoke about PDEIS™ and his motivation for creating it.
“CISOs are playing a game they can’t win. My heart goes out to so many of the CISOs who are playing this game because they work really, really hard, they take on a lot of responsibility, and I think we’ve set them up to fail. So, all of this sort of led to creating this construct, PDEIS™, a method that can change the game and put us all in a better position to win.”
You can watch Evan’s full presentation below or continue reading for a detailed explanation of PDEIS™ and how the program is implemented.
What is PDEIS™?
PDEIS™ is the SecurityStudio cybersecurity methodology for solving information security challenges in complex environments. The objective is to improve security effectiveness and accountability through simplification, collaboration, and resource sharing.
PDEIS™ was created primarily around these five principles:
- Complexity is the worst enemy of information security.
- Speaking the same (information security) language is critical.
- Information security roles and responsibilities must be understood.
- Information security measurement is essential to information security management.
- Justified information security budgets save money.
How The PDEIS™ Cybersecurity Methodology Works
PDEIS™ is intentionally simple, consisting of three phases and ten implementation steps.
Phase 1 – Preparation
A complex organization is the sum of its less complex components. Phase 1 is focused on preparing the organization for better information security management through simplification, organization, common language use, and empowerment.
There are five steps in Phase 1.
Step 1 – Define Entity Classifications
The first step in PDEIS™ is to define how the organization will be divided into sub entity groups (or types). No two entities are the same, and some entities are more complex than others.
Step 2 – Classify Sub Entities
The second step consists of classifying the organization’s sub entities, essentially populating each of the entity classifications with the entities.
Step 3 – Choose Starting Classification
Depending upon the size and complexity of the organization, it may be overwhelming to address all classifications at one time. As a starting point, choose one classification and the entities it contains.
Step 4 – Choose Common Language
Nothing (entities, people, computers, applications, etc.) can communicate without a common language or a translation between languages.
Step 5 – Assign Empowerment
In each sub entity, someone must be responsible for information security. Define who is responsible for information security in each entity/sub entity. These are the people who are empowered to conduct risk assessments and to make risk decisions (later). It’s acceptable to delegate tasks, but not responsibility.
Phase 2 – Assessment
There are only two steps in Phase 2, but they are very important steps. Phase 2 is primarily concerned with information gathering through risk assessments.
Step 6 – Determine Inheritance
Entities and sub entities sometimes use (or inherit) controls or resources from other entities. Determine where administrative, physical, internal technical, and/or external technical controls are inherited.
In most cases, inheritance happens in a parent/child relationship.
Step 7 – Determine Current State
Determining the current state involves conducting risk assessments for all entities within a specific classification. Risk assessments are best completed by those who were assigned empowerment (Step 5) or a delegate. The best results are obtained by working with the people closest to the source.
Phase 3 – Empowerment
The current state is now understood for all sub entities (and the classification they belong to). The risk assessments are the beginning of the risk management journey and now decisions must be made on how the risks will be handled.
The last three steps of PDEIS™ are in Phase 3.
Step 8 – Consult and Empower
Risk decisions are made closest to where they have the most impact. The people who were assigned empowerment (Step 5) and/or their delegate(s) make information security risk decisions, set priorities, establish timelines, etc.
Step 9 – Enable and Implement
The road maps that were created in Step 8 are used to determine where there are (or should be) shared resources, to justify budget, to determine the future state, etc.
Step 10 – Monitor, Support, Report, and Adjust
At this point in PDEIS™, the information security program is well understood, the plan is endorsed, and responsibilities have been assigned. As with all plans, however, there will be events that cause the plan to change over time.
For the CISO and those ultimately responsible:
• Entity and sub entity progress is tracked
• Support is provided (as necessary)
• Reporting is updated to reflect progress, and
• Adjustments are made (as necessary).
PDEIS™ is now fully operational, at least for the chosen entity classification(s). It’s time to take what was learned in the first iteration and apply it to the next classification(s) and further refine the process.
The PDEIS™ cybersecurity methodology combines the expertise of top security professionals with industry best practices to provide a straightforward roadmap for solving information security challenges in complex environments. Securing a complex environment will always be difficult, but implementing PDEIS™ in your organization can make a huge difference in simplifying the process.
Don’t forget to check out Evan’s full presentation on the concepts covered here, and stay tuned to the blog for cybersecurity news, updates, and more. If you need any assistance with the topics covered in this blog, don’t hesitate to reach out.