Skip to Main Content
March 24, 2020

Crossover Sec: Breaking Down the Silos

Written by Rockie Brockway
Business Risk Assessment Program Development Security Program Assessment Virtual CISO

People who know me well, or who saw the Derbycon 6 talk I gave with Adam Hogan, "Adaptation of the Security Sub-Culture," know of my non-InfoSec hobby and history of playing in loud bands that recorded and toured across the U.S. and Canada, mostly in the 90s. It was music in the 80s that had the most influence on me, everything from the big metal bands like Judas Priest and Iron Maiden to the small hardcore punk bands like Minor Threat and Bad Brains. Hindsight is 20/20, so what happened in the middle of that decade makes total sense to me now, but at the time it was mind-blowing. The metal bands started playing faster and the hardcore bands started getting heavier. The blended result of the two genres became commonly known in the music industry as 'Crossover'.

The Crossover analogy seems fitting when discussing InfoSec today. For well over two decades, security consulting has been divided into its own two big genres. For simplicity's sake, we'll label them 'Technical Services' and 'Advisory Services,' since that's what we call them here at TrustedSec. The Technical Services team performs technical assessments like Penetration Testing, Red/Purple/Blue Teaming, Application Assessments, Incident Response, etc. The Advisory Services team performs mostly non-technical assessments like program and controls assessments, regulatory-related audits and readiness assessments, risk assessments, and ongoing strategic engagements like Virtual Chief Information Security Officer (vCISO) programs. This siloed approach to security consulting evolved organically over time, and to this day there is very little overlap.

I've spent my career straddling the two genres, looking for ways to not only improve overall security consulting value, but also trying to think outside of the box and push back against formulaic industry methods and standards that have either run their course or otherwise need to be improved upon, often to the consternation of my colleagues. :) A good example of this is the concept of 'risk'. Aside from the fact that many security professionals continue to refer to Program and Controls Assessments as 'Risk Assessments,' today's risk frameworks mostly live in the Advisory Services genre. This makes a lot of sense, since one of the primary goals of a Risk Assessment is to provide leadership a clear picture of the organization's current risk landscape, including questions like:

  • What are the critical systems that help facilitate a successful business model?
  • What are the likely or unlikely negative events that could affect the organization's ability to conduct business?
  • What would be the likely financial ramifications if one of the negative events actually occurs?

These questions can then be weighed against the associated risk tolerances of the executives, and board, to determine if the potential of one of the negative things happening is enough to warrant additional investments.

Here is where the concept of Crossover comes into play. The best way to maximize InfoSec value for a business is by aligning the technical processes associated with the protection of business-critical data with business' needs, valuations, and goals. At TrustedSec, one-way Crossover is realized is through our Business Risk Assessment, which is a blended solution of both Technical and Advisory Services.

In order to gauge the potential impact of a negative event, an understanding of the organization's critical systems is necessary, as well as an understanding of the organization's loss thresholds. This data is typically gathered through conversations with line of business leadership across the business, can be used to model expected loss scenarios, and can be relatively straight forward. Input from across many of the multiple lines of businesses within an organization makes for a more accurate value model.

Risk Assessments must also look at the threat landscape. Personally, I like much of the Factor Analysis of Information Risk (FAIR) Risk Management framework, which has a variable called Threat Capability (TCAP). TCAP tends to be a little too vague for my tastes, and by default doesn't take into consideration variables like industry targeting, active techniques, and threat-actor sophistication or motivation, which are important players in the risk derivation process. The TCAP topic will be presented in a webinar in the near future, so stay tuned.


We now have a dataset related to an organization's critical systems and a dataset related to adversarial information like competition and threat-actor groups working in specific industries. The end goal in our Risk Assessment is to derive the likelihood of negatives happening to the organization's extremely important systems, and determining expected financial outcomes to the business if negative events were to happen. Therefore, if we're trying to gauge likelihood, we need to model simulated 'bad' things. In other words, we need to simulate the threat actor's likely actions.

When looking at what type of adversary simulation will return the best value for a client within a Risk Assessment, it is important to have an understanding of roughly how mature an organization's security program is. Does the organization have dedicated security personnel or a Security Operations Center (SOC)? These are good places to start. I prefer using Internal Penetration Tests and Red Team engagements for these Risk Assessment purposes, handing off both the business-critical systems (targets) and adversarial data (techniques) to the technical teams as the starting point for a very real-world simulation.

When the technical teams have completed their engagements, we'll have a couple of additional variables that will be used in the final risk calculations, including attack complexity, or the difficulty of the successful attack chain that was used to breach the critical system(s). The combination of these additional datasets gives us an enhanced set of variables to add to existing risk frameworks like FAIR, resulting in improved likelihood and impact calculations.

These additional Crossover datasets should be standard components of more comprehensive, technology-focused Risk Assessments. They contribute to the derivation of more precise and accurate risk ratings that the business can better use to plan short, mid, and long-term investments, to protect the organization's ability to conduct business and generate revenue, as well as allowing the business to take a risk and continue to innovate.

Organic business growth has a tendency to lead to security program growth inside of technical bubbles, typically disconnected from the needs of the business. This can lead to organizational confusion between people, processes, and technology, potentially resulting in a greater likelihood of security incidents and business disruptions. InfoSec Crossover is intended to facilitate the next step in the evolution of aligning security with the business since the inability to conduct business has direct financial ramifications.

At TrustedSec, innovation is a crucial component of our value proposition, as well as staying on the cutting edge of the security and risk world. Crossover is certainly an example of that and is not limited to the Business Risk Assessment detailed in this post. Look out for some of TrustedSec's other offerings that have adapted to bridge the siloed genres and provide even more value to businesses.

Innovation itself can be inspired from virtually anything, including, in this case, a small sub-culture of music. Don't be afraid to be inspired by whatever moves you. Those smaller ideas, ideals, and innovations can be blended back into the mainstream to break down barriers, improve existing concepts, and add value.