About This Project - Cyber City Map

# About This Project ![[CCM-150-Logo.png|center]] ## Overview This [Cyber City Map](Cybersecurity.md) (CCM) project is aimed at providing an industry reference that makes cybersecurity easier to understand and implement from a business perspective. An organization's security needs are met by aligning strategic, core, and supporting security controls to build the proper amount of adversary resilience. Using concepts from Enterprise Architecture, we intend to develop a general set of capabilities as a cybersecurity capability map. We call this a ***city map*** because it provides a framework for finding and using capabilities as needed to support business goals. Capability maps are essential for bridging between business needs and complex capabilities, such as cybersecurity, to achieve value. This project is meant to be additive and is not intended as a replacement for other industry initiatives. It has been established via a working group and is an ongoing project. ## Goals > [!goal 1] > **A Benchmark** - We seek to establish a benchmark set of cybersecurity capabilities that can be used to measure cybersecurity investments. > [!goal 2] > **A Bounded Model** - Cybersecurity has become a bit of a dumping ground for business hygiene issues. We feel strongly that a set of explicit cybersecurity capabilities must be established to provide insights into the value of great cybersecurity. > [!goal 3] > **Target State** - We aim to make it easier to discuss the target state of adversary resilience and bring pragmatism to cybersecurity measurement. ## Process We began our journey with this Cyber City Map by identifying core cybersecurity needs and processes, then converting these to use a capability naming convention of Noun-Verb. In the early part of this journey, we knew that the Cyber City Map would present opportunities for refinement and provide a tool for debate. This map is meant to be used by organizations that opt for cybersecurity to be part of everything it does and where adversary resilience is intended to be a measurable outcome, similar to availability. ```mermaid flowchart LR A[1. Cyber Strategy] --> B[2. Needs Analysis] B --> C[3. Documented Capabilities] C --> D[4. Mapped Compliance] D --> E[5. Mapped Overlays] ``` 1. **Cyber Strategy** - To build this framework, we developed a basic generic cybersecurity strategy for reducing the impact of cyber attacks on any organization to form a generic capability map. 2. **Needs Analysis** - Using the Cyber City Map, we analyzed several public strategies and use cases to determine capability needs. 3. **Documented Capabilities** - We used what we learned to document a set of generic cybersecurity capabilities. 4. **Mapped Compliance** - We mapped compliance requirements to this model to enable compliance-driven insights. 5. **Mapped Overlays** - Functional overlays are developed to make it easier to align resources and skills to increase the value of capabilities. Using this methodology, the Cyber City Map is a tool that an organization can leverage to evaluate its cybersecurity capabilities from an industry-wide lens. Using this Cyber City Map, an organization can evaluate what it has as cybersecurity capabilities and then establish a roadmap for evolving these capabilities as needed. ## Collaboration >[!question] How can I collaborate? >Interested in collaborating with us? If you are interested in following us, reviewing, or contributing, you can find our page on **LinkedIn**: [Cyber City Map](https://www.linkedin.com/showcase/cybercitymap). Use the **✈️ Message** button to DM us with your interest. We review the inbox every Wednesday. Our working group has this high-level [[Roadmap]] for our efforts and will continue to evolve this project to help the industry make use of it. We are currently at an early stage with this work and meet weekly to move it forward. ## Exclusions >[!tip] >More important than what is in this capability map is what is not in this capability map. We have explicitly defined a narrow interpretation of Cybersecurity capabilities to take care of adversary abuse cases within an organization. Our aim is not to duplicate what other capabilities do but to ensure all organizational capabilities are resilient by design to ensure cybersecurity is part of targeted value streams. Keeping with the principles of Enterprise Architecture and the development of capability maps. Although the Cyber City Map looks a bit like an org chart, it is not and should not be used as one. Capabilities are unique and should not be replicated across a business even though processes and functions can be duplicated for the purpose of efficiency or other business reasons. Also, an org chart should not influence a capability map. A capability map is built based on strategy. It provides what a organization must do to fulfill on its strategy. It is our belief that security capabilities required to protect and defend a specific capability belong with that capability in its part of the the business capability map. As such, we purposely excluded capabilities from the Cyber City Map that belong elsewhere. This capability map is meant to address what must be done to support cybersecurity versus moving detail-level security needs from other business capabilities into cybersecurity. Most organizations will need to adjust this map to meet their needs. ## Inspiration & Resources + https://pubs.opengroup.org/togaf-standard/business-architecture/business-capabilities.html + https://architect.salesforce.com/diagrams/template-gallery/business-capability-map + https://medium.com/intuit-engineering/is-your-data-lake-more-like-a-used-book-store-or-a-public-library-f444ef6a1798 + https://en.wikipedia.org/wiki/MECE_principle + https://dodcio.defense.gov/Library/DoD-Architecture-Framework/ + https://www.isaca.org/resources/news-and-trends/industry-news/2017/developing-business-capabilities-using-cobit-5 + [Cybersecurity Capability Maturity Model to NIST Cybersecurity Framework Mapping | NCCoE](https://www.nccoe.nist.gov/news-insights/cybersecurity-capability-maturity-model-nist-cybersecurity-framework-mapping) ## [Cyber City Map](https://cybercitymap.com/) © 2023-2024 by [ThirdScore, Inc.](https://thirdscore.com/) All Rights Reserved.