Develop a concept map that links the “normal” cybersecurity or information security incident response process to the laws, regulations, or policies that pertain to business.
A concept map is a visual representation of ideas and how they relate to each other. Concept maps can take many forms:
- Mind maps often take one central idea and decompose it, branch by branch, layer by layer. The user can start in the center bubble (with the main idea) and work their way around the layer of subordinate and surrounding bubbles, each of which is part of explaining or exploring the main idea.
- Outlines (such as indented outlines that you might do for a writing task) are mind maps in a linear fashion.
- Process concept maps show the links between the steps of a logical process and the concepts or ideas that support it. Those concepts or ideas may be what enable the user of the concept map to move from one logical state on the concept map to another by reflecting business logic, constraints, or success criteria.
Concept maps can combine elements of many styles of charts, diagrams, or visualization techniques.
Mapping Different Kinds of Ideas in Different Ways
Organizations have many information models of what the organization is, what it does, how it does it, and the value it achieves in doing so, such as:
- Organizational charts
- Strategic, tactical, and operational plans (as PERT, Gantt, or critical path diagrams; or as the data that drive project management systems)
- Balanced scorecards (to relate processes to KPIs to strengths, weaknesses, opportunities, and threats)
- Business logic models, including high-level process flow diagrams, detailed internal logic, and flows involving customers, suppliers, financial services, or compliance regimes
- Relationship diagrams that show how functions within the organization fit together with other external organizations or people
- Risk management models (which link threats or vulnerabilities to objectives, processes, or assets)
- Timelines of different scales can combine elements from all of these information models
Drivers to Policies to Processes to KPIs
- Some organizations map out how external and internal drivers (such as regulatory requirements or strategic goals) trace to specific policy statements, how those policy statements apply to key processes, and how that should (all things being equal) drive through to clearly defined ways to measure and evaluate the key performance indicators (KPIs) associated with those processes. Remember, KPIs don’t show “what did the process do”; they show “did the process achieve the overarching, important objective?”
- More importantly, such a concept map can show how and where the “bang for the buck” comes from by threading together all of the elements of making the business case for spending more (or just doing things in better ways). Processes and tasks (the work the organization’s people do) should exist only because they’re satisfying a goal, an objective, or a compliance constraint, after all; mitigating risk is one such goal.