In the middle of the 20th century, psychologist Abraham Maslow developed a hierarchy of human needs model in which basic needs, like food and water, must be met before higher needs, like self-esteem and self-actualization, can be explored. Maslow employed a pyramid to display this hierarchy.
Maslow’s hierarchy of needs can readily be applied to cybersecurity. Before moving up the hierarchy, organizations need to get the foundational elements of cybersecurity right.
Cybersecurity Hierarchy of Needs
Alex Clayton, security and continuity manager at 3i, suggests a four-layered controls pyramid for the cybersecurity hierarchy of needs. These control layers include:
- Preventative Controls
At the bottom of the cybersecurity pyramid lies preventative controls, such as the physical security of IT systems, patching of known vulnerabilities, and the security training of employees. When your primary data center room door is always open, what’s the point of an advanced security tool? If your employees click on phishing emails, what’s the point of having an expensive security system? Mike Lefebvre, Director of Cybersecurity at SEI Sphere, recommends adding asset and log management to the bottom of the pyramid. If you don’t know where your assets are and what they are doing, you can’t secure them, he argues.
- Detective Controls
Next up the pyramid, detective controls, which spot suspicious behaviors and stop them from harming your organization. Detective controls can spot software and hardware anomalies so that further disruption can be avoided. Intrusion detection systems and antivirus software provide protection at this level.
- Deterrent Controls
On top of detection controls are deterrent controls that discourage people from violating security policies, for example, by putting up warning signs. Deterrent controls let potential attackers know that the security system will use all its available weapons if they try to attack. An example of a deterrent control is a proxy server that redirects users to a warning page when they try to access a restricted site.
- Corrective Controls
After that, there are corrective controls to mitigate the damage from a breach. A corrective control restores the system to its normal state after a security breach. For example, a disaster recovery plan helps you respond and recover if a ransomware attack happens.
These layers should work together to protect your organization. The bottom layers need to be addressed first, providing a solid foundation for your cybersecurity program. Only then can the other layers function effectively to create a robust cybersecurity posture.
Looking to meet your organization’s cybersecurity hierarchy of needs? MBL Technologies can help. We offer a wide array of cybersecurity services to identify weaknesses in your security posture and implement cost-effective, targeted solutions. Contact us today to get started.
