Map your cybersecurity gaps with the Cyber Defense Matrix

by

Security has never been more complex than it is now. At the same time, it will never be this simple again. 

When we sit down to analyze our security posture, the controls we have in place, our procedures and processes, vulnerabilities, threats, and many, many other factors, where do we start? How do we know if we’re seeing everything? What exactly is this notion of navigating security and how do we go about doing that?

Like many of us, Sounil Yu, CISO and Head of Research at JupiterOne, had these same questions. Shortly after, circa 2014, the Cyber Defense Matrix was born. Last month, JupiterOne sponsored the inaugural Cyber Defense Matrix conference – here’s what we learned.

Navigating the Cyber Defense Matrix

The Cyber Defense Matrix is built based on the NIST Cybersecurity Framework and maps:

  • The five asset classes: devices, applications, networks, data, users
  • The five operational functions: identify, protect, detect, respond, recover 
  • The degree of dependency on people, technology, and process. 

From left to right, the identify and protect columns speak to structural awareness. Situational awareness takes over in the detect, respond, and recover columns.

Left and right of "boom"

As we move from left to right, the degree of dependency on technology is inverse with the degree of dependency on people. Our dependency on process, however, remains constant throughout all five functions. This continuum helps us pinpoint where we rely on which resources. 

The Cyber Defense Matrix is like an onion

While this Matrix is broad in what it covers, it only covers the assets owned and controlled by the enterprise. Rather than creating additional rows and columns to accommodate the complexity of what we do in cybersecurity, Sounil added ‘layers’ to illustrate further intricacies.

For example, IP addresses might be in the Identify, Network cell. But are we identifying our IP addresses or the threat actor’s IP addresses? These layers can extend to third party or vendor assets, customer assets, threat actor assets, and more. 

Organization: The first step to communicating risk

At its core, the Cyber Defense Matrix is about organization. It’s a way to standardize your security data in a way where all relevant parties can collectively look at and analyze the information in a useful way. 

“All models are wrong, but some are useful.” – George Box 

The Cyber Defense Matrix can be adapted to a variety of different use cases - but Sounil states that understanding the distinctions of your audience, the words used, and the functions is crucial. Some of the use cases Sounil identifies in the Cyber Defense Matrix book include:

  • Mapping security technologies & categories
  • Security measurements and metrics
  • Developing a technological roadmap for security programs
  • Understanding security handoffs between teams
  • Investigating and rationalizing new technologies

For example, although a globe can help us understand the scale of the world we live in and its geography, it isn’t necessarily the right tool to use when you’re lost in a building and searching for a specific room. Similarly, how we communicate risk at a strategic, high-level is vastly different from how we communicate risk at an operational level. The translation layer is critical.

Let’s face it – cybersecurity gaps exist

The reality of today’s security landscape is that there are gaps everywhere - in your tech stack, in your compliance controls, or in your security team’s skill sets. The Cyber Defense Matrix can help you map your gaps for each operational function and asset class; the degree to which each cell is filled, however, depends on your organization’s size and maturity.

The Cyber Defense Matrix can be adapted for a variety of audiences from practitioners to investors, and can help organize information in a consumable, actionable way. It can stretch to inform and identify gaps in multiple areas of your security program – including measurements and metrics, resource allocation, tech investment roadmaps, business constraints, and organizational handoffs. 

To learn more about the Cyber Defense Matrix, check out Sounil’s eBook here.

Watch Sounil Yu's opening session at the Cyber Defense Matrix Conference

Tanvi Tapadia
Tanvi Tapadia

Born and raised in Raleigh, North Carolina, Tanvi is a marketer who strives to create the perfect balance between data-driven decisions and creative marketing. She is an NC State graduate who loves to explore, eat, and play with her dog Butter.

Keep Reading

Proactive IAM Security: Transforming Identity Security with Actionable Insights | Okta Integration with JupiterOne
December 19, 2024
Blog
Unlocking Proactive Security: How Okta and JupiterOne Elevate IAM Insights

Unlock proactive IAM security with Okta and JupiterOne, gaining real-time insights, enforcing least privilege, and reducing risks in dynamic cloud environments.

Transitioning from Vulnerability Management to Exposure Management | JupiterOne
December 13, 2024
Blog
Transitioning from Vulnerability Management to Exposure Management with JupiterOne

Explore Gartner's latest report on Exposure Management and learn how your organization can prioritize vulnerabilities and minimize exposures.

The Ultimate CAASM Guide for 2025 | JupiterOne
November 20, 2024
Blog
The Ultimate CAASM Guide for 2025

Discover how Cyber Asset Attack Surface Management (CAASM) is providing enhanced visibility of internal and external assets in 2025.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.