[Posted on Behalf of Dennis Leber Cybersecurity Executive | CISO | Board Member | Educator | Speaker | Author ]
METT-T is an acronym for planning patrol mission utilized by the US Marine Corps. This acronym is also very useful when applied to planning Information Security.
Let 's take a look at each part, and apply that to our Information Security.
M is Mission; the mission is at the center of your analysis. The mission dictates the approach you take in designing your security controls. If you are tasked with protecting HIPAA compliant data you may take one approach in comparison to the approach you would take to protect payment card data.
E is enemy; understanding your enemy's strategies, and tactics enable you to create an information intelligence picture of adversaries to your enterprise (threat hunting & threat modeling). You must account for the effect an enemy attack will have on your enterprise.
Understanding the enemy and giving a clear picture of the enemy helps leaders determine how to destroy enemy threats. Leaders need to look at potential threats, then prepare plans (Incident response), conduct rehearsals on responses with the business, and ensure each member of the team is prepared to defeat those threats.
T is terrain and weather; Terrain and weather are effects on the enterprise, they should not dictate mission success. The terrain in our case is the parts of the enterprise that must be crossed, and are considered when determining how the team members will react, or cause them challenges when protecting or responding to events.
If there is difficult "terrain" that offers cover and/or concealment, the enemy will use it to their advantage. Leaders should plan for additional equipment, and support considerations such as vendor support, hardware acquisition, and manual operations until technical solutions are restored to mitigate advantages the "terrain" provides to the enemy.
The effects of terrain, and weather must planned for no matter what the operation calls for.
T is Troops and support; The leader determines how the controls are organized based on the capabilities of the organization. This is accomplished by taking into account the assets, equipment, supporting vendors, and resources.
Leaders should not forget two additional factors; what are the adjacent business units capabilities, and what supporting capabilities are available through out the life-cycle of the security process. If you communicate your intentions others will lend support to your success.
T is Time and availability; in the Military patrol world there are three items, actionable, priority, routine. These mean different things to patrol, but applying this to Information Security, we desire to have plans that are actionable, create actionable responses, are based on priority of the assets/systems/data. In regards to routine; we strive to automate routine events so time is freed up to focus on more important tasks.
.png)
Comments