Cybersecurity pillar

Cybersecurity fundamentals

Use this primer to align control frameworks, detection engineering, exposure management, and resilience metrics so security, engineering, and business leaders can make evidence-backed decisions.

Control frameworks that anchor evidence

Select authoritative baselines so policies, audits, and regulator inquiries map to the same source controls.

  • NIST Cybersecurity Framework 2.0. Organize strategy, budget, and metrics around the Identify–Protect–Detect–Respond–Recover functions and the 106 outcome statements; use the new Govern function to show how risk appetite and supply chain policies tie to controls. Source: NIST Cybersecurity Framework 2.0.
  • ISO/IEC 27001:2022 and 27002:2022. Map Statements of Applicability, supplier clauses, and monitoring controls to Annex A’s 93 control titles and the detailed guidance in ISO/IEC 27002:2022 so auditors can trace evidence to a globally recognized baseline. Sources: ISO/IEC 27001:2022; ISO/IEC 27002:2022.
  • Sector overlays and laws. Incorporate EU DORA operational resilience chapters, U.S. SEC Regulation S-K Item 106 incident disclosure triggers, and NIST SP 800-53 Rev. 5 for U.S. federal suppliers so playbooks reflect industry-specific expectations. Sources: EU DORA; SEC Regulation S-K Item 106; NIST SP 800-53 Rev. 5.

Detection engineering foundations

Translate threat intelligence into testable content that SOC and SRE teams can maintain.

  • Threat-informed design. Map detections to MITRE ATT&CK techniques that match your adversary profile, and track coverage, testing status, and false-positive rates in a single inventory. Source: MITRE ATT&CK.
  • Countermeasure cataloging. Use MITRE D3FEND to identify supporting countermeasures and the Open Cybersecurity Schema Framework (OCSF) to normalize log fields, ensuring each rule documents the exact data source it depends on. Sources: MITRE D3FEND; Open Cybersecurity Schema Framework.
  • Continuous validation. Combine adversary emulation (e.g., Atomic Red Team) with CI/CD gates that block content changes lacking unit tests, and schedule purple-team exercises to prove detection efficacy against top ransomware TTPs. Source: NIST Cybersecurity Framework 2.0.

[Figure: Incident response flow showing detect and triage, assess and notify, contain and eradicate, recover and validate, communicate, and learn and improve, with supporting governance roles.]
Use a single incident flow that links ATT&CK-linked detections to materiality assessments, CISA playbook containment, rebuild validation, regulator notifications, and post-incident learning so evidence stays defensible.
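The single detection inventory and CI gate described above, as an added example that is not part of the original page: each rule records its ATT&CK technique, the OCSF data source it depends on and its unit tests; the gate blocks rules without tests, and the same inventory yields the scorecard KRI "% of critical techniques without active detection". The inventory schema, sample rules and critical-technique list are constructed assumptions.

```python
"""Added example, not from the original page: a CI gate over a detection
inventory in which each rule records its ATT&CK technique, the OCSF data
source it depends on and its unit tests, plus the scorecard KRI
"% of critical techniques without active detection".
The inventory schema, sample rules and critical-technique list are constructed."""
from dataclasses import dataclass, field


@dataclass
class Detection:
    rule_id: str
    technique: str       # ATT&CK technique ID the rule is mapped to
    data_source: str     # OCSF event class the rule depends on
    status: str          # "active" | "staging" | "retired"
    tests: list = field(default_factory=list)  # unit test names


# Constructed sample data; in practice the critical set comes from your
# adversary profile and the inventory from the detection backlog.
CRITICAL_TECHNIQUES = {"T1059", "T1486", "T1078", "T1021"}
INVENTORY = [
    Detection("R-001", "T1059", "process_activity", "active", ["t_encoded_cmd"]),
    Detection("R-002", "T1486", "file_activity", "active", []),
    Detection("R-003", "T1078", "authentication", "staging", ["t_new_geo_login"]),
    Detection("R-004", "T1110", "authentication", "active", ["t_spray_window"]),
]


def gate_violations(inventory):
    """Rule IDs the CI gate must block: missing tests or missing data source."""
    return sorted(d.rule_id for d in inventory if not d.tests or not d.data_source)


def coverage(inventory, critical):
    """Return (covered, uncovered) critical techniques. Only active rules that
    pass the gate count; staging or untested rules are not coverage."""
    active_ok = {d.technique for d in inventory
                 if d.status == "active" and d.tests and d.data_source}
    covered = critical & active_ok
    return covered, critical - covered


def kri_uncovered_pct(inventory, critical):
    """Scorecard KRI: percentage of critical techniques with no active detection."""
    _, uncovered = coverage(inventory, critical)
    return round(100.0 * len(uncovered) / len(critical), 1)
```

Running the gate against the sample inventory blocks R-002 (an active ransomware-technique rule with no test), and the KRI shows three of the four critical techniques uncovered, because a staging rule does not count as coverage.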

Exposure management and attack surface hygiene

Reduce exploitable conditions by pairing asset intelligence with exploit-led prioritization.

  • Unified asset census. Maintain a reconciled inventory of cloud accounts, identities, endpoints, and internet-facing services so exposure findings can be tied to an accountable owner; align with NIST CSF 2.0 asset management outcomes and ISO/IEC 27001:2022 control A.5.9 (inventory of information and assets). Sources: NIST Cybersecurity Framework 2.0; ISO/IEC 27001:2022.
  • Exploit-aware prioritization. Rank vulnerabilities with a blend of CVSS v3.1 metrics, EPSS likelihood, and whether an issue appears in CISA’s Known Exploited Vulnerabilities catalog; document SLOs that follow NIST SP 800-40 guidance for timely patching. Sources: Exploit Prediction Scoring System; CISA KEV; NIST SP 800-40 Rev. 4.
  • Software supply chain hardening. Require software bills of materials (SBOMs), signed artifacts, and vulnerability notification clauses from suppliers to satisfy DORA Article 28 and ISO/IEC 27036 guidance on supplier relationships. Sources: EU DORA; ISO/IEC 27036.

[Figure: Circular attack surface reduction loop covering asset census, exposure intake, exploit-aware prioritization, remediation windows, validation and monitoring, and reporting.]
Tie the exposure lifecycle to CISA KEV deadlines, BOD 22-01 timers, CVSS v4.0 and EPSS risk scoring, and NIST CSF outcomes so owners can defend remediation decisions with measurable evidence.
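The exploit-aware prioritization and remediation-window step of the loop above, as an added example that is not part of the original page: findings are tiered by KEV membership and exposure first, then EPSS likelihood, then CVSS severity, each tier maps to a remediation window, and findings with no accountable owner are reported separately because they invalidate SLA metrics. The tier rules, window lengths, sample findings and CVE-0000-* identifiers are constructed placeholders, not real policy or real CVEs.

```python
"""Added example, not from the original page: exploit-aware ranking of
vulnerability findings that blends CVSS v3.1, EPSS and CISA KEV membership,
assigns a remediation window and separates findings with no accountable
owner. Tier rules, windows, CVE IDs (placeholders) and findings are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Finding:
    cve: str
    asset: str
    owner: Optional[str]   # accountable owner from the asset census, if any
    cvss: float            # CVSS v3.1 base score
    epss: float            # EPSS probability of exploitation, 0..1
    in_kev: bool           # listed in CISA KEV
    internet_facing: bool

# Constructed remediation windows in days; a real policy documents these per
# NIST SP 800-40 and uses the due date CISA publishes with each KEV entry.
WINDOWS = {"P1": 14, "P2": 30, "P3": 90, "P4": 180}

FINDINGS = [  # constructed; CVE-0000-* are placeholders, not real identifiers
    Finding("CVE-0000-0001", "web-01", "team-web", 9.8, 0.92, True, True),
    Finding("CVE-0000-0002", "db-07", "team-data", 7.5, 0.04, False, False),
    Finding("CVE-0000-0003", "vpn-02", None, 8.1, 0.61, False, True),
    Finding("CVE-0000-0004", "ws-113", "team-eu", 5.3, 0.02, False, False),
    Finding("CVE-0000-0005", "erp-01", "team-erp", 6.5, 0.35, True, False),
]

def tier(f: Finding) -> str:
    """Known-exploited and exposed first, then likelihood, then severity alone."""
    if f.in_kev and f.internet_facing:
        return "P1"
    if f.in_kev or f.epss >= 0.5:
        return "P2"
    if f.cvss >= 7.0 or f.epss >= 0.1:
        return "P3"
    return "P4"

def plan(findings, today: date):
    """Return ([(cve, asset, tier, due_date)], [unowned cves]). Unowned items
    are reported apart because they invalidate SLA metrics."""
    unowned = [f.cve for f in findings if f.owner is None]
    ranked = sorted((f for f in findings if f.owner is not None),
                    key=lambda f: (tier(f), -f.epss, -f.cvss))
    return [(f.cve, f.asset, tier(f), today + timedelta(days=WINDOWS[tier(f)]))
            for f in ranked], unowned
```

Note that the KEV item with a modest CVSS score (6.5) outranks the CVSS 7.5 finding, and the unowned VPN finding never receives a due date until the census assigns an owner.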

Resilience patterns and metrics

Engineer recoverability and measure whether safeguards meet board, regulator, and customer expectations.

  • Cyber resiliency constructs. Apply NIST SP 800-160 Vol. 2 practices such as diversity, redundancy, segmentation, and elasticity to critical systems so they can continue to operate under attack. Source: NIST SP 800-160 Vol. 2 Rev. 1.
  • Backup and recovery assurance. Align backup frequency, immutability, and restoration tests with NIST SP 800-34 for continuity planning; publish recovery time objectives (RTO) and recovery point objectives (RPO) alongside evidence of recent restore drills. Source: NIST SP 800-34 Rev. 2.
  • Resilience KPIs and KRIs. Track mean time to detect (MTTD), mean time to contain (MTTC), time to patch exploitable vulnerabilities, control coverage against NIST CSF outcomes, and service availability SLOs; use ISO/IEC 27004 guidance to ensure metrics are defined, measured, and reviewed consistently. Sources: ISO/IEC 27004:2024; NIST Cybersecurity Framework 2.0.

Control checklist for defensible coverage

Use this practitioner checklist to confirm each capability has an owner, runbook, and logged evidence before audits or tabletop tests.

Foundation and governance

  • Control mapping complete. All NIST CSF 2.0 outcomes mapped to ISO/IEC 27001 Annex A controls with RACI, exceptions register, and compensating controls documented.
  • Asset and identity census. Unified inventory for devices, cloud accounts, service principals, and third-party connections with ownership, criticality, and supporting logs defined.
  • Supplier assurances. SBOM intake, signing validation, vulnerability notifications, and attestation cadence aligned to DORA Article 28 and SOC 2 / ISO evidence packages.
  • Backup immutability and drills. Gold, silver, bronze tiers with immutable backups, isolated credentials, and quarterly restore tests covering ransomware and destructive attack scenarios.

Detection, response, and hardening

  • Detection content lifecycle. ATT&CK-linked rules with data-source requirements, tests, peer review, deployment approvals, and retirement criteria captured in a single backlog.
  • Exposure remediation. Risk-based SLAs for KEV items, EPSS-driven prioritization, and compensating controls for deferred fixes with sign-off from the accountable owner.
  • Identity protections. Tiered MFA resilience patterns (phishing-resistant where possible), step-up triggers for privileged actions, and passwordless pilots recorded with rollback plans.
  • Incident automation. SOAR playbooks with human-in-the-loop checkpoints for containment, eradication, and regulator notifications; evidence vault links for lessons learned.

Cross-reference the hardening tasks against the Security Operations Modernisation guide, the Exposure Management guide, and recent SOAR incident response briefs so playbooks reflect the latest regulator and threat intel expectations.

KPI and KRI scorecard

Track outcome-focused indicators that withstand scrutiny from boards, regulators, and insurers.

Focus area: Detection engineering
  • KPIs: Detection coverage by ATT&CK technique; rule test pass rate; mean time to promote rules from staging to prod.
  • KRIs: False-positive rate over 24h; % of critical techniques without active detection; failed detection tests per sprint.
  • Evidence sources: Detection backlog; CI logs; purple-team reports; IR automation guide.

Focus area: Exposure management
  • KPIs: Median remediation time for KEV items; % assets with owner; % internet-facing services covered by authenticated scans.
  • KRIs: Exploit availability before patch; orphaned assets; deferred fixes breaching SLA; repeat findings by asset class.
  • Evidence sources: Vulnerability platform exports; CMDB reconciliations; Exposure maturity guide.

Focus area: Identity & access
  • KPIs: % privileged identities using phishing-resistant MFA; break-glass account drills completed; access reviews closed on time.
  • KRIs: Unmanaged tokens/keys; dormant privileged accounts over threshold; conditional access policy bypasses.
  • Evidence sources: IAM logs; review attestations; Identity threat detection guide.

Focus area: Resilience
  • KPIs: RPO/RTO adherence in quarterly tests; backup restore success rate; tabletop exercise completion rate.
  • KRIs: Failed restores; critical services lacking runbooks; incidents exceeding regulatory notification windows.
  • Evidence sources: BCP/DR drill reports; notification runbooks; NIS2 supply chain guide.

Implementation pitfalls to avoid

  • Framework sprawl. Running overlapping control catalogs without a single mapping causes audit drift; pick one evidence spine (e.g., NIST CSF to ISO/IEC 27001 mapping) and retire redundant lists.
  • Alert-only fixes. Detection tuning without fixing root-cause exposures drives toil; link every detection gap to an exposure or hardening task with an accountable owner.
  • Unverified automation. SOAR playbooks deployed without test cases or human checkpoints can disrupt production; require sandbox validation and rollback hooks before enabling auto-containment.
  • Unowned shadow assets. Internet-facing services or cloud identities without clear ownership invalidate SLA metrics and regulator responses; enforce ownership tags and disablement timers by default.
  • Recovery without evidence. Backups that restore but lack immutability proofs, chain-of-custody logs, or credential segregation will not satisfy ransomware claims or audits; capture evidence alongside each drill.

Validate fixes against the identity threat hunting briefs and the Incident Response modernization guide to keep playbooks defensible.