The Map of Cybersecurity Domains (version 2.0)

Update (March 2021): The Map of Cybersecurity Domains Version 3.0 published. Link here.

About the Map version 1.0

A week ago, I posted a picture of a mind-map that I created just called "The Map of Cybersecurity Domains (v1.0)." The map was put together as a way to clear my head by fully immersing myself in the world of cybersecurity day-in and day-out for the past few years, and constant reminder that just how complex and vast the subject can be. 

To the people outside of cybersecurity world, even to the people who are involved with cybersecurity, they often form their viewpoints that sometimes are limited by their understanding, and confined by the functions of their roles. 

How many times a cyber security practitioner such as myself when mentioning to other people what I do, and other people would response by one of the followings:

a) oh, you are a hacker, can you break into my computer? haha,

b) ok, I got it, you are doing something with computers...   

When you visit a new city, a new country, or a new place, you usually want to get a hold of a map to orient yourself. Why not a map for the world of cybersecurity? Over the years, as a trained network architect, I always liked to draw diagrams to  convey complex designs or ideas to share with other people, so this skill comes pretty handy in the cyber world.

The map version 1.0 was published on LinkedIn as a photo not as an article. Within days, the post went viral, with over 180,000 views in about a week of time and still counting. I received many constructive feedbacks from LinkedIn community that I felt so compelled to publish an updated version of the map that to:

- incorporate some really good advices from the people who had read my original post; 

- correct misspelled words; 

- properly explain what the map is about, and what it is not about;

- share the map in other file format (PDF, free mind-map app, etc.) so the information can be distributed and modified more easily. 

Here is the map version 1.1, an interim updated version before the latested version 2.0.

The World of Cybersecurity Map version 2.0

The map is about capturing key areas of cybersecurity practice in interconnected ways. The practice of cybersecurity is not just about "hacking." With the map, one should realize that hacking, perhaps a more appropriate definition of such activities should be "authorized penetration test" which is a sub-domain under "Risk Assessment," or under a another sub-domain called "Active Defense" under "Security Operation."

Three file formats are available for downloading: (PDF, FreeMind Map file, SimpleMind Map File). Cybersecurity Map 2.0.

Map files download

The map is not based on a particular standard or framework. However, being a CISSP myself, you can certainly see some of familiar components from ISC2. For example, Security Engineering and Security Operations.

The map is based on my personal views on the subject. It represents how I see those domains, and sub-domains should be put together, in logical and meaningful ways. You might disagree with my viewpoint, but that's how I see things. Sometimes I might agree with you, in that case I will modify the map and thank you for your thoughtful input.

The map was designed purposely not to include specific control categories for the most part unless the controls are important enough to stand out on they own. Neither specific objects are mentioned, i.e. type of users, applications, computers, IoT devices, etc. In this regard you will not see firewall, IDS/IPS, end-point-protection, anti-malware/anti-virus, web proxy, DDoS remediation, UBA/UEBA, etc. being explicitly mentioned. They are however, are being implicitly included under respective domains or sub-domains such as governance, security architecture, security operation, detection, prevention, etc.

Security Architecture vs. Security Operations

Some questions were asked about why certain items fit one domain but not the other? In my opinion, things that can fit under "Security Architecture" are the items that being planned, designed and implemented as the "platforms." Whereas the items under "Security Operation" are the activities that are repeatable following established SOPs (standard operating procedures.)

Sometimes one sub-domain may fit under multiple parent domains, in which case I will place it under the domain that is the most logical; sort of like CISSP exam: two answers could be both right for a single question, but you must select the one the is most appropriate. To my fellow CISSPs, you know what I mean :)  

The thought process here is that if we ought to include every product category in the world of cybersecurity, the map would become too big to be manage and readers can lose focus quickly. 

The purpose of the map is for it to be used to drive high-level conversations with people inside and outside of cybersecurity field, with your engineers, your cybersecurity analysts, with board members, with C-level executives, with business owners, with students who want to enter the IT or cybersecurity field, with vendors who often pitch their product as the "magic bullet."

Given the specific industry that I am in, and the fact I work for a US-based financial firm, the map inevitably is influenced by the US regulations and laws pertaining the financial industry. Some of domains or sub-domains such as 3rd Party Risk, User education, Data Leakage Prevention are results of published FINRA and SEC guidelines on cybersecurity. With this post however you shall be able to access the original mind-map files so that you can modify the map to fit with your specific industry and region as you see fit.

The map, this time around, is properly published as an article as opposite to a picture - I have learned from my previous mistake that once you posted a picture on LinkedIn you cannot really modify it, especially it contains several typos :)

So what's next?

Perhaps each domain on the map can be expanded upon with additional branches as separate visual guides; take Governance domain for example, it just has so much a talk about. Maybe those will be my future projects. 

Update (Feb 28, 2017)

Thanks to the efforts of Yolanda Baker, CISA at Chubb, the map is now available in Spanish! It was a great collaborative effort with Yolanda, and with many other people who kindly provided me with constructive feedbacks to make the map more complete.

Please click here to download the Spanish version of map in PDF format.

Credits

Jourdane Hamilton, thank you for suggesting to include the Physical Security domain which is an important domain that I missed. This domain is now added. And thank you Annie Dabbada for supporting this idea as well, along with few other key points you made under comment section.

Thank you the following people who spotted typos with map version 1.0: Sebastian Taphanel, Rex DeLacy, Joanne Boucher, Eleanor K. Meltzer, Gary Warner.

Courtney Adante, thank you for suggesting include reporting under Governance, I have added the "Reports and Scorecards /Risk-informed//KPIs/KRIs" sub-domain there.

Shawn NicolenVery, I added COBIT under Framework and Standard domain.

Yolanda Baker, thank for offering to translate the map into Spanish!

Joe Franscella, "Active Defense" is now added under Security Operation domain. 

Divyesh Solanki, excellent point on adding "Code review / scan" under Risk Assessment, it is done!

Suid Adeyanju, as per your suggestion, swapping places between "Security Engineering" and "Security Architecture." It makes more sense that way, the architecture is more border than engineering. 

Alister Whitehat, thank you for understanding the views of this map represent and sharing them with others.

Mirena Taskova, thank you for sharing the map within your network earlier on! 

Chris Joyce, thanks for you sticking up for me in the comment section.