When we talk about creativity, the mind goes to sculptors, musicians, and dancers. We think about the art of turning a blank canvas into a beautiful work of art. As we move the discussion to technology, we often talk about graphic design, web development, and game design, but we are here to tell you that creativity has a vital role to play in cybersecurity. If you don’t think that exploit writers are thinking creatively about how they might inject code into your business’s applications to make them return the crown jewels, you and I need to have a serious chat.
Here are some other places where creativity shows up in cybersecurity:
- Creative and innovative thinking is how the next firewall algorithm, log analytics tool, code debugger, etc., will be conceived.
- In digital forensics, thinking creatively may help you locate necessary evidence hidden on a disk.
- An essential part of a threat hunter’s job is to use cunning and creativity to predict where an attacker may have left some tracks.
Creativity is essential for driving innovation, solving problems, and responding to the myriad of emergent threats in the field of cybersecurity. Creativity can be applied at the individual level or across cultures to solve problems. A creative mindset empowers individuals to adapt, think outside the box, and make connections that otherwise wouldn’t be seen.
As a CISO
Operating as an executive over the cybersecurity organization, the CISO can apply creativity in areas such as strategic planning, budgeting, and cultural engagement. Strategy is developed looking forward and is subject to a wide range of inputs, and every situation is unique. A creative CISO is not simply pulling down and re-using off-the-shelf plans, policies, and playbooks to get the job done. Creativity comes in adapting existing mental models, building upon them, and contextualizing them.
Budgeting is another area where creativity is key. Needs continue to grow and budgets do not expand at a commensurate rate. Security teams are almost always in a position of trying to figure out how to do more with less. This may take the form of eliminating low-performing programs or unused tools. It might also take the form of integration across tools and processes to expand coverage. Depending on the organizational dynamics, there may also be opportunities to capture funding from other sources, such as budget pooling with other departments.
Mental models such as the Cyber Defense Matrix can be a tremendous tool in evaluating budgets and resources. There are numerous ways to map a program onto the matrix: teams, people, tools, and budget percentage each provide a unique perspective on how a program is organized.
As a Pentester
Penetration testing, also known as ethical hacking, is a crucial aspect of cybersecurity, simulating attacks on live systems. One of the most important skills for a penetration tester is creativity, even compared to the wide range of technical abilities one must have. Finding vulnerabilities can be done through a checklist-style approach, but that is rapidly becoming commoditized through vulnerability scanning tools. The value of a penetration test comes from outside-the-box thinking, vulnerability chaining, and developing new attack techniques altogether.
Creativity is also embodied in the process of thinking like an attacker, a personification often associated with red teaming. What would that adversary do? What would they be motivated to exploit? What capabilities would they likely have? Would they prefer a fast and destructive approach or a low and slow one to achieve their goals? These are all questions that a tester may need to consider and adapt to, depending on the nature of an engagement.