Cyber Strategy: Risk-Driven Security

and Resiliency 1st Edition Carol A.

Siegel
Visit to download the full and correct content document:
https://textbookfull.com/product/cyber-strategy-risk-driven-security-and-resiliency-1st-
edition-carol-a-siegel/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...

Handbook of System Safety and Security Cyber Risk and

Risk Management Cyber Security Threat Analysis
Functional Safety Software Systems and Cyber Physical
Systems 1st Edition Edward Griffor
https://textbookfull.com/product/handbook-of-system-safety-and-
security-cyber-risk-and-risk-management-cyber-security-threat-
analysis-functional-safety-software-systems-and-cyber-physical-
systems-1st-edition-edward-griffor/

Building a corporate culture of security : strategies

for strengthening organizational resiliency 1st Edition
Sullivant

https://textbookfull.com/product/building-a-corporate-culture-of-
security-strategies-for-strengthening-organizational-
resiliency-1st-edition-sullivant/

Industrial Control Systems Security and Resiliency

Practice and Theory Craig Rieger

https://textbookfull.com/product/industrial-control-systems-
security-and-resiliency-practice-and-theory-craig-rieger/

Cyber Security for Cyber Physical Systems 1st Edition

Saqib Ali

https://textbookfull.com/product/cyber-security-for-cyber-
physical-systems-1st-edition-saqib-ali/
Cyber Security Erickson Karnel

https://textbookfull.com/product/cyber-security-erickson-karnel/

Practical Vulnerability Management A Strategic Approach

to Managing Cyber Risk 1st Edition Andrew Magnusson

https://textbookfull.com/product/practical-vulnerability-
management-a-strategic-approach-to-managing-cyber-risk-1st-
edition-andrew-magnusson/

Transdisciplinary Perspectives on Risk Management and

Cyber Intelligence 1st Edition Luisa Dall'Acqua

https://textbookfull.com/product/transdisciplinary-perspectives-
on-risk-management-and-cyber-intelligence-1st-edition-luisa-
dallacqua/

Cyber Security The complete guide to cyber threats and

protection 2nd edition Sutton

https://textbookfull.com/product/cyber-security-the-complete-
guide-to-cyber-threats-and-protection-2nd-edition-sutton/

Cyber Physical Computing for IoT driven Services 1st

Edition Vladimir Hahanov (Auth.)

https://textbookfull.com/product/cyber-physical-computing-for-
iot-driven-services-1st-edition-vladimir-hahanov-auth/
Cyber Strategy: Risk-Driven
Security and Resiliency
 Cyber Strategy

Risk-Driven Security and Resiliency

Carol A. Siegel
Mark Sweeney
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2020 by Taylor & Francis Group, LLC

CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works

Printed on acid-free paper

International Standard Book Number-13: 978-0-367-33945-6 (Paperback)

978-0-367-45817-1 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable
efforts have been made to publish reliable data and information, but the author and publisher cannot
assume responsibility for the validity of all materials or the consequences of their use. The authors and
publishers have attempted to trace the copyright holders of all material reproduced in this publication
and apologize to copyright holders if permission to publish in this form has not been obtained. If any
copyright material has not been acknowledged please write and let us know so we may rectify in any
future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced,
transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or here-
after invented, including photocopying, microflming, and recording, or in any information storage or
retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.
copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC),
222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-proft organization that
provides licenses and registration for a variety of users. For organizations that have been granted a
photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are
used only for identifcation and explanation without intent to infringe.

Visit the Taylor & Francis Web site at

http://www.taylorandfrancis.com

and the CRC Press Web site at

http://www.crcpress.com
Contents
Author Biographies ................................................................................................ xiii

Chapter 1 Why Cybersecurity and Cyber Resiliency Strategies

Are Mandatory for Organizations Today .............................................1
1.1 The Value Proposition ...............................................................2
1.2 The 6 STEPs for Developing and Maintaining
a Cybersecurity and Cyber Resiliency Strategy........................2
1.3 Cybersecurity and Cyber Resiliency Strategy
Key Players ................................................................................3
1.4 Initiating the Strategy................................................................4
1.5 Triggers to Create a Corporate Cybersecurity
and Cyber Resiliency Strategy ..................................................4
1.6 Information Security vs. Cybersecurity ....................................5
1.6.1 Information Security ....................................................5
1.6.2 Cybersecurity ...............................................................6
1.7 Cyber Resiliency vs. Traditional Resiliency..............................6
1.8 Cybersecurity and Cyber Resiliency Strategy
Life Cycle ..................................................................................9
1.9 Cyber Strategies vs. Cyber Programs........................................9
1.10 Cybersecurity and Cyber Resiliency Programs
for Organizations..................................................................... 11
1.11 Cybersecurity and Cyber Resiliency Architecture:
Standards and Frameworks ..................................................... 12
1.11.1 Enterprise Information Security Architecture ........... 13
1.11.2 Regulatory Security Architecture .............................. 14
1.11.3 Introduction to the NIST Cybersecurity
Framework (CSF) ....................................................... 14
1.12 Cyber Program Preplanning.................................................... 16
1.13 Technical Areas of Concentration for a Cyber Program......... 16

Chapter 2 The 6 STEPs in Developing and Maintaining a Cybersecurity

and Cyber Resiliency Strategy ........................................................... 19
2.1 STEP 1: Preplanning: Preparation for Strategy
Development ............................................................................ 19
2.1.1 Corporate Culture and Organizational
Analysis ...................................................................... 19
2.1.2 Matrixed Organizational Structure ............................ 21
2.1.3 Siloed Organizational Structure................................. 22
2.1.4 Enabling the Organization for Strategy Adoption ....... 23
2.1.5 Forming a Steering Committee..................................24

v
vi Contents

2.1.6 Creating Strategic Plan Critical Success Factors .......25

2.1.7 Designating a Project Manager
for the Steering Committee........................................25
2.1.8 Developing Steering Committee Tasks......................25
2.1.9 Establishing Corporate Business Values....................26
2.1.10 Determining the Mission/Vision, Principles,
and Strategic Objectives for Cybersecurity
and Cyber Resiliency .................................................26
2.1.10.1 Mission/Vision............................................ 27
2.1.10.2 Cyber Program Principles ..........................28
2.1.10.3 Strategic Objectives ....................................28
2.2 STEP 2: Strategy Project Management ................................... 29
2.2.1 Initiatives for Cybersecurity
Strategic Objectives.................................................... 29
2.2.2 Initiatives for Cyber Resiliency
Strategic Objectives.................................................... 31
2.2.3 Creating a Strategy Project Charter ........................... 33
2.2.4 Aligning the Strategy with Other Existing
Corporate Strategies and Corporate
Business Objectives.................................................... 33
2.2.5 Developing a Strategic Plan Overview
Reporting Template ....................................................34
2.2.6 Determining Work Efforts .........................................34
2.2.7 Strategy Timeline ....................................................... 36
2.2.8 Strategy Swimlane ..................................................... 37
2.2.9 NIST CSF Initiative Mapping .................................... 37
2.2.10 The Final Strategy Document Deliverable................. 39
2.3 STEP 3: Cyber Threats, Vulnerabilities,
and Intelligence Analysis ........................................................ 39
2.3.1 Cyber Threats............................................................. 39
2.3.1.1 Cyber Threat Risk Reporting .....................40
2.3.2 Threat Intelligence, Identifcation,
and Modeling..............................................................40
2.3.3 Vulnerabilities ............................................................40
2.3.3.1 Asset Related Vulnerabilities ..................... 41
2.3.3.2 Vulnerability Severity Risk Reporting ....... 41
2.4 STEP 4: Cyber Risks and Controls ......................................... 41
2.4.1 Cyber Risk Category Defnitions for Business .......... 41
2.4.2 Risk Appetite and Risk Tolerance.............................. 42
2.4.3 Cyber Risk Measurement Methodologies .................. 42
2.4.3.1 Cyber Risk Management ............................ 42
2.4.3.2 Cyber Risk Calculation...............................44
2.4.4 Controls ...................................................................... 45
2.4.5 Cyber Insurance ......................................................... 45
2.5 STEP 5: Assessing Current and Target States......................... 47
2.5.1 Types of Assessments................................................. 47
Contents vii

2.6 STEP 6: Measuring Strategic Plan Performance

and End of Year (EoY) Tasks ..................................................48
2.6.1 Cyber Key Risk Indicators (KRIs) and Key
Performance Indicators (KPIs)................................... 48
2.7 Governance Cycles and Processes........................................... 51
2.8 Proposing New Initiatives to Mitigate Threats
and Reduce Risk...................................................................... 52
2.8.1 Cybersecurity and Cyber Resiliency
Reporting – Yearly Report Example .......................... 52
2.8.2 Refning the Strategy over Time – End of
Year (EoY) Tasks ....................................................... 54
2.8.2.1 Gathering Data to Measure
Strategy Performance ................................. 54
2.8.2.2 Creating Yearly Reports to Show
Performance................................................ 54
2.8.2.3 Determining New Initiatives
for the Following Year ................................ 54
2.8.2.4 Perform Various Project Management
Tasks ........................................................... 54
2.9 Checklists and Templates ........................................................ 55
Notes...................................................................................................55

Chapter 3 Strategy Project Management ............................................................ 57

3.1 Vision to Initiative Flow .......................................................... 57
3.2 Strategy Project Charter .......................................................... 58
3.3 Strategy Preparation Checklist................................................ 58
3.4 Strategy Timeline .................................................................... 58
3.5 Strategy Gantt Chart................................................................60
3.6 Strategy Swimlane................................................................... 62
3.7 Data Flow Diagrams for STEPs 2, 3, 4, 5, and 6 .................... 62
3.8 RACI Strategy Development Matrix....................................... 65
3.9 NIST CSF Initiative Mapping ................................................. 65
3.10 The Final Strategy Deliverable................................................ 65

Chapter 4 Cyber Threats, Vulnerabilities, and Intelligence Analysis ................ 75

4.1 Threats in the Context of a Cybersecurity
and Cyber Resiliency Strategy ................................................ 76
4.1.1 Defnition of a Threat ................................................. 77
4.1.2 Evolution of Cyber Threats ........................................ 77
4.1.2.1 The Early Stages of Cyber Threats............. 77
4.1.2.2 Present-Day and Future Cyber
Threat Actors .............................................. 77
4.1.3 Types of Threats and Actors ...................................... 79
4.1.3.1 Script Kiddies ............................................. 79
4.1.3.2 Hacktivists .................................................. 79
viii Contents

4.1.3.3 Organized Crime Groups ........................... 80

4.1.3.4 Nation-States...............................................80
4.1.3.5 Insider Threats ............................................ 81
4.1.3.6 Artifcial Intelligence Powered Threats ........81
4.1.4 Threat Intelligence, Identifcation,
and Modeling.............................................................. 82
4.1.4.1 MITRE ATT&CK ...................................... 83
4.1.4.2 Threat Intelligence, Identifcation,
and Modeling within a Strategy
and a Program............................................. 83
4.1.4.3 Monitoring for Threats ...............................84
4.1.4.4 Reporting on Threat Intelligence................ 85
4.2 Vulnerabilities ......................................................................... 86
4.2.1 Open Web Application Security Project
(OWASP) Application Security Vulnerabilities ......... 87
4.2.2 Identifying Vulnerabilities ......................................... 88
4.2.2.1 Modern-Day Vulnerability
Management Issues..................................... 88
4.2.3 Asset-Related Vulnerabilities..................................... 89
4.2.4 Common Vulnerability Scoring
System (CVSS) ........................................................... 90
4.2.5 Vulnerabilities in the Context of a Strategy ............... 91
4.3 Cyberattacks ............................................................................92
4.3.1 Common Types of Cyberattacks ................................92
4.3.2 Typical Types of Losses Due to Cyberattacks ........... 93
Notes........................................................................................94

Chapter 5 Cyber Risks and Controls................................................................... 95

5.1 Cyber Risk............................................................................... 95
5.1.1 Cyber Risk Framework .............................................. 95
5.1.2 Risk Category Defnitions .......................................... 95
5.1.3 Risk Tolerance and Risk Appetite..............................97
5.1.3.1 Risk Appetite ..............................................97
5.1.3.2 Risk Tolerance ............................................ 98
5.1.3.3 Risk Appetite vs. Risk Tolerance................ 98
5.1.4 Cyber Risk Measurement Methodologies .................. 98
5.1.4.1 US National Institute of Standards
and Technology’s Special
Publications 800-30 ...................................99
5.1.5 A NIST 800-30 Cyber Risk Assessment
Example.................................................................... 100
5.1.5.1 NIST Risk Descriptions
for Government Entities............................ 105
5.1.5.2 NIST Adversarial Threat Ratings............. 105
Contents ix

5.1.6 Other Well-Known Cyber Risk Assessment

Methodologies .......................................................... 105
5.1.6.1 ISACA Risk Framework – Risk IT .............106
5.1.6.2 The International Organization
for Standardization/International
Electrotechnical Commission’s
(ISO/IEC) 27000 ...................................... 106
5.1.6.3 A Guide to the Project Management
Body of Knowledge (PMBOK® Guide) ......107
5.1.6.4 Open Web Application Security
ProjectTM (OWASP) Risk Rating
Methodology............................................. 108
5.1.6.5 Committee of Sponsoring
Organization of the Treadway
Commission (COSO) Enterprise
Risk Management (ERM) ........................ 110
5.1.6.6 Factor Analysis of Information
Risk (FAIR) .............................................. 110
5.1.6.7 Carnegie Mellon® Risk Quantifcation
Method (CM RQM) .................................. 113
5.1.7 Risk Disclosure: The Securities and
Exchange Commission (SEC) Guidance
on Risk (Feb 2018) ................................................... 113
5.2 IT Controls............................................................................. 114
5.2.1 Main Functions of Controls...................................... 115
5.2.2 Maturity of Controls................................................. 115
5.2.3 The Center for Internet Security Critical
Security Controls...................................................... 116
5.2.4 Auditing of Information Technology (IT) Controls...... 116
5.3 Cyber Insurance..................................................................... 117
5.3.1 Risk Transfer ............................................................ 118
Notes.................................................................................................119

Chapter 6 Current and Target State Assessments ............................................. 121

6.1 Introduction to Assessments.................................................. 121
6.2 Current State Assessments .................................................... 122
6.2.1 Categories of Assessments ....................................... 122
6.2.1.1 Self-Assessments ...................................... 123
6.2.1.2 External/Third-Party Assessments........... 127
6.2.1.3 Audits (Internal & External) .................... 127
6.2.2 Frameworks, Industry Standards, Regulations,
and Models ............................................................... 128
6.2.2.1 NIST Cybersecurity Framework
Core Identifers and Categories ................ 128
x Contents

6.3 Conducting a Current State Assessment ............................... 128

6.4 Unmapped Initiatives Discussion .......................................... 135
6.5 Target State Assessment ........................................................ 135
6.5.1 NIST CSF Target States ........................................... 137
6.6 How to Rate Current and Target States................................. 140

Chapter 7 Measuring Strategic Plan Performance and End of Year

(EoY) Tasks ...................................................................................... 145
7.1 Evaluating the Strategy Against the Critical
Success Factors ..............................................................................146
7.2 Key Risk Indicators (KRIs)................................................... 146
7.3 Key Performance Indicators (KPIs) ...................................... 146
7.4 Reporting on the Strategies ................................................... 150
7.4.1 Cybersecurity and Cyber Resiliency Initiatives
Mapped to NIST CSF Subcategories ....................... 150
7.4.2 Cybersecurity Initiatives NOT Mapped
to the NIST CSF....................................................... 150
7.4.3 Initiative to CSF Mapping Per Objective ................. 150
7.4.4 Strategic Plan Progress Reports – Cybersecurity
and Cyber Resiliency ............................................... 152
7.4.5 Current State to End of Year and Target State
Maturity Tier Rating ................................................ 152
7.4.6 Preparation of the EoY Performance Report ........... 152
7.5 Determining New Initiatives for the Next Year .................... 155
7.6 End of Year Tasks.................................................................. 157
7.6.1 Defne the Strategy’s Pyramid Parameters
for Following Year.................................................... 158
7.6.2 Create the Timeline for Following Year................... 158
7.6.3 Confrm Steering Group Member
Composition ............................................................. 159
7.6.4 Distribute EoY Performance Reports
to Senior Management.............................................. 159
7.6.5 End of Year Steering Committee
Responsibilities RACI .............................................. 159
7.6.6 Ensure Compliance with Regulations ...................... 159
7.6.7 Complete Governance Hoops................................... 160
7.6.7.1 Governance Organization Diagram.......... 161
7.6.7.2 Strategy Governance Body RACI ............ 161
7.6.7.3 Governance Approval Swimlane
for the Cybersecurity and Cyber
Resiliency Strategy ................................... 161
7.6.8 Cybersecurity and Cyber Resiliency Strategy
Life Cycle ................................................................. 161
Contents xi

Chapter 8 Checklists and Templates to Help Create an Enterprise-Wide

Cybersecurity and Cyber Resiliency Strategy ................................. 165
8.1 Guides to Strategy Preparation.............................................. 165
8.2 STEP 1: Preplanning: Preparation for Strategy
Development .......................................................................... 167
8.2.1 Preplanning Checklist .............................................. 167
8.2.2 Mission/Vision, Principles, Strategic
Objectives, and Initiatives Pyramid ......................... 168
8.2.3 Analyze Organizational and Cultural
Structure.......................................................................168
8.2.4 RACI Completion for STEP 1.................................. 169
8.2.5 Critical Success Factors Validation.......................... 169
8.2.6 Evaluate Organizational Readiness.......................... 169
8.3 STEP 2: Strategy Project Management ................................. 169
8.3.1 Project Charter ......................................................... 169
8.3.2 RACI Completion for STEP 2.................................. 169
8.3.3 Complete RACI Development for the
Steering Committee Tasks ....................................... 173
8.3.4 Data Flow Analysis for STEP 2 ............................... 173
8.3.5 Develop Draft Final Deliverable Table
of Contents ............................................................... 173
8.4 STEPs 3 and 4: Cyber Threats, Vulnerabilities,
Intelligence Analysis, Risks, and Controls............................ 173
8.4.1 RACI for STEPs 3 and 4: Cyber Threats,
Vulnerabilities & Cyber Risks, and Controls........... 173
8.4.2 Data Flow Analysis for STEPs 3 and 4.................... 173
8.4.3 Incidents to Controls Mapping ................................. 173
8.5 STEP 5: Current and Target State Assessments.................... 179
8.5.1 RACI for STEP 5: Current and Target State
Assessments.............................................................. 179
8.5.2 Data Flow Analysis for STEP 5:
Current and Target State Assessments ..................... 179
8.5.3 Performing a Quantitative Risk Assessment............ 179
8.6 STEP 6: Measuring Plan Performance
and EoY Tasks ...........................................................................189
8.6.1 Checklist for STEP 6: End of Year Tasks ................ 189
8.6.2 RACI for STEP 6: Measuring Plan
Performance and EoY Tasks .................................... 189
8.6.3 Data Flow Diagram for STEP 6:
Measuring Strategic Plan Performance
and EoY Tasks .......................................................... 189
8.6.4 Derive the Critical Success Factors.......................... 189
8.6.5 Review the Key Risk Indicators and Key
Performance Indicators ............................................ 191
xii Contents

8.6.6 Strategic Plan Reporting Template........................... 191

8.6.7 Initiative to CSF Mapping Per Objective ................. 194
8.6.8 Cybersecurity and Cyber Resiliency
Yearly Report ........................................................... 194
8.6.9 Governance Hoops ................................................... 194
8.6.10 Governance Approval Organization
Hierarchy.................................................................. 194
8.6.11 Governance Approval RACI .................................... 196
8.6.12 Governance Approval Swimlane ............................. 196
8.7 Assembling the Full Project RACI........................................ 199
8.8 Chapter 8 Downloadable Files .............................................. 199
Author Biographies
Carol A. Siegel is a Cybersecurity strategy and IT Risk
Management professional with over 30+ years’ experi-
ence. Carol earned her BS in Systems Analysis Engineering
from Boston University in 1971, and her MBA in Computer
Applications from New York University in 1984. She has
CISSP, CISA, and CISM certifcations from ISC2 and
ISACA, respectively. Carol has coauthored one of the frst
books on Internet security, a book for Microsoft on Windows
NT Security, as well as numerous articles for Auerbach
Publications on information security and risk management. Carol has worked for
many Fortune 50 fnancial services companies in the Banking, Insurance, Big Four,
and Pharma sectors and has held several Chief Information Security Offcer (CISO)
positions. Most recently, Carol worked for the Federal Reserve Bank of New York.

Mark Sweeney is a Cybersecurity and Cyber Resiliency profes-

sional with over 5 years of experience in strategizing and imple-
menting risk-based cybersecurity and cyber resiliency programs.
Mark earned his BS in Security & Risk Analysis – Information
& Cyber Security from Penn State University in 2014. Mark
has worked in Big Four consulting companies and the Financial
Services Industry as a Cybersecurity and Cyber Resiliency
expert, and he is currently a cyber insurance underwriter.

xiii
 1 Why Cybersecurity
and Cyber Resiliency
Strategies Are Mandatory
for Organizations Today
Cybersecurity and cyber resiliency are the number one concerns for companies
today. Organizations must protect their assets and defend against threats and attacks
in order to stay in business. A break-in or breach can destroy a company’s assets
and/or reputation in a matter of minutes. Readiness is key, so that if the unthinkable
happens, your company will have the tools and action plans to counter and recover
from the attack.
Developing a cybersecurity and cyber resiliency strategy that supports the busi-
ness and is resource effcient requires strategic planning. Most organizations lack
the necessary experience to conduct the appropriate planning required to streamline
efforts, while minimizing risks, as they strive toward their long-term strategic busi-
ness objectives.
The cybersecurity profession is growing exponentially. Although there are numer-
ous universities and technical schools that provide degrees in these new felds, they
are not teaching how to develop a strategy: one that is unifying – that allows an orga-
nization to develop a risk-based, effcient, and targeted effort that will be approved
by top company management.
The cyber resiliency feld is even younger, evolving from the traditional felds of disas-
ter recovery and business continuity. It is, however, not fne-tuned to the cybersecurity
threats of today and struggles to identify and prepare for the threats of tomorrow. There
is much more growth that must happen in this arena in order for organizations to feel
comfortable with their cyber programs in an age of persistent and advancing threats.
In larger organizations, pockets of cybersecurity and cyber resiliency can be
found in company silos such as specifc business units. A business unit or silo can
have its own information security and disaster recovery/business continuity strat-
egy that may or may not roll up into an enterprise-wide effort. Also, if a company
has acquired other companies and joined additional networks, each legacy company
or business unit will surely have their own policies, procedures, standards, and/or
frameworks they follow. All of these strategies may have conficting goals and not
focus on the highest priority business objectives.
In order to respond to today’s threats in a cohesive manner, communications and
threat intelligence must utilize a common language and risk metrics. Defning a
taxonomy for risks, threats, vulnerabilities, and controls will facilitate an effective
and measurable response.
1
2 Cyber Strategy: Risk-Driven Security and Resiliency

1.1 THE VALUE PROPOSITION

This book will provide concepts, processes, roadmaps, project development tools,
and reporting templates to be used by any type of company in order to develop their
enterprise-wide cybersecurity and cyber resiliency strategies. This book delivers a
methodology for companies to bring together their disassociated strategic planning
efforts into one corporate-wide strategy that will effciently utilize resources, target
high risk threats, evaluate resultant risk mitigation efforts, while engaging buy-in
across the corporate culture, senior management, business silos, and diverse busi-
ness interests. A mid-level manager, as well as a CISO or CIO, can use this book to
create very real strategies that can be published by the Board of the company and
approved by their supervisory entities. By using the unifying techniques discussed
later, the strategy sponsor can assimilate strategies from other areas of the com-
pany that may be in development and align and/or incorporate them into a central
enterprise-wide strategy.
The book will discuss the steps and tasks required from conception of the strategy
through its planning, creation, success and performance measurement techniques,
management reporting, and planning for future ongoing efforts.

1.2 THE 6 STEPS FOR DEVELOPING AND MAINTAINING

A CYBERSECURITY AND CYBER RESILIENCY STRATEGY
In order for an organization to develop and maintain its cybersecurity and cyber
resiliency strategy, there are 6 major STEPs that should be taken. If performed, the
organization’s cybersecurity and cyber resiliency strategy will be comprehen-
sive, functional, long lasting, and have continued buy-in and support from senior
management. They are:

1. STEP 1: Preplanning: Preparation for Strategy Development

2. STEP 2: Strategy Project Management
3. STEP 3: Cyber Threats, Vulnerabilities, and Intelligence Analysis
4. STEP 4: Cyber Risks and Controls
5. STEP 5: Current and Target State Assessments
6. STEP 6: Strategic Plan Performance Measurement and End of the Year (EoY)
Tasks

The 6 Development and Annual Maintenance STEPs for a Cybersecurity and

Cyber Resiliency Strategy (Figure 1.1) show a sequential representation of the
6 STEPs required.
Each of the 6 STEPs will be discussed in detail throughout the book and meth-
odologies presented for their approach and execution. NOTE: In striving to keep
applicability of the strategy particulars and processes presented here current
and continuously timely, the authors have decided to make this book technology
agnostic, thereby not dating any particular technology, objective, initiative, or
conclusion.
Why Cybersecurity and Cyber Resiliency Strategies Are Mandatory 3

FIGURE 1.1 The 6 Development and Annual Maintenance STEPs for a Cybersecurity and
Cyber Resiliency Strategy.

1.3 CYBERSECURITY AND CYBER RESILIENCY

STRATEGY KEY PLAYERS
What job functions and management levels of people in an organization might need
this information? The most obvious people would be any one in the information
security, cybersecurity, cyber resiliency, business continuity/disaster recovery, and
resiliency areas that are tasked with developing a strategic action plan to combat
cyber threats and attacks over the longer term. This would include, but not be limited
to, such roles as shown in Table 1.1.

TABLE 1.1
Cybersecurity and Cyber Resiliency Strategy Key Players
Developers, Approvers, or Readers
1. Chief Information Security Offcer (CISO)
2. Chief Information Offcer (CIO)
3. Chief Technology Offcer (CTO)
4. Cyber/Security Architect
5. Cyber/Security Engineer
6. Security Administrator
7. Cyber/Security Manager
8. Security Software Developer
9. Security Incident Responder
10. Cryptographer
11. Cybersecurity/Resiliency Consultant
12. Data Security Strategist
13. Chief Resiliency Offcer
14. Business Continuity Analyst
15. Disaster Recovery Manager
16. Resiliency Engineer
17. Business Preparedness and Resiliency Program Manager
18. Global Resiliency Project Manager
4 Cyber Strategy: Risk-Driven Security and Resiliency

However, it is not just the security professionals who need to be concerned with
a cyberattack. Increasingly more regulations are demanding accountability from
senior management when there is a breach. Not just CISOs and CIOs, but also
Chief Operating Offcers (COO) and Chief Executive Offcers (CEO) can be legally
liable. Every level up the food chain can be deemed responsible and might have to
pay penalties.

1.4 INITIATING THE STRATEGY

In fact, any one of the above job roles might have already initiated a cybersecurity
or cyber resiliency strategy independently. From a top down perspective, it is clearly
easier if a strategy is created and approved from a senior manager or c-level position
as that level of management can authorize and dedicate the appropriate resources to
the task more easily. In addition, a c-level or senior vice president frequently inter-
faces with governing boards and oversight bodies and is more apt to get buy-in more
quickly. However, if the strategy is assigned to a subject matter expert (SME) further
down the food chain, this approach will give him/her all the information and steps
necessary to work the strategy up the corporate structure and get all the relevant
participants involved.
Optimally, a corporate strategy needs to be unified in a top down approach
from senior levels, in order to profit from synergies and alignment with business
objectives and resources. However, from a bottom up perspective, if a mid-level
manager needs to create a strategy, it is strongly advisable that he/she needs to
engage and obtain senior management buy-in from the beginning. This can be
done via networking, making presentations and awareness sessions, participat-
ing in relevant committees, arranging targeted meetings, and setting specific
agenda items. Proposing a strategy to senior management should include how
the strategy meets overall corporate objectives and aligns with other existing
strategies throughout the organization. The list of players that can initiate a
strategy can be expanded to literally any group in an organization that needs to
develop a long-term strategy, as the objective of this book is to provide the pro-
cess and approach by which to formulate the strategy and gain its wide-spread
adoption.

1.5 TRIGGERS TO CREATE A CORPORATE CYBERSECURITY

AND CYBER RESILIENCY STRATEGY
Within any organization there most assuredly exists pressure to create a cyberse-
curity and cyber resiliency strategy. There is simply too much press for companies
not to realize that they need a written strategy, together with procedures in case
of an attack or breach. In summary, pressures to create a cybersecurity and cyber
resiliency strategy (“the strategy”) can include the following triggers as shown in
Why Cybersecurity and Cyber Resiliency Strategies Are Mandatory 5

TABLE 1.2
Cybersecurity and Cyber Resiliency Strategy Triggers
Reactive Triggers Proactive Triggers
1. Press release 1. Absence of a strategy
2. Cyber threat 2. Unifcation of strategies
3. System hack or breach 3. Cyber intelligence
4. Assessment report 4. Regulatory requirement
5. Audit fnding 5. Business controls
6. Legal issue

Table 1.2. In the case of a signifcant security event or an audit fnding, the organi-
zation will need to move quickly to satisfy this gap.

1.6 INFORMATION SECURITY VS. CYBERSECURITY

In some organizations, cybersecurity is used synonymously with information secu-
rity, but they are not the same thing. Some basic defnitions are in order here.

1.6.1 INFORMATION SECURITY

Information security is defned as the protection of information and information
systems from unauthorized access, use, disclosure, disruption, modifcation, or
destruction in order to provide confdentiality, integrity, and availability. According
to the International Organization for Standardization (ISO), the model, commonly
referred to as “7 ISO principles” is comprised of seven principles: confdentiality,
integrity, availability, non-repudiation, accountability, authenticity, and reliability.
Confdentiality means that the information should not be made accessible or dis-
closed to unauthorized individuals, entities, or processes. Integrity is the property
of safeguarding the accuracy and completeness of assets. Availability means the
property of being accessible and usable upon demand by an authorized entity. Non-
repudiation means the ability to prove the occurrence of an action in such a way that
the action cannot be repudiated later. Accountability denotes the property which
ensures that the identity of the individual, with any type of action, in the informa-
tion system can be traced. Authenticity refers to entities such as users, processes,
systems, and information. Reliability means consistency in the intended behaviors
and results.
The three principles most widely referred to – confdentiality, integrity, and avail-
ability are known as the CIA Triad. This model is designed to guide policies and
standards for information security within organizations. Figure 1.2 shows the CIA
Security Triad.
6 Cyber Strategy: Risk-Driven Security and Resiliency

FIGURE 1.2 CIA Security Triad.

1.6.2 CYBERSECURITY
As defned by the National Initiative for Cybersecurity Careers and StudiesTM
(NICCS), Cybersecurity is strategy, policy, and standards regarding the security of
and operations in cyberspace, and encompassing the full range of threat reduction,
vulnerability reduction, deterrence, international engagement, incident response,
resiliency, and recovery policies and activities, including computer network opera-
tions, information assurance, law enforcement, diplomacy, military, and intelligence
missions as they relate to the security and stability of the global information and
communications infrastructure.
In general, cybersecurity is the ability to protect or defend the cyberspace user
from cyberattacks. Based on the defnitions, cybersecurity is contained within infor-
mation security. Figure 1.3 shows the overlapping areas of information security and
cybersecurity.

1.7 CYBER RESILIENCY VS. TRADITIONAL RESILIENCY

Cyber resiliency is a new and emerging feld that has become front and center
with the recent acceptance of the reality that it is no longer if, but when a cyber-
attack will occur. Due to this realization, the industry has imported traditional
business continuity concepts into the suite of cyber activities and morphed them
Why Cybersecurity and Cyber Resiliency Strategies Are Mandatory 7

FIGURE 1.3 Information Security vs. Cybersecurity.

to ft the needs of a cyber program. This may not be the best approach in creating
a cyber program.
The main goal of a cyber resiliency program within an organization is to develop
an array of optimal alternatives for meeting the organization’s mission if a cyberat-
tack is to occur – to become resilient from the impacts of a cyberattack. As Figure 1.4
shows, cyber resiliency spreads security, business continuity, and resiliency across a
suite of disciplines that organizations must consider in order to be resilient in the face
of advancing and persistent cyber threats.
There are many defnitions of cyber resiliency depending on the nature of the
mission that the organization wants to assure. Below are several defnitions.
Cyber resiliency is:

1. The ability of the organization to achieve its mission even under degraded
circumstances as defned by the Computer Emergency Response Program
(CERT).
2. The organization’s ability to adapt to risk that affects its core operational
capacities. Operational resiliency is an emergent property of effective oper-
ational risk management, supported and enabled by activities such as secu-
rity and business continuity. A subset of enterprise resiliency, operational
resiliency focuses on the organization’s ability to manage operational risk,
8 Cyber Strategy: Risk-Driven Security and Resiliency

FIGURE 1.4 The Components of Cyber Resiliency.

whereas enterprise resiliency encompasses additional areas of risk such as

business risk and credit risk as defned by the CERT.
3. The ability to quickly adapt and recover from any known or unknown
changes to the environment through holistic implementation of risk
management, contingency, and continuity planning as defned by NIST
SP 800-34.
4. The ability to continue to: (i) operate under adverse conditions or stress,
even if in a degraded or debilitated state, while maintaining essential
operational capabilities; and (ii) recover to an effective operational pos-
ture in a time frame consistent with mission needs as defned by NIST
SP 800-37.

While some of the defnitions vary, the main goal of cyber resiliency is to prepare
the organization so that executives, board members, employees, and perhaps even
the general public, can be confdent that the IT systems supporting the business will
complete their designated mission, while under and after an attack.
Figure 1.5 shows the overlapping areas of cybersecurity and cyber resiliency.
Why Cybersecurity and Cyber Resiliency Strategies Are Mandatory 9

FIGURE 1.5 Cybersecurity vs. Cyber Resiliency.

1.8 CYBERSECURITY AND CYBER RESILIENCY

STRATEGY LIFE CYCLE
One of the more differentiating qualities of a cyber strategy from a cyber program
is its repeatability or life cycle characteristic. As the 6 STEPs to strategy creation
and then subsequent maintenance show, the life cycle starts with assessment, then
strategy creation, after that performance management of the strategy and ultimately,
the establishment of new initiatives based on the performance of the prior year’s ini-
tiatives. The process then repeats itself, most likely yearly. Each of the main thrusts
of the life cycle have subcomponents that will be expounded upon throughout the
following chapters. Figure 1.6 shows a graphical representation of this life cycle.

1.9 CYBER STRATEGIES VS. CYBER PROGRAMS

There can be a lot of confusion on the differences between a cyber strategy and
a cyber program. A program is a list of steps that are or will be taken to accom-
plish specifc goals and objectives. A strategy is a list of objectives and fulfllment
approaches derived in advance to be achieved at a future time; a future oriented
activity that can be represented by a roadmap of actions that it will take to accom-
plish specifc tasks or goals.
A strategy is more comprehensive than a program and is not operational in nature.
A strategy has a large scope and may consider multiple approaches in order to achieve
the desired target state. A strategy presents the reasons as to why a particular path
is taken—the program outlines the how. A strategy is developed before the program
and will direct the program.
10 Cyber Strategy: Risk-Driven Security and Resiliency

FIGURE 1.6 Cybersecurity and Cyber Resiliency Strategy Life Cycle.

A program is a collection of projects or initiatives and is generally long term

and operational in nature. A program can consist of a portfolio of projects that have
similar goals or objectives. A program is developed after strategic objectives are for-
mulated. The program is comprised of many projects or initiatives that help achieve
those strategic objectives.
Cybersecurity and cyber resiliency strategies begin with overarching missions
and/or visions of the organization. The strategy may also require principles. The
principles are technology agnostic and may be general in nature. The objectives
are derived from the principles and can be one-to-many in nature. Supporting the
objectives are the projects or initiatives. Each project or initiative has a project plan
or roadmap. A department, functional area, or enterprise can have cyber programs
Why Cybersecurity and Cyber Resiliency Strategies Are Mandatory 11

TABLE 1.3
Attributes of Cyber Strategies and Cyber Programs
Attribute Cyber Strategy Cyber Program
1. Strategic in Nature ✓
2. Operational in Nature ✓
3. Multi-Year ✓ ✓
4. Repetitive Life Cycle ✓
5. Contains Mission and/or Vision ✓
6. Contains Principles ✓
7. Contains Objectives ✓ ✓
8. References Projects/Initiatives ✓ ✓
9. Implements Projects/Initiatives ✓

that encompass one or more cyber strategies and/or cyber programs. The objective
of this book is to help organizations to incorporate top-down approaches to develop-
ing their cyber strategies. Different cyber programs can then be developed according
to organizational structure and objectives. Table 1.3 highlights the major differences
between the two.

1.10 CYBERSECURITY AND CYBER RESILIENCY

PROGRAMS FOR ORGANIZATIONS
However, cybersecurity and cyber resiliency programs can consist of many of the
same elements as shown in Figure 1.7.
A cybersecurity/cyber resiliency program is ongoing and always operational
within the organization. It is built over time and refned as needed depending on
security threats/risks and business needs. A program includes defned initiatives,
procedures, and controls. It defnes not only technical but managerial, operational,
legal, and regulatory measures. It is built to address the organizational pillars of
people, process, and technology. The program is constructed utilizing security archi-
tecture principles, so that there can exist technical uniformity and resiliency from a
ground up perspective incorporating controls at the data, operating system, applica-
tion, network, Internet, and cloud levels. These controls maintain the systems quality
attributes of classic CIA plus accountability and assurance. Both the cybersecurity
strategy and program(s) are based on a corporate vision and principles. Where the
cybersecurity program differs from the cybersecurity strategy is that the program
is ongoing, and providing for and creating the actual technical security infrastruc-
ture for the organization, while the cybersecurity strategy, based on intelligence and
risk-based threat analysis, proposes strategic objectives that can vary over time. In
order to satisfy these strategic objectives, specifc initiatives must be crafted and
implemented. These initiatives over time may infuence the cybersecurity posture
and underlying enterprise security architecture, resulting in changes in technology
and processes.
12 Cyber Strategy: Risk-Driven Security and Resiliency

FIGURE 1.7 Cybersecurity and Cyber Resiliency Program Components.

1.11 CYBERSECURITY AND CYBER RESILIENCY

ARCHITECTURE: STANDARDS AND FRAMEWORKS
A documented enterprise-wide security architecture is critical in establishing the
foundation for any cyber program. The security architecture generally would be
developed by the Information Technology (IT), Architecture, and/or Engineering
groups. Having an enterprise security architecture has many critical business and
technical benefts, some of which are listed in Table 1.4.

TABLE 1.4
Benefts of an Enterprise Cyber Architecture
Business Benefts
• Alignment with enterprise objectives
• Remain current with changing requirements
• Minimize risk through technical choices
• Detect and react to threats more quickly
• Separation of duties
Technical Benefts
• Provide resilient services
• Security and Resiliency by design
• Network segmentation to provide containment
• Provide isolation and redundancy
• Ensure availability
• Address threats with technology choices
• Defense in Depth
Why Cybersecurity and Cyber Resiliency Strategies Are Mandatory 13

Without a cybersecurity or cyber resilient architecture, the applicable tools

and techniques would not be able to be deployed to prevent or recover from a
cyberattack.

1.11.1 ENTERPRISE INFORMATION SECURITY ARCHITECTURE

Security procedures and products are, of course, critical to maintaining a security
and resilient infrastructure, but more foundational to the choice of products are
the industry standards and frameworks that the organization chooses to follow.
Figure 1.8 shows a classic organization security architecture and how data and criti-
cal assets and the missions and business processes they support are key to cybersecu-
rity and cyber resiliency. The diagram also shows how a Defense in Depth approach
is key to implementing, maintaining, monitoring, and measuring cybersecurity and
cyber resiliency. Additionally, groups such as Audit, Legal, and Compliance play an
important role in assisting the implementation of cyber program, the cyber strategies
and their goals. Cyber programs and strategies are not just about implementation and
maintenance, but also about monitoring and reporting on all aspects to executives as
to their effectiveness and relevance.

FIGURE 1.8 Information Security Architecture.

14 Cyber Strategy: Risk-Driven Security and Resiliency

FIGURE 1.9 Regulatory Cybersecurity Architecture.

1.11.2 REGULATORY SECURITY ARCHITECTURE

In order to provide more structure to the strategy, appropriate standards and frame-
works need to be selected and endorsed by the organization. There exist a number
of industry standards and frameworks that can be utilized as a basis for the strategy,
and/or can be used for assessing the strategy current and target states. Some of the
most recognized and accepted are listed in Figure 1.9.
Implementing the required business sector regulations is fundamental in prevent-
ing fraud and deception. A solid regulatory architecture will provide the basis for
the organization to meet business objectives, provide system reliability, and protect
against legal liability.

1.11.3 INTRODUCTION TO THE NIST CYBERSECURITY FRAMEWORK (CSF)

A corporate cyber strategy and/or program can have many components. There
are many industry standards, frameworks, and guidelines that can inform a cyber
resiliency strategy. One of the most commonly known cybersecurity frame-
works that also encompasses cyber resiliency aspects is the NIST Cybersecurity
Framework (CSF). The CSF consists of three main components: The Core,
Implementation Tiers, and Profles. As shown in Figure 1.10 the CSF Core
Another random document with
no related content on Scribd:
 Fig. 220. Fig. 221.

131. Pine.—Fig. 221. Very variable, very light and soft in “soft” pine, such as
white pine; of medium weight to heavy and quite hard in “hard” pine, of which
longleaf or Georgia pine is the extreme form. Usually it is stiff, quite strong, of even
texture and more or less resinous. The sapwood is yellowish white; the heartwood,
orange brown. Pine shrinks moderately, seasons rapidly and without much injury; it
works easily; is never too hard to nail (unlike oak or hickory); it is mostly quite
durable, and if well seasoned is not subject to the attacks of boring insects. The
heavier the wood, the darker, stronger and harder it is, and the more it shrinks and
checks. Pine is used more extensively than any other kind of wood. It is the
principal wood in common carpentry, as well as in all heavy construction, bridges,
trestles, etc. It is used also in almost every other wood industry, for spars, masts,
planks, and timbers in ship building, in car and wagon construction, in cooperage,
for crates and boxes, in furniture work, for toys and patterns, railway ties, water
pipes, excelsior, etc. Pines are usually large trees with few branches, the straight,
cylindrical, useful stem forming by far the greatest part of the tree.
132. Spruce.—Fig. 222. Resembles soft pine, is light, very soft, stiff, moderately
strong, less resinous than pine; has no distinct heartwood, and is of whitish color.
Used like soft pine, but also employed as resonance wood and preferred for paper
pulp. Spruces, like pines, form extensive forests; they are more frugal, thrive on
thinner soils, and bear more shade, but usually require a more humid climate.
“Black” and “white” spruce as applied by lumbermen, usually refer to narrow and
wide ringed forms of black spruce.
 Fig. 222. Fig. 223.

Broad-Leaved Woods.
133. Ash.—Fig. 223. Wood heavy, hard, strong, stiff, quite tough, not durable in
contact with soil, straight grained, rough on the split surface and coarse in texture.
The wood shrinks moderately, seasons with little injury, stands well and takes a
good polish. In carpentry ash is used for finishing lumber, stairways, panels, etc.; it
is used in shipbuilding, in the construction of cars, wagons, carriages, etc., in the
manufacture of farm implements, machinery, and especially of furniture of all
kinds, and also for harness work; for barrels, baskets, oars, tool handles, hoops,
clothespins, and toys. The trees of the several species of ash are rapid growers, of
small to medium height with stout trunks; they form no forests, but occur scattered
in almost all broad-leaved forests.
134. Basswood.—Fig. 224. (Lime tree, American linden, lin, bee tree): Wood
light, soft, stiff but not strong, of fine texture, and white to light brown color. The
wood shrinks considerably in drying, works and stands well; it is used in carpentry,
in the manufacture of furniture and woodenware, both turned and carved, in
cooperage, for toys, also for paneling of car and carriage bodies. Medium to large
sized trees, common in all Northern broad-leaved forests; found throughout the
Eastern United States.
Fig. 224.
 Fig. 225. Fig. 226.

135. Birch.—Fig. 225. Wood heavy, hard, strong, of fine texture; sapwood
whitish, heartwood in shades of brown with red and yellow; very handsome, with
satiny luster, equaling cherry. The wood shrinks considerably in drying, works and
stands well and takes a good polish, but is not durable if exposed. Birch is used for
finishing lumber in building, in the manufacture of furniture, in woodturnery for
spools, boxes, wooden shoes, etc., for shoe lasts and pegs, for wagon hubs, ox
yokes, etc., also in wood carving. The birches are medium sized trees, form
extensive forests northward and occur scattered in all broad-leaved forests of the
Eastern United States.
136. Butternut.—Fig. 226. (White Walnut.) Wood very similar to black walnut,
but light, quite soft, not strong and of light brown color. Used chiefly for finishing
lumber, cabinet work and cooperage. Medium sized tree, largest and most
common in the Ohio basin; Maine to Minnesota and southward to Georgia and
Alabama.
 Fig. 227.

137. Cherry.—Fig. 227. Wood heavy, hard, strong, of fine texture: sapwood
yellowish white, heartwood reddish to brown. The wood shrinks considerably in
drying, works and stands well, takes a good polish, and is much esteemed for its
beauty. Cherry is used chiefly as a decorative finishing lumber for buildings, cars
and boats, also for furniture and for turnery. It is becoming too costly for many
purposes for which it is naturally suited. The lumber-furnishing cherry of this
country, the wild black cherry, is a small to medium sized tree, scattered through
many of the broad-leaved woods of the western slope of the Alleghanies, but
found from Michigan to Florida and west to Texas.
138. Chestnut.—Fig. 228. Wood light, moderately soft, stiff, not strong, of
coarse texture; the sapwood light, the heartwood darker brown. It shrinks and
checks considerably in drying, works easily, stands well, and is very durable. Used
in cabinet work, cooperage, for railway ties, telegraph poles, and locally in heavy
construction. Medium sized tree very common in the Alleghanies, occurs from
Maine to Michigan and southward to Alabama.
 Fig. 228. Fig. 229.

139. Elm.—Fig. 229. Wood heavy, hard, strong, very tough; moderately durable
in contact with the soil; commonly cross-grained, difficult to split and shape, warps
and checks considerably in drying, but stands well if properly handled. The broad
sapwood whitish, heart brown, both shades of gray and red; on split surface rough,
texture coarse to fine, capable of high polish. Elm is used in the construction of
cars, wagons, etc., in boat and ship building, for agricultural implements and
machinery; in rough cooperage, saddlery, and harness work, but particularly in the
manufacture of all kinds of furniture, where the beautiful figures, especially of the
tangential or bastard section, are just beginning to be duly appreciated. The elms
are medium to large sized trees, of fairly rapid growth, with stout trunk, form no
forests of pure growth, but are found scattered in all the broad-leaved woods of our
country.
140. Gum.—This general term refers to two kinds of wood usually distinguished
as sweet or red gum, and sour, black, or tupelo gum, the former being a relative of
the witch-hazel, the latter belonging to the dogwood family.
Sweet Gum. Fig. 230. (red gum, liquidambar); Wood rather heavy, rather soft,
quite stiff and strong, tough, commonly cross-grained, of fine texture; the broad
sapwood whitish, the heartwood reddish brown; the wood warps and shrinks
considerably, but does not check badly, stands well when fully seasoned, and
takes good polish. Sweet gum is used in carpentry, in the manufacture of furniture,
for cut veneer, for wooden plates, plaques, baskets, etc., also for wagon hubs, hat
blocks, etc. A large sized tree, very abundant, often the principal tree in the
swampy parts of the bottoms of the Lower Mississippi Valley; occurs from New
York to Texas and from Indiana to Florida.
 Fig. 230. Fig. 231.

141. Hickory.—Fig. 231. Wood very heavy, hard and strong, proverbially tough,
of rather coarse texture, smooth and of straight grain. The broad sapwood white,
the heart reddish nut brown. It dries slowly, shrinks and checks considerably, is not
durable in the ground, or if exposed, and, especially the sapwood, is always
subject to the inroads of boring insects. Hickory excels as carriage and wagon
stock, but is also extensively used in the manufacture of implements and
machinery, for tool handles, timber pins, for harness work and cooperage. The
hickories are tall trees with slender stems, never form forests, occasionally small
groves, but usually occur scattered among other broad-leaved trees in suitable
localities.
Hickory excels as carriage and wagon stock, but is also extensively used in the
manufacture of implements and machinery, for tool handles, timber pins, for
harness work and cooperage. The hickories are tall trees with slender stems,
never form forests, occasionally small groves, but usually occur scattered among
other broad-leaved trees in suitable localities.
142. Maple.—Fig. 232. Wood heavy, hard, strong, stiff, and tough, of fine
texture, frequently wavy grained, thus giving rise to “curly” and blister” figures; not
durable in the ground or otherwise exposed. Maple is creamy white, with shades of
light brown in the heart; shrinks moderately, seasons, works and stands well,
wears smoothly and takes fine polish. The wood is used for ceiling, flooring,
paneling, stairway and other finishing lumber in house, ship and car construction; it
is used for the keels of boats and ships, in the manufacture of implements and
machinery, but especially for furniture, where entire chamber sets of maple rival
those of oak. Maple is also used for shoe lasts and other form blocks, for shoe
pegs, for piano actions, school apparatus, for wood type in show bill printing, tool
handles, wood carving, turnery and scroll work.

Fig. 232.

The maples are medium sized trees, of fairly rapid growth; sometimes form
forests and frequently constitute a large proportion of the arborescent growth.
143. Oak.—Fig. 233. Wood very variable, usually very heavy and hard, very
strong and tough, porous, and of coarse texture; the sapwood whitish, the heart
“oak” brown to reddish brown. It shrinks and checks badly, giving trouble in
seasoning, but stands well, is durable and little subject to attacks of insects. Oak is
used for many purposes; in shipbuilding, for heavy construction, in common
carpentry, in furniture, car and wagon work, cooperage, turnery, and even in wood
carving; also in the manufacture of all kinds of farm implements, wooden mill
machinery, for piles and wharves, railway ties, etc. The oaks are medium to large
sized trees, forming the predominant part of a large portion of our broad-leaved
forests, so that these are generally “oak forests” though they always contain a
considerable proportion of other kinds of trees. Three well marked kinds, white,
red, and live oak are distinguished and kept separate in the market. Of the two
principal kinds, white oak is the stronger, tougher, less porous, and more durable.
Red oak is usually of coarser texture, more porous, often brittle, less durable, and
even more troublesome in seasoning than white oak. In carpentry and furniture
work, red oak brings about the same price at present as white oak. The red oaks
everywhere accompany the white oaks, and like the latter, are usually represented
by several species in any given locality. Live oak, once largely employed in
shipbuilding, possesses all the good qualities (except that of size) of the white oak,
even to a greater degree. It is one of the heaviest, hardest and most durable
building timbers of this country; in structure it resembles the red oak but is much
less porous.

Fig. 233.

144. Sycamore.—Fig. 234 (button wood, button-ball tree, water beech): Wood
moderately heavy, quite hard, stiff, strong, tough, usually crossgrained, of coarse
texture, and white to light brown color; the wood is hard to split and work, shrinks
moderately, warps and checks considerably but stands well. It is used extensively
for drawers, backs, bottoms, etc., in cabinetwork, for tobacco boxes, in cooperage,
and also for finishing lumber, where it has too long been underrated. A large tree,
of rapid growth, common and largest in the Ohio and Mississippi valleys, at home
in nearly all parts of the eastern United States.

Fig. 234. Fig. 235.

145. Tulip Wood.—Fig. 235. Tulip tree. (yellow poplar, white wood): Wood quite
variable in weight, usually light, soft, stiff but not strong, of fine texture, and
yellowish color; the wood shrinks considerably, but seasons without much injury;
works and stands remarkably well. Used for siding, for paneling, and finishing
lumber in house, car and shipbuilding, for sideboards and panels of wagons and
carriages; also in the manufacture of furniture, implements and machinery, for
pump logs, and almost every kind of common woodenware, boxes, shelving,
drawers, etc. An ideal wood for the carver and toy man. A large tree, does not form
forests, but is quite common, especially in the Ohio basin; occurs from New
England to Missouri and southward to Florida.
146. Walnut.—Fig. 236. Black Walnut. Wood heavy, hard, strong, of coarse
texture; the narrow sapwood whitish, the heartwood chocolate brown. The wood
shrinks moderately in drying, works and stands well, takes a good polish, is quite
handsome, and has been for a long time the favorite cabinet wood in this country.
Walnut formerly used, even for fencing, has become too costly for ordinary uses,
and is to-day employed largely as a veneer, for inside finish and cabinet work, also
for turnery, for gunstocks, etc. Black walnut is a large tree, with stout trunk, of rapid
growth, and was formerly quite abundant throughout the Alleghany region,
occurring from New England to Texas, and from Michigan to Florida.
Fig. 236.
 CHAPTER XIII.
Wood Finishing.

147. Wood Finishes.—Finishes are applied to wood surfaces (1)

that the wood may be preserved, (2) that the
appearance may be enhanced.
Finishing materials may be classed under one or the other of the
following: Filler, stain, wax, varnish, oil, paint. These materials may
be used singly upon a piece of wood or they may be combined in
various ways to produce results desired.
148. Brushes.—Good brushes are made of bristles of the wild
boar of Russia and China. These bristles are set in
cement and are firmly bound by being wrapped with wire in round
brushes or enclosed in metal in flat brushes. Fig. 237.
 Fig. 237. Fig. 238.

A large brush, called a duster, is used for removing dust or loose

dirt from the wood, Fig. 238. Small brushes, used for tracing, usually
have chiseled edges, Fig. 239.
Bristle brushes are expensive and should be well cared for.
Brushes that have been used in shellac and are not soon to be used
again should be cleaned by rinsing them thoroughly in a cup of
alcohol. This alcohol may be used later for thinning shellac.
 Fig. 239.

Varnish and paint brushes should be cleaned in turpentine. If they

are to be laid away for some time, a strong soap suds, or lather
made from some of the soap powders, should be well worked into
the brush, after the preliminary cleansing. It should then be carefully
pressed into proper shape and laid away flat on a shelf. When the
brush is to be used again, it should first be washed out, to get rid of
all the soap.
Brushes that are used from day to day should be kept suspended,
when not in use, as in Fig. 240, so that their bristles shall be kept
moist, without their touching the bottom of the bucket or can.
 Fig. 240. Fig. 241.

Since alcohol evaporates rapidly, shellac cans with cone tops

should be used or, better, a can in which the brush handle may
extend through the top.
Fig. 241 shows a can which is made double. Varnish is kept in the
inner portion and water in the outer ring. The cover fits over the inner
can and into the water space, thus sealing the varnish air-tight but
removing all danger of the cover’s sticking to the sides of the can.
The brush is suspended from the “cleaning wire” so that its bristles
rest in the liquid.
If delicate woods are to be varnished, stone or glass jars would
better be used to hold the liquid, for metal discolors it slightly.
 Fig. 242. Fig. 243.

149. General Directions for Using Brush.—(1) Hold the brush

as in Fig. 242. (2) Dip
the end of the brush in the liquid to about one-third the length of the
bristles. (3) Wipe off the surplus liquid on the edge of the can, wiping
both sides of the brush no more than is necessary to keep the liquid
from dripping. A wire stretched across the can as in Fig. 243
provides a better wiping place for the dripping brush. In wiping the
brush on the edge of the can, some of liquid is likely to “run” down
the outside. (4) Using the end of the brush, apply the liquid near one
end of the surface to be covered. (5) “Brush” in the direction of the
grain. (6) Work towards and out over the end of the board, leveling
the liquid to a smooth film of uniform thinness. The strokes should be
“feathered,” that is, the brush should be lowered gradually at the
beginning of the sweep and raised gradually at the close, otherwise,
ugly “laps” will result. The reason for working out over the ends
rather than from them will appear with a little thought. (7) Now work
toward the second end. The arrows, Fig. 244, show the general
directions of the final or feathering strokes.

Fig. 244.

Edges are usually covered first and adjoining surfaces afterward.

It frequently happens that surplus liquid runs over a finished
surface, especially when working near the arrises. This surplus can
be “picked up” by wiping the brush upon the wire of the bucket until
the bristles are quite free of liquid, and giving the part affected a
feathering sweep.
If the object has an internal corner, work from that out over the
neighboring surfaces.
Panels and sunk places should be covered first. Afterward, the
raised places, such as stiles, rails, etc., may be attended to.
Wherever possible the work should be laid flat so that the liquid may
be flowed on horizontally. This is of especial advantage in
varnishing. Vertical work should always be begun at the top and
carried downward.
 Tracing consists in working a liquid up to a given line but not over
it, such as painting the sash of a window. Tracing requires a steady
hand and some practice. A small brush is generally used and the
stroke is made as nearly continuous as the flow of the liquid will
allow. Fig. 245.

Fig. 245.

150. Fillers.—Fillers are of two kinds, paste and liquid. They are
used to fill up the wood pores and thus give a smooth,
level, non-absorbent surface, upon which other coverings may be
placed. Paste fillers are for use upon coarse grained woods such as
oak and chestnut, while liquid fillers are for close grained woods
such as Georgia pine.
 Fillers are not a necessity, especially the liquid, but the saving
affected by their use is considerable. Not only are they cheaper than
varnish but one or two coats of filler will take the place and permit a
saving of two or three coats of the more expensive material.
Liquid filler should be applied evenly with a brush and allowed to
dry twenty-four hours, after which it may be sanded smooth with No.
00 paper. It is used mainly upon large work such as porch ceilings
and interior finish, like Georgia pine. On fine cabinet work, one or
two coats of thin white shellac is used as a filler upon close grained
wood. Shellac forms a surface which after twenty-four hours, can be
sandpapered so as to make a very smooth surface. Varnish applied
to the bare wood has a tendency to darken and discolor it. Filling
with shellac preserves the natural color.
Paste filler is sold by the pound in cans of various sizes. The best
fillers are made of ground rock crystal mixed with raw linseed oil,
japan and turpentine.
For preserving the natural color of the wood, filler is left white; for
Flemish, it is colored brown; for antique and weathered finishes, it is
dark. Fillers can be purchased ready colored.
151. Filling with Paste Filler.—(1) Thin the filler with turpentine
until it makes a thin paste. (2) With a
stiff-bristled brush, force the filler into the pores of the wood and
leave the surface covered with a thin coating. (3) Allow this to stand
until the filler has “flatted,” that is, until the “gloss” has disappeared
and the filler becomes dull and chalkish. The time required for this to
take place varies. Twenty minutes is not unusual. (4) Rub the filler off
just as soon as it has flatted—do not let it stand longer, for the longer
it stands the harder it is to remove. Rub across the grain as much as
is possible, using a wad of excelsior. Finish fine work by going over it
a second time with a cloth, rubbing with the grain as well as across,
that the “high lights” may be clear of filler.
On fine work use a felt pad to rub the filler into the pores, and rub
off with a cloth only.
Twenty-four hours should be allowed the filler to harden. One
filling is sufficient for ordinary work; on fine work the above process
is sometimes repeated after the first filling has hardened.
 The striking contrasts in the grain of wood such as oak and
chestnut, obtained by the use of colored fillers, are due to the dark
filler’s remaining in the open grain but being wiped off of the close
grain—the “high lights.”
On quarter-sawed oak, each flake is sometimes sanded with fine
paper, No. 00, to remove the stain that the contrast may be sharper.
Excelsior and rags used in cleaning off filler must not be allowed to
lie around but must be burned for they are subject to spontaneous
combustion and are dangerous.
152. Stains.—Stains are used to darken the high lights of wood
preparatory to the application of a relatively darker
filler. By varying the intensity of the stain different results may be
obtained with the same color of filler. Stains are also used without
fillers.
There are three kinds of stains: (1) water, (2) oil, (3) spirit. Each
kind has its advantages and its disadvantages.
Wood stains are cheap, penetrate the wood deeply, and are
transparent. They cause the grain of the wood to “rough up,”
however, and for this reason are used mainly upon hard woods
which require darkening before the application of a filler. The wood is
sanded before the filler is applied. Where water stain is not to be
followed by filler, it is customary to thoroughly moisten the surface to
be covered with water alone. After this has dried, the surface is
sanded with fine paper and the stain applied. The stain does not
raise the grain as it otherwise would.
Water stains may be applied with a brush or a sponge. They are
sometimes heated that they may enter the wood more deeply. Any
coloring matter that can be dissolved in water will make a wood dye
or stain.
Oil stains, like water stains, are often used to stain wood before
filling. They are more generally used where no filling is desired. They
are easier to apply evenly than water or spirit stains. They do not
raise the grain of the wood like the other stains. On the other hand,
they do not penetrate and therefore cannot color hard woods dark.
Neither do they give the clear effects.
Most oil stains are applied with a brush, after which the surface of
the wood is immediately wiped clean with a cloth.