How to create your cybersecurity “Google Maps”: A step-by-step guide for security teams
Cybersecurity isn’t just about firewalls and antivirus. It’s about understanding how your defenses, people, and processes work together. Just like Google Maps revolutionized navigation, process mapping can revolutionize how you understand and manage your security landscape.
We used to wrestle with paper maps to navigate new places. This was dangerous and inconvenient. Reading a map while driving means you do neither well. Then came the seemingly magical turn-by-turn GPS systems from the likes of Garmin and TomTom. They cost hundreds of dollars and were a fabulous luxury. When Google Maps came out, suddenly maps were toast and turn-by-turn became indispensable. Most of us can no longer imagine living without online maps for planning trips, navigating new cities on foot or in a car. New use cases emerged; we use maps today like search engines, filtering for ratings and times of operation or type of food or merchandise.
Today most security teams are navigating the streets of cybersecurity with the equivalent of paper maps. Some use spreadsheets that are updated by hand. Others use dashboards with a few automated elements. In the worst case they have to parse raw log files and manually stitch together a string of events or indicators to reconstruct a security process such as an incident response, one turn at a time. This is why root cause analysis is so painful and time consuming, and it is a big part of why cybersecurity today remains inefficient and inexact.
So how can we move cybersecurity from paper maps and piecemeal analysis to an integrated, cohesive, comprehensive live navigable system that gives us the equivalent of turn-by-turn visibility and planning?
By adopting a process mapping mindset and building live visual representations of security journeys — a Google Maps for security workflows.
Step 1: Define your critical paths
You don’t need to map everything — only elements and tools that track a security process or workflow.
- Identify key processes: Start with your most important security workflows. This might include incident response, vulnerability management, threat hunting, or compliance audits.
- Map the terrain: Break down each process into its individual steps. Who is involved? What actions are taken? What tools are used? Be meticulous and detailed.
Step 2: Lay out your security maps
The beauty of Google Maps is the strong visual architecture that simplifies “choose your own adventure”. For security processes:
- Choose your mapping tool: There are many options available, from simple flowchart software with dynamic nodes to specialized cybersecurity process mapping platforms. The ideal tool lets you create dynamic, interactive process maps that can be updated in real time and filtered on any critical attribute (role, condition, location, type of process).
- Integrate with your tools: Link your map to your SIEM, ticketing system, chat, email and security orchestration tools, etc. This allows your map to reflect the live status of your security operations and to visualize who does what and when it happens. The integrations should provide a timeline of interactions in a visual flow to let you navigate the process of interest easily and quickly.
- Build your map: Connect the steps of each process into a visual flow. Use color coding to highlight different teams, statuses, or potential bottlenecks. Add notes and annotations to provide context. The map must provide complete chains of activities and visibility into nested actions and reactions to properly capture the ways that cybersecurity teams navigate their work.
Step 3: Use the map to optimize security processes
Now that you have a map and visual landscape of your key security processes, you can deploy a powerful Security BI tool that lets you visually inspect and analyze how different journeys lead to different outcomes. This is the most critical component of security optimization — optimizing the human factor and focusing on what people actually do (as opposed to what dashboards or attestations say they do).
- Analyze traffic patterns by type: Map how specific types of events flow through your processes and how different tasks are executed. Where are the delays? Are there any unexpected detours? Are people skipping steps or going out of compliance? Or are they optimizing the process themselves and enhancing efficiency?
- Investigate specific incidents: Use your map to investigate specific incidents or actions, from responding to indicators of compromise to patching high-severity zero-days. See what is happening and what is being missed.
- Identify process risks and optimize playbooks: Update your processes to streamline workflows, eliminate unnecessary steps, and automate repetitive tasks. Use your map to test and validate your changes.
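The three steps above are easier to picture with a concrete pass over a timeline. The following Python is an added example, not code from the original article or from any particular mapping product. The playbook steps, incident identifiers and event records are constructed for illustration; in practice the records would be pulled from the SIEM, ticketing and chat integrations described in Step 2. It groups events into per-incident journeys, counts and times every step-to-step transition, flags incidents that skipped playbook steps or looped back, ranks the slowest edges, and emits a Graphviz DOT graph of the resulting map.

```python
"""Process-mining an incident-response playbook from a timeline of events.

Added example: PLAYBOOK and EVENTS are constructed for illustration, not real data.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Hypothetical playbook: the ordered steps every incident is expected to pass through.
PLAYBOOK = ["alert", "triage", "contain", "eradicate", "recover", "close"]

# Constructed sample timeline: (incident_id, ISO timestamp, step, actor).
EVENTS = [
    ("INC-1", "2024-03-01T09:00:00", "alert", "siem"),
    ("INC-1", "2024-03-01T09:20:00", "triage", "alice"),
    ("INC-1", "2024-03-01T10:05:00", "contain", "bob"),
    ("INC-1", "2024-03-01T12:00:00", "eradicate", "bob"),
    ("INC-1", "2024-03-01T13:30:00", "recover", "carol"),
    ("INC-1", "2024-03-01T14:00:00", "close", "alice"),
    ("INC-2", "2024-03-02T08:00:00", "alert", "siem"),
    ("INC-2", "2024-03-02T08:10:00", "triage", "alice"),
    ("INC-2", "2024-03-02T09:00:00", "eradicate", "dave"),   # containment skipped
    ("INC-2", "2024-03-02T09:30:00", "close", "dave"),       # recovery skipped
    ("INC-3", "2024-03-03T10:00:00", "alert", "siem"),
    ("INC-3", "2024-03-03T10:15:00", "triage", "bob"),
    ("INC-3", "2024-03-03T10:40:00", "contain", "bob"),
    ("INC-3", "2024-03-03T10:50:00", "triage", "bob"),       # loop back: a detour
    ("INC-3", "2024-03-03T11:10:00", "contain", "bob"),
    ("INC-3", "2024-03-03T18:00:00", "eradicate", "carol"),  # long wait before eradication
    ("INC-3", "2024-03-03T18:30:00", "recover", "carol"),
    ("INC-3", "2024-03-03T19:00:00", "close", "alice"),
]


def build_journeys(events):
    """Group events by incident and order each incident's steps by time."""
    journeys = defaultdict(list)
    for inc, ts, step, actor in events:
        journeys[inc].append((datetime.fromisoformat(ts), step, actor))
    for inc in journeys:
        journeys[inc].sort()
    return dict(journeys)


def transition_stats(journeys):
    """Edge counts and total elapsed seconds for each (from_step, to_step) edge."""
    counts, seconds = Counter(), Counter()
    for path in journeys.values():
        for (t0, s0, _), (t1, s1, _) in zip(path, path[1:]):
            counts[(s0, s1)] += 1
            seconds[(s0, s1)] += (t1 - t0).total_seconds()
    return counts, seconds


def skipped_steps(path, playbook=PLAYBOOK):
    """Playbook steps that never appear in this incident's journey."""
    seen = {step for _, step, _ in path}
    return [s for s in playbook if s not in seen]


def detours(path, playbook=PLAYBOOK):
    """Transitions that go backwards or jump ahead more than one playbook step."""
    idx = {s: i for i, s in enumerate(playbook)}
    return [(s0, s1) for (_, s0, _), (_, s1, _) in zip(path, path[1:])
            if idx[s1] != idx[s0] + 1]


def slowest_edges(counts, seconds, n=3):
    """Edges ranked by mean elapsed seconds; these are the bottleneck candidates."""
    avg = {e: seconds[e] / counts[e] for e in counts}
    return sorted(avg.items(), key=lambda kv: kv[1], reverse=True)[:n]


def to_dot(counts, seconds, playbook=PLAYBOOK):
    """Render the transition map as Graphviz DOT; off-playbook edges are drawn red."""
    idx = {s: i for i, s in enumerate(playbook)}
    lines = ["digraph ir_playbook {", "  rankdir=LR;"]
    for (s0, s1), c in sorted(counts.items()):
        mean_min = seconds[(s0, s1)] / c / 60
        style = " color=red" if idx[s1] != idx[s0] + 1 else ""
        lines.append(f'  "{s0}" -> "{s1}" [label="{c}x, {mean_min:.0f} min"{style}];')
    lines.append("}")
    return "\n".join(lines)


def analyze(events=EVENTS):
    """Return (per-incident findings, slowest edges, DOT graph) for a timeline."""
    journeys = build_journeys(events)
    counts, seconds = transition_stats(journeys)
    report = {inc: {"skipped": skipped_steps(p), "detours": detours(p)}
              for inc, p in journeys.items()}
    return report, slowest_edges(counts, seconds), to_dot(counts, seconds)


if __name__ == "__main__":
    report, slow, dot = analyze()
    for inc, findings in report.items():
        print(inc, findings)
    print("slowest edges (mean seconds):", slow)
    print(dot)
```

Running it prints that INC-2 skipped containment and recovery, that INC-3 looped back from containment to triage, and that the contain-to-eradicate edge is by far the slowest; piping the DOT text through `dot -Tsvg` renders the map with those detours highlighted in red. The same structure extends to any playbook (vulnerability management, threat hunting) by swapping PLAYBOOK and the event feed.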
Mapping your never-ending security evolution
Although it’s an amazing product, we all run into errors on Google Maps — stores or restaurants that are closed, distances that are slightly off, directions that tell you to turn left at an intersection with a “No Left Turn” sign. In a similar fashion, your security process maps will need to evolve to keep up with changes in your organization, your tooling, and your processes. Your security landscape is constantly changing, so you’ll need to regularly review and update your map to reflect new threats, tools, or procedures.
Security itself is a process, not a product. Humans process visual information more efficiently than any other format. We have also evolved as wayfinders, with an innate sense of mapping. There is a reason online mapping tools are among the most popular applications in history. By applying these lessons to cybersecurity, we can leverage the power of the map to improve the efficiency of cybersecurity teams and finally get a clear picture of the most important piece of information for good security: a map of intention and actions that lets us relive, learn, and improve.