As an executive and someone responsible for outreach on behalf of my organization, I do a ton of talking on Information Security matters. I also get to see a fair amount in the post-mortem analysis of some fairly interesting technical exploits. Time and again information security practitioners and the executives they work for want to know what they should be doing to protect their enterprises. The simple answer is frankly to just do the basics (at least as a starting point). Now, that answer can be misleading, as the basics or fundamentals require steady adherence to principles which require qualified teams to take a systematic approach to keeping an enterprise safe from would be attackers. But, if you are great at the basics or fundamentals you will be in better shape than most.
There’s no shortage of vendor tools promising the end to your security nightmares. Comparatively speaking, some of those tools are great and likely will do some of what they promise, while others can be a fancy visual showing of an already confusing landscape. What are cyber threat actors trying to accomplish after all? Whatever you have behind a “wall” of protection that has value to you and therefore can be monetized by most cyber threat actors. Ok, so all you have to do is protect your enterprise from attackers, right? Yes, in the simplest answer ever given.
The problem is that some practitioners and most executives have no idea what this looks and feels like. They just approved an increase in the InfoSec budget and the CISO has promised the implementation of several controls and solutions and maybe even an event management tool, so were safe, right? Other business lines have straightforward metrics taught at every business school in the country that shows you exactly how to calculate ROI for an investment. Information security managers have various tools and templates that show a similar value, but the problem arises in communicating these results to the c-suite. Yes, some of the solution is in “the ask.”
Information Security is about enterprise risk management. Most organizations have hundreds/thousands of security events and probably tens/hundreds of actual security incidents all of which require some level of adherence to the incident response model (prepare, identify, contain, eradicate, recovery and lessons learned). But how much effort needs to be applied all depends on where those risk fall on your overall enterprise risk management register. Using proven risk methodologies, you can begin to “rack and stack” information security risks among all of your other enterprise risk issues. Your limited resources are then used to target the issues potentially causing the greatest impact and likelihood of occurrence.
The chasm exists when security professionals are unable to effectively communicate this delta to business leaders who then provide either a complete blanket approach to addressing InfoSec issues (expecting absolute system integrity) or they tend to guard the business treasure with angst exercising the least engagement necessary hoping upon hope that nothing happens on their watch. Happiness and effectiveness lies somewhere in between.
The InfoSec triad of Confidentiality – Integrity – Availability is the foundation of all instruction in the security realm. From this triad flows security frameworks, system controls and every other fancy high-level control, approach and protocol in the security world. If you have a highly capable and mature security apparatus you are likely following the tenets of the triad and using a viable template, like the NIST framework, to structure your approach to InfoSec. If you are winging it, well you are probably doing a lot of things, some of which is helpful while other aspects are not.
When I talk about the fundamentals I’m speaking of those areas when engaged and practiced allow you the greatest return on your investment.
1) effective patch management
2) access and identity management
3) effective password management – along with the use of 2FA
4) effective use of encryption of data at rest and in transit
5) Implementation and effective use of the commonly referenced SANS 20 security controls only to name a few (clearly not an exhaustive list).
Let’s encapsulate this in a relatively decent understanding of the cyber threat landscape and you are off to the races. If you can get to a point where these fundamentals become second nature, you will be better situated than most.
Back to the premise of this piece, I believe practitioners lose sight of the fundamentals because there’s too much noise and not enough signal on the landscape. Because of the sheer increase in our reliance on tech and all things it brings; frankly there’s just too much information coming at those expected to protect these environments. We must learn to focus on the fundamentals because it’s a darn good starting point.
Another version of this article appears here.