
CISO Data Headaches – CISO Data Solutions

Unquestionably, the expectations on a CISO are becoming ever more formidable. There’s an increasing amount to worry about and, as we’ve seen, attacks are getting more sophisticated and complex. It’s been said that data represents the “crown jewels” of organizational assets, and that’s never been truer than in 2021.

As somebody who regularly speaks to CISOs across different industries, sectors and levels of cyber maturity, I’ve seen first-hand where the headaches exist and what causes these headaches. While all organizations are different and have different risks, finding solutions for those headaches is possible. Here’s what I recommend.   

Too Much Data = Too Many Vulnerabilities

While having too much data isn’t necessarily a problem, it can lead to a form of analysis paralysis. Data gives us the ability to measure and track progress, but it shouldn’t prevent us from making inroads.

Vulnerability scans, penetration testing, threat hunts, expanding attack surfaces, multi-cloud environments, insecure APIs and the like can all produce oodles of security issues and data, and these security issues can compound over time and leave an organization vulnerable to attack.

Vendors will try to sell a solution that fixes all your problems in one go, but the reality is that there is no such thing as a security silver bullet. Achieving security maturity is done by people, process and technology all working together to increase the internal cyber culture.

An example of this is when a user selects a “strong” password from the get-go: this decision was the product of good security culture and involved people, process and technology. This one event does not make an organization secure; it’s the compounding effect of hundreds of daily decisions that helps increase cyber maturity.

Context is Key

Deciding what to fix and when to fix it is critical. While the security provider may well understand what your environment / application looks like, they may have some difficulty adding the appropriate level of context onto the issues.

Unfortunately, and unlike taking a headache tablet, there is no one solution to this problem. Fortunately, there are solutions that can be applied to increase cyber maturity for all organizations:

Concentrate on the Basics: It almost always comes down to the basics of information security. All too often we see organizations fail at the basics (patching, passwords and policy). We know that security at an enterprise level is difficult, nuanced and multifaceted. Ensuring that hosts and devices are not left unpatched, that robust password management is in place and that security cannot be circumvented by weak policy is critical to cyber maturity.

Prioritize Key Systems and Hosts: Not all hosts are created equal; some are more important to a business than others. Where are the crown jewels, and are they secured and hardened to a level that is acceptable? Are these systems externally facing or are they internal hosts? These are some of the questions that need to be asked. Once this is decided, appropriate hardening can take place. It’s important to note here that while the protection of key systems is important, it’s also key to harden any adjoining environments. This analysis should be done by a penetration tester.

Speak to your Security Provider: More often than not, the security provider will understand your environment as well as you do. Consult them when you plan to make impactful security decisions or impactful decisions to your overall IT environment. If they’ve recommended a fix for an issue and it isn’t practical for your organization, what other controls can be implemented to minimize risk to that asset?

