The Importance of Being Earnest
Jim Woodcock
CISO
As Wilde’s Algernon says “The truth is rarely pure and never simple. Modern life would be very tedious if it were either…”. Wise words indeed, and never more so than now – welcome to the definitely impure, heinously complex, and anything but dull world of Cyber Security…
For someone accountable for Cyber Security, the scope of your management domains and the array of tools to help you discharge your responsibilities are vast, as is the burden of expectations. It is very easy to get seduced (like virtually everyone in Wilde’s play, where being seduced seems to be an almost hourly hazard) by the myriad of tools and snazzy marketing messages that promise to take away much of your pain through the implementation of the latest shiny things. The reality though is that the most sensible investments you can make are all too often a little closer to home, and largely require that you ‘get the basics right’.
Many firms struggle to realise their return on investment from the advanced tooling that they are attempting to layer on top of fragmented foundations. Most of these tools require accurate and consistent input from existing capabilities in order to function optimally, so if your directory service is full of stale records, or your DNS reverse lookups are inconsistent, then that will permeate into anything you build that uses these as an input source.
Although not exhaustive, here are 5 ‘basics’ that, if you are earnest in getting them to work well, will deliver significant value in improving your security posture and provide a sturdy foundation for more advanced tooling in the future.
1. Get your asset management tight
You do not need to be a genius to realise that having an adequate endpoint protection deployment across 100% of your applicable estate is better than having an excellent one deployed across only 50% of it. Understanding your estate is one of the most critical aspects of technology operations and security is no different – if you don’t know that a device exists then it follows that the device will likely accumulate vulnerabilities over time, increasing the likelihood of it being exploited as part of a successful attack. It is also important that you consider data assets so that appropriate CIA (confidentiality, integrity and availability) controls can be applied where they are most important. You need to know what you have so that you can manage it appropriately. Maintaining the accuracy of this information is of course key to longer-term successful information security management, risk-based decision making and cyber resilience. Don’t be like Miss Prism and put the baby in your handbag and your manuscript in the pram, a case of poor asset management if ever there was one.
2. Mature your vulnerability management capability
Vulnerabilities come thick and fast these days, and it is easy to view vulnerability management as a pure-play numbers game. It is not: prioritisation and agility are key. Make sure that you assess vulnerabilities against the risk that they represent to the business and prioritise their remediation accordingly. Have a regular cadence of deploying patches that keeps the overall vulnerability count under control, but make sure that, where a new vulnerability represents a clear and present danger to your business, you have a well-tested process in place to deploy critical updates quickly. After all, to borrow from Lady Bracknell, “to lose something once may be regarded as a misfortune, to lose everything looks like carelessness”.
3. Educate your people to become accountable
Depending on the maturity of security awareness in your organisation, your people will be your biggest asset, your biggest liability, or most likely somewhere in between. It is important that you help people understand that in all technology-enabled businesses they have a key, front-line role to play in defending the business assets from threat actors. This goes beyond not falling for phishing emails, and should extend into your people’s ‘life outside the office’ and their behaviours when using social media platforms and other online services. Changing culture is not easy and needs to have very visible top-level support in a business to have any chance of success. A mindset of collective ownership and responsibility, getting people to become the ‘human firewall’, is a significant weapon in your defensive cyber arsenal. Where IT security is concerned, Algernon is right again: “If I am occasionally a little over-dressed, I make up for it by being always immensely over-educated”.
4. Implement and test a response plan
There is no such thing as perfect cyber security. It is important that businesses accept this and that all levels of the organisation are prepared to respond to a security incident. Define and test your response plan regularly so that when (not if) you have to execute on that plan for real, it feels comfortable and, for the key participants, second nature. By modelling different attack scenarios you will learn something that helps you improve your plan every time you run through your response. Documenting and regularly maintaining the plan, including key contacts, and ensuring it is available and accessible through multiple online and offline repositories (so it can still be reached during a serious incident) is key. When doing this, ensure that you have the right names for the right people (or you might find yourself facing a surprise reveal in the final act when your data analyst turns out to have been the son of the CIO all along).
5. Check the health of your operational metrics
How often have you experienced security issues in areas where the operational metrics are always green? Often when you pick away at this ‘green-ness’, particularly delving into tolerance areas, you’ll find that, much like a watermelon, the green exterior gives way to a red inner. Always remain objective, throw away those rose-tinted glasses when reviewing operational metrics and be prepared to challenge. Where items are green due to being ‘within tolerance’, make sure that the tolerance is appropriate, as it may have been defined in a different era of cyber activity. Also explore what lurks in the tolerance ‘gaps’ and look to use other data to triangulate and validate baseline numbers, e.g. the number of Windows servers in scope for patching should marry up with the number of Windows servers in your asset management metrics. Don’t shy away from doing this exercise properly, bunburying is not an option… (if you don’t know what bunburying is, Google it – it will add to both your vocabulary and your repertoire of techniques for getting out of meetings…)
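One way to do the triangulation described above, as an added example that is not from the original post: reconcile a patching tool’s own ‘green’ compliance figure against the Windows servers recorded in the asset inventory. The inventory, the patch export, the 95% tolerance and the 30-day staleness threshold are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed asset inventory: hostname -> (os, days since the CMDB last saw it).
INVENTORY = {
    "win-srv-01": ("windows", 1),
    "win-srv-02": ("windows", 2),
    "win-srv-03": ("windows", 0),      # live server the patch tool never enrolled
    "win-srv-04": ("windows", 120),    # stale record: not seen for months
    "lnx-srv-01": ("linux", 1),
}

# Constructed export from the patching tool: hostname -> patch compliant?
# It only reports on devices it knows about, so its own dashboard is "green".
PATCH_STATUS = {"win-srv-01": True, "win-srv-02": True, "win-srv-05": True}

@dataclass
class Reconciliation:
    headline_coverage: float      # compliant / devices the patch tool manages
    true_coverage: float          # compliant / Windows servers in the inventory
    headline_status: str
    true_status: str
    missing_from_patching: set    # inventoried but unknown to the patch tool
    unknown_to_inventory: set     # patched but absent from the inventory
    stale_records: set            # inventory entries nobody has seen recently

def reconcile(inventory, patch_status, tolerance=0.95, stale_after_days=30):
    """Triangulate the patching metric against the asset inventory (assumed thresholds)."""
    windows = {h for h, (os_, _) in inventory.items() if os_ == "windows"}
    compliant = {h for h, ok in patch_status.items() if ok}
    headline = len(compliant) / len(patch_status)          # the watermelon's skin
    true_cov = len(compliant & windows) / len(windows)     # the watermelon's flesh
    rag = ["green" if c >= tolerance else "red" for c in (headline, true_cov)]
    return Reconciliation(
        headline_coverage=headline,
        true_coverage=true_cov,
        headline_status=rag[0],
        true_status=rag[1],
        missing_from_patching=windows - set(patch_status),
        unknown_to_inventory=set(patch_status) - set(inventory),
        stale_records={h for h in windows if inventory[h][1] > stale_after_days},
    )

if __name__ == "__main__":
    r = reconcile(INVENTORY, PATCH_STATUS)
    print(f"patch tool dashboard: {r.headline_coverage:.0%} ({r.headline_status})")
    print(f"against inventory:    {r.true_coverage:.0%} ({r.true_status})")
    print("never enrolled:", sorted(r.missing_from_patching))
    print("not in inventory:", sorted(r.unknown_to_inventory))
    print("stale inventory:", sorted(r.stale_records))
```

Each set the function returns is a follow-up action: enrol the missing servers, find out who owns the unknown one, and clean up the stale record before it skews the next baseline.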
Being earnest about the basics is not as exciting as implementing the latest cyber tooling, but if it’s excitement you’re after then try going to see a farce in three acts. Putting in the effort and getting the basics working well adds significant value in its own right, and is generally a prerequisite for more advanced tooling working properly and at its best.
Finally, as Wilde said, remember “Experience is simply the name we give our mistakes”.