Security practitioners are often asked, ‘What keeps you up at night?’ Some of them have very detailed answers: unpatched vulnerabilities, forgotten systems, missed alerts. There are quite a few items on the list of a person whose job is on the line if the company gets breached. This is neither fair nor sustainable. If we don’t sleep well, we get cranky, and when we get cranky every minor miss can become a major irritant.
https://www.cisa.gov/shields-up
We live in an imperfect world
Let’s start with that. Mistakes happen, links get clicked and malware gets installed. A security practitioner will never go to bed with the satisfaction that the vulnerability report looks green, the alert queue is empty, and every user in the organization has been on top of their cybersecurity game. The challenge is to avoid getting hacked despite all of that. Accepting reality is a good place to start; also remember that compensating controls do a lot more than compensate. A well-spun web of controls is made of little things that matter the most and very often save the day: a robust backup solution, failovers, and a disaster recovery solution that is tested from end to end.
https://commons.wikimedia.org/wiki/File:Defense_In_Depth_-_Onion_Model.svg
Prioritize
Whoever invented the phrase “boiling the ocean” must not have been a cybersecurity practitioner at heart. We can’t fix everything, so pick the items that will keep you out of court, i.e. those that help meet the regulatory requirements for privacy, payment processing, or securing patient health information, where applicable. Ensure you have done the due diligence needed to file a cyber insurance claim if the need arises. If there is only one control you can apply right away, make it multi-factor authentication; it reduces the risk of a security compromise.
NIST Cybersecurity Framework
Escalate
Give your leadership the facts so they can make an informed decision. Let them know about the exposures, the potential for damage when cyberattacks happen, and the risks of not having safeguards in place. The last thing a security practitioner should do is keep the bad news to themselves and share only the good news. That often leads to sleepless nights filled with what-if scenarios.
Dashboard
Management has a short attention span. Don’t lose them with Excel sheets and CVE ratings. Make it visually attractive: highlight the areas that are in red, along with those in yellow and green. Leadership can then drive the initiative to move the reds to green. Have the numbers ready when they ask for them. For example, if we are missing a SIEM solution for continuous monitoring and alerting, tell them how much it will cost and how long it will take to roll out.
CIS Dashboard for presenting to the Board
Sleep, Rinse, Repeat
Security is never done, so now that you’ve relieved yourself of the dark, dreary corporate cybersecurity secrets, you might as well sleep relaxed. Rinse and repeat periodically. Keep generating the reports on a consistent basis, take action in priority order, and when you look back at the end of the year you’ll be amazed at how much you’ve achieved. Good luck!