Roger Grimes on Prioritizing Cybersecurity Recommendation
It is a good level:
A part of the issue is that we’re consistently handed lists…listing of required controls…listing of issues we’re being requested to repair or enhance…lists of latest tasks…lists of threats, and so forth, that aren’t ranked for dangers. For instance, we are sometimes given a cybersecurity guideline (e.g., PCI-DSS, HIPAA, SOX, NIST, and so forth.) with a whole lot of suggestions. They’re all nice suggestions, which if adopted, will scale back danger in your atmosphere.
What they don’t inform you is which of the beneficial issues may have probably the most influence on finest lowering danger in your atmosphere. They don’t inform you that one, two or three of this stuff…among the many a whole lot which were given to you, will scale back extra danger than all of the others.
[…]
The answer?
Right here is one huge one: Don’t use or depend on un-risk-ranked lists. Require any listing of controls, threats, defenses, options to be risk-ranked based on how a lot precise danger they may scale back within the present atmosphere if carried out.
[…]
This particular CISA doc has at the least 21 major suggestions, a lot of which result in two or extra different extra particular suggestions. Total, it has a number of dozen suggestions, every of which individually will doubtless take weeks to months to satisfy in any atmosphere if not already completed. Any particular person following this doc is…rightly…going to be anticipated to judge and implement all these suggestions. And doing so will completely scale back danger.
The catch is: There are two suggestions that WILL DO MORE THAN ALL THE REST ADDED TOGETHER TO REDUCE CYBERSECURITY RISK most effectively: patching and utilizing multifactor authentication (MFA). Patching is listed third. MFA is listed eighth. And there’s nothing to point their skill to considerably scale back cybersecurity danger as in comparison with the opposite suggestions. Two of this stuff aren’t like the opposite, however how is anybody studying the doc imagined to know that patching and utilizing MFA actually matter greater than all the remainder?
Tags: cybersecurity, patching, two-factor authentication
Posted on October 31, 2024 at 11:43 AM •
6 Feedback