Navigating the noise, complexity and uncertainties of the cybersecurity landscape demands clear thinking. But that’s no easy task.
The security professional today has to be knowledgeable about the organization’s own environment, business needs and risks, compliance requirements, best practice frameworks, internal policies and procedures, and the crowded market of product vendors and service providers.
Add to that the daily deluge of news and reports—from public breaches to emerging threats and newly-discovered vulnerabilities—and all of this is enough to cloud any mind.
Yet clear thinking is exactly what’s needed to successfully bring about cybersecurity strategy, and it’s definitely put to the test during incidents.
How can we gain clarity and consistency in thinking, so that we are able to lead, not just respond? How can we organize our thoughts, so that we can function properly in a world of constant distractions?
An important step is to acknowledge that thinking is not just about the content of the thoughts themselves. It’s not just a function of data input. Thinking is also a process that derives from mental frameworks, assumptions, values and postures.
It’s the last one—mental postures—that’s worth exploring a bit further here, as these can have a profound impact on how we approach a problem. Mental postures are the attitudes and predispositions for looking, orienting, deciding and acting* that occur within the mind. More specifically, dispositions like firmness and flexibility come into focus and influence our thinking.
Effective security requires both firmness and flexibility.
We need to be firm enough to be disciplined in adhering to security policies, practicing good habits and best practices, and paying attention to the details that matter. At the same time, we need to be flexible enough to consume, understand and respond to new information, emerging threats, changing requirements and innovative solutions.
Too firm, and we grow rigid; too flexible, and we become unreliable. Striking the right balance is the key to an effective security mindset.
So where should we be firm, and where should we be flexible?
Given the importance of the human factor in cybersecurity—from the behavior patterns of employees to the technical skills of cybersecurity professionals—it’s crucial to remain firm in this area.
Firmness here often means demanding and requiring a high standard of behavior. This is also where firmness is difficult. Sloppy data protection, susceptibility to social engineering and lack of interest are significant headwinds in efforts to “secure” the human element. But this is also where incremental improvements in security will almost always yield incremental gains in protection.
The fact that 100% cannot be achieved here does not mean that we should let effectiveness slip from 90% to 60%. The more resistant the organization’s people are to social engineering and the better they practice cyber hygiene, the better able the security team is to detect, prevent, contain and remediate.
Similarly, our effectiveness as security professionals is very much a function of our ability to consistently implement and maintain effective controls. And the most effective controls remain the foundational ones.
As noted in the CIS Critical Security Controls, the first two steps involve knowing what’s connected and knowing what’s running in the environment. Or put another way, know what you’re protecting. It turns out, however, that even these first two basic controls are hard to do well.**
But a firm, disciplined approach in these areas yields great benefits, as CIS notes that effective implementation of just the first five of its 20 controls can eliminate 85% or more of attacks. This is Excellence in the Essentials.
But Excellence in the Essentials is difficult to do when we are distracted. And there is no shortage of distractions.
One of the most insidious is our tendency to latch onto the latest-and-greatest technology as a potential solution or to grasp at a secondary problem at the cost of the primary.
For example, a secondary problem in cybersecurity is the challenge of visibility, awareness, and correlation. While understandable—no one likes to drive in fog—it has led to expensive investments in SIEM platforms that promise to deliver those things without addressing the foundational controls needed for real security.
While we may scoff at spreadsheet-based asset inventories, an accurate spreadsheet is more valuable—from a security controls standpoint—than a flashy, but incomplete, dashboard. It’s worth remembering that submarines navigate the planet just fine without the ability to see.
Finally, firmness is necessary when it comes to the details. That’s where the Devil lives, we’ve been told, and it’s as true in the Information Age as it was in the Gilded Age.
It takes firmness and discipline to watch for anomalies, to notice when something just doesn’t look right. It takes firmness and discipline to ensure that configuration-hardening standards are adhered to. And it takes firmness and discipline to ensure timely patching.
In many ways, this amounts to a willingness to do the more menial tasks of ensuring security. Uninspiring and uninteresting in many ways, those are the little details that matter.
But an obsession with firmness cannot be allowed to compromise flexibility where flexibility is needed most.
Flexibility is needed in the first place in managing risks, since this is really about balancing risks with business needs. Here the inherent tensions must be resolved within our minds—as security professionals—before they can be addressed in the organization.
While we strive to improve security wherever possible, we cannot (and should not) believe that 100% security is the goal, since the only way to completely eliminate the risks of doing something is to not do it at all (the ultimate breach, if you will). While the right balance is different for each organization, the imperative to be flexible in seeking that balance remains.
Since cybersecurity is inextricably linked to technology, new developments in technology must be addressed. But technological development has never been predictable, linear or incremental, at least not all the time. This, too, demands mental flexibility.
Adapting to new ways of doing business, driven by emerging technology, means that while the foundational principles remain sound, their applications may need rapid reassessment and reapplication. A static approach to a dynamic problem is insufficient.
So, there is no detailed prescription that applies to everyone.
A detailed prescription, after all, is the very rigidity that will lead to failure. If firmness is an obstruction, and flexibility is accommodation, then balance is the key.
For example, much has been made of the potential uses of blockchain technology in security. There are no doubt many applications which have yet to be discovered. Flexibility, in this case, is about being open-minded and willing to learn. It may require experimenting with uses in your organization. But the emergence of blockchain doesn’t mean that foundational security controls are suddenly irrelevant, so firmness, in this case, is about staying the course in maintaining those controls.
So, for each of us, what are our own mental postures—the attitudes and predispositions we have as we observe, orient, decide and act—and how do these postures affect our work as security professionals? How can we balance firmness and flexibility in the right way to be the most effective?
*For a brief exploration of the Observe-Orient-Decide-Act mental process, start at 14:00 of the “Ignite”-style presentation on leadership lessons learned as a U.S. Marine, delivered at the NASCIO Conference 2016.
**The recently-deployed Continuous Diagnostics and Mitigation program, managed by the U.S. Department of Homeland Security, found that on average, federal agencies had 44% more devices connected to their networks than they had expected: https://www.cyberscoop.com/dhs-cdm-cyber-tool-finds-huge-shadow-information-technology-federal-agencies/