CyberJAGO Thoughts & Opinions


Sharing a Pragmatic View of Cybersecurity

Back to the Basics; The Latest CISO Thriller!

We must get back to the basics!

Even now we still don’t cover the basics. 

In many cases, the foundational pieces are not in place, starting with policies and procedures. 

Any program first needs to set rules of the game, and the world of cybersecurity is no different.  We need to establish policies that will be the guiding principles for everything that we do to strengthen our organizations’ security posture.  We need to set down policies that state what outcomes we expect and the things we intend to protect. 

Lagging at the policy level will ripple all the way down into standards, procedures, and everything else.  You are leaving things open to interpretation and not providing the structure you need to ensure consistency, repeatability, and sustainability – elements that are key to the success of any security program. 

One of the problems I continue to see in our industry is that many tend to focus heavily on technology, but the benefits and expected outcomes of such investments never materialize because the fundamentals are not set up.  It is like having a racing car.  You might have the best car ever made, but if you do not have a great driver, the chances of winning any races are slim.

In our world, good technology is not going to produce the desired results unless we implement an efficient program, with the necessary policies, processes, and skills.   Yet, many expect that specific technologies will solve our problems; this is still very prevalent in our industry. 

It is time to change that mindset.  Although it may slow things down initially, the first thing you need to do is to establish the right policies for your organization.  Like anything we build, the foundation is the most important thing: it is what keeps the structure from collapsing.  It is also the glue that keeps a program together.  

Once your policy is set, you must branch out to specifics, like standards and procedures. 

Because of limitations in resources and budget, I strongly believe we should focus on good detection and the elements needed to ensure it.  We need to be extremely good at detection; the faster we detect something, the faster we can react and stop it.

Secondly, we cannot defend something we do not know exists.  Today it would be exceedingly rare to find an organization with great asset management.  That is a huge problem.  Not so long ago everything you owned resided within your own four walls.  That is not the case anymore. 

You’ve got to know what you need to defend and have a process in place to update your assets.  This way your information about them is consistent, repeatable, and sustainable. 

Once you know where every asset is, what it does, and who owns it, then you can start building your detection capabilities and selecting the technologies you need.  Consolidating and aggregating this information is a logical next step.  Afterwards comes the process of refinement.  This step avoids getting overloaded by information that is irrelevant.  At this stage you are reliably getting alerts with a low false-positive rate while increasing the efficacy of your security operations center (SOC).

Integrated with all this, incorporate a robust change management process to ensure you are up to date on anything that happens in the environment.  Detection and change management go hand in hand and are foundational for any organization.

Finally, you start strengthening and building on the security principles of confidentiality, integrity, and availability.  You start locking down access and establishing the right roles and responsibilities to gain control of things.

If, in fact, we want a return on our investments, we must get the basics in place and shy away from shiny objects.
