Cybersecurity is all about risk management and reduction. You cannot get rid of all risk. Well, I guess you could, but you (and everyone else) would probably not want to work in a true zero-risk environment.
It would be too locked down, super slow, and incredibly inflexible. Cybersecurity is all about identifying the most likely and impactful risks and reducing them.
To repeat, cybersecurity is about risk management. Identify the biggest risks and mitigate those the best you can. That is your job.
Unfortunately, most within the industry don’t do it well. There are thousands of threats and hundreds of shiny objects that distract most cyber defenders away from directly focusing on the most important risks. We are distracted and focusing on less risky things while not focusing on the right, more likely, more damaging risks. It is literally the number one reason why hackers and their malware creations are so continually successful over the decades.
I do not blame most defenders. We are tasked with protecting all the valuable digital data, but our industry almost never uses or talks about our own industry’s data to drive what we should be focusing on first and best. I know, it is ironic.
Part of the problem is that we are constantly handed lists…list of required controls…list of things we are being asked to fix or improve…lists of new projects…lists of threats, and so on, that are not ranked for risks. For example, we are often given a cybersecurity guideline (e.g., PCI-DSS, HIPAA, SOX, NIST, etc.) with hundreds of recommendations. They are all great recommendations, which if followed, will reduce risk in your environment.
What they do not tell you is which of the recommended things will have the most impact on best reducing risk in your environment. They do not tell you that one, two or three of these things…among the hundreds that have been given to you, will reduce more risk than all the others.
More often we are told we need to do all the hundreds of things well at once. And no one can do more than a few things very well at once. And so, defenders are very likely to concentrate on things that will not impact risk while at the same time, not focusing as much on things that matter more. It is bound to happen. The list of controls is not risk-ranked. And any time anyone is concentrating more on a less risk-reducing control means you are being less efficient at reducing risk than you otherwise could.
The solution?
Here is one big one: Do not use or rely on un-risk-ranked lists. Require any list of controls, threats, defenses, solutions to be risk-ranked according to how much actual risk they will reduce in the current environment if implemented.
This is easy to say and harder to do.
But any time you see an unranked list of cybersecurity things, risk-rank it as the first step, before you start to consider which ones you will rely on. Everything else is inefficient.
It does not help that nearly every “official” cybersecurity document with recommendations or requirements is ALWAYS un-ranked. All the recommendations, good at reducing risk or not so good, are co-mingled together, often randomly, or in ways that defy explanation.
Here is a recent example: CISA’s Proposed Security Requirements for Restricted Transactions.
I am a huge fan of the Cybersecurity Infrastructure Security Agency (CISA), and Director Easterly and her staff. I think they have the best U.S. government agency dedicated to fighting hackers and malware ever! But I am a bit of an editor on their published documents. Specifically, CISA documents are often full of unranked recommendations (and sometimes missing some critical ones).
This specific CISA document has at least 21 main recommendations, many of which lead to two or more other more specific recommendations. Overall, it has several dozen recommendations, each of which individually will likely take weeks to months to fulfill in any environment if not already accomplished. Any person following this document is…rightly…going to be expected to evaluate and implement all those recommendations. And doing so will absolutely reduce risk.
The catch is: There are two recommendations that WILL DO MORE THAN ALL THE REST ADDED TOGETHER TO REDUCE CYBERSECURITY RISK most efficiently: patching and using multi-factor authentication (MFA). Patching is listed third. MFA is listed eighth. And there is nothing to indicate their ability to significantly reduce cybersecurity risk as compared to the other recommendations. Two of these things are not like the others, but how is anyone reading the document supposed to know that patching and using MFA really matter more than all the rest?
And I am ignoring that the biggest possible risk reducer…that of giving aggressive security awareness training to your employees which is better at reducing risk than any of them added up all together…is not even mentioned. But I do not want to get off topic.
And this is a huge problem that does not get enough focus.
If someone is breaking into your house over and over, using the windows, what good is putting more locks on your door going to do? But imagine that thieves are breaking in through your windows and the people gave 20 things to do, only one of which was to better secure your windows, and that recommendation was co-mingled in the middle with all the rest. How likely would a homeowner be to look at the list of 20 things and figure out that one of the things in the middle would solve their problems and all the other things in front and around it would not matter at all?
Well, that is how we often practice IT security. We make lots of recommendations…hundreds of recommendations, but we usually do not pick out the ones that mean more than all the others. We certainly do not highlight them.
And so, we end up teaching ourselves to work in a distracted manner trying to implement a ton of things that really will not matter that much while often neglecting the things that will matter. It is not that we neglect them completely or ignore them…it is just that they are added into the dozens to hundreds of things as if they have the same importance. And they do not.
If you want to become a superior computer security professional, stop creating or accepting lists of un-ranked things. When you create a list of things that require action of some sort, rank them. If you create a list of controls, risk-rank them. If you create a list of things that need to be fixed, risk-rank them. If someone hands you a list of un-ranked things, hand it back and tell them to risk-rank them…or rank them yourself before performing.
Running off to do a bunch of things before you risk-rank them just is not very efficient. If your objective is to best reduce risk as efficiently as you can, risk-rank everything that should be risk-ranked. Stop accepting un-risk-ranked lists. Become known as the person in your company that does not accept un-risk-ranked lists. If you do it, more people in your organization will do it. And you can build a great career solely on being a person that does that…because most practitioners do not.
If you are interested in more of this type of common sense wisdom, I wrote a best-selling book on the idea called A Data-Driven Computer Defense. It has sold over 50,000 copies over three editions. Or you can just follow my free articles on the KnowBe4 blog because I am a broken record about the subject.