Phone: 516-336-9880. Email: firstname.lastname@example.org
We Transform Cybersecurity Risks into Highly Valued Outcomes
Despite innovation and new tools, poor cyber hygiene continues to occur across both small and large enterprises. Why does this keep happening? The short answer is smart tools are not and never will be the panacea for dumb monkeys! In lieu of wasting time and money on lots of smart tools, consider educating the monkeys, or hiring smart monkeys in the first place.
Security in any organization is never going to be perfect. The truth is it is only as good as its weakest link and sometimes the weakest link is the leadership or the rainmakers responsible for generating the lionshare of revenues used to pay for everything. Consequently, they don’t want to be told what to do or how to do it. They need to be gently influenced in a manner that shapes and nurtures proper cyber hygiene.
Cyber hygiene should be thought of as the basic obligations we follow to maintain the confidentiality, integrity and availability of valued information.
Valued information can be anything from personally identifiable information to proprietary trade secrets. The estimated value of such information coupled with the likelihood of its integrity, confidentiality or availability being compromised is an academic method of assessing how much we should invest in security controls. For example, we would not buy a $500 lock to protect a $10 bike. But, we might train the rider to take the $10 bike inside to store on a $20 wall mounted bike hanger instead of leaving it outside on a back porch for anyone to take. The value of having the bike available when needed combined with the value of the bike may be enough to justify the decision.
If only managing all information assets were this simple!
Look at any newspaper or news report and it quickly becomes evident that many human beings have a hard time following rules. Our most basic set of rules for humans is the ten commandments:
Yet the human race has a hard time following these ten rules coming from the highest authority. With that in mind, how effective can anyone be at consistently following the plethora of regulatory, compliance and governance rules which continue to manifest not only internationally, but also in the United States on a state by state basis if they have not been ingrained into them repetitively? Just like we know to wash our hands, brush our teeth, shave, use deodorant, maintain our vehicles with oil changes and inspections; we must also know how to manage and care for our information systems based on some very specific controls that are designed to help us stay safe. One resource in particular has simplified a list of 20 such controls which they have broken out into Basic, Foundational, and Organizational control areas. The resource to which I refer is the Center for Internet Security. They are presently on version 7 of the controls, which break down as follows:
In reviewing these controls, pay close attention to the first two basic controls. These are all too often overlooked or mismanaged in many organizations and this almost always comes down to poorly trained monkeys not following a consistent and repeatable process because they thought they could rely entirely upon allegedly smart tools. We say allegedly because in many instances the outcomes are very different from the sales and marketing pitch. Why?
It’s not always the vendors fault. In many instances the client does not invest the time and resources needed to truly understand the care and feeding of the tools. The take away from this should be to keep things lean and mean. Having a team of smart monkeys that are true experts in using a small set of tools to consistently achieve a desired outcome is better than having a team of ignorant monkeys surrounded with tools they have no idea how to use. It’s truly mind boggling how often this very scenario is the on the ground reality in corporate environments, including those that are publicly traded and have a greater fiduciary responsibility to their shareholders.
At Russell Nomer Consulting, we have experienced the good, the bad and the ugly through various engagements. Let our wisdom, our experience and our network of professionals help you transform your cybersecurity risks into highly valued outcomes.
Information is Beautiful is a website that keeps track of reported data breaches. As you look at their content, ask yourself how many go unreported and why?
Also ask yourself how would you know if you have been breached? Many have no idea. Troy Hunt started haveIbeenpwned as a public service to share breach information and what type of data was compromised so that individuals and businesses could see the importance of cyber hygiene why also staying on top of such occurrences.
Check it out for yourself and if you find yourself among the pwned, reach out to us for guidance on three immediate things you can do to help mitigate the risks.