Roger Grimes on Prioritizing Cybersecurity Recommendation
This can be a good level:
A part of the issue is that we’re consistently handed lists…listing of required controls…listing of issues we’re being requested to repair or enhance…lists of latest tasks…lists of threats, and so forth, that aren’t ranked for dangers. For instance, we are sometimes given a cybersecurity guideline (e.g., PCI-DSS, HIPAA, SOX, NIST, and many others.) with a whole bunch of suggestions. They’re all nice suggestions, which if adopted, will cut back threat in your setting.
What they don’t inform you is which of the beneficial issues may have probably the most affect on greatest lowering threat in your setting. They don’t inform you that one, two or three of this stuff…among the many a whole bunch which were given to you, will cut back extra threat than all of the others.
[…]
The answer?
Right here is one huge one: Don’t use or depend on un-risk-ranked lists. Require any listing of controls, threats, defenses, options to be risk-ranked in line with how a lot precise threat they may cut back within the present setting if carried out.
[…]
This particular CISA doc has no less than 21 important suggestions, a lot of which result in two or extra different extra particular suggestions. General, it has a number of dozen suggestions, every of which individually will seemingly take weeks to months to satisfy in any setting if not already completed. Any individual following this doc is…rightly…going to be anticipated to judge and implement all these suggestions. And doing so will completely cut back threat.
The catch is: There are two suggestions that WILL DO MORE THAN ALL THE REST ADDED TOGETHER TO REDUCE CYBERSECURITY RISK most effectively: patching and utilizing multifactor authentication (MFA). Patching is listed third. MFA is listed eighth. And there’s nothing to point their means to considerably cut back cybersecurity threat as in comparison with the opposite suggestions. Two of this stuff usually are not like the opposite, however how is anybody studying the doc purported to know that patching and utilizing MFA actually matter greater than all the remainder?
Posted on October 31, 2024 at 11:43 AM •
0 Feedback
