The Top Three Challenges with Most InfoSec Programs
There are a few universal challenges when it comes to most cybersecurity programs. Here's how you can help your company around them.
Cybersecurity might appear like a world of high-stakes espionage and thrilling problem-solving, but the reality is often less glamorous.
The foundation of a robust security program is built on mastering the fundamentals, understanding the value of compliance, and fostering a culture of collaboration.
Here is my take on these three core challenges and strategies to overcome them.
1. BoringSec: Getting good at the boring parts of security
Cybersecurity is an ever-changing field that looks flashy and fun.
From the outside, it looks like we spend our whole day thwarting attacks and hunting down bad guys. For some roles, this is true, but most of the work is setting up fundamental building blocks.
Most of the building blocks are... boring.
Most of the work in cybersecurity is not about hacking or bug bounties.
Most of the work in cybersecurity is about the basics. It’s about getting really good at the blocking and tackling of detecting, responding, and remediating.
This "boring" work is actually what makes up most of cybersecurity work. It isn't boring to most practitioners; it's just not as flashy as Twitter can make it out to be.
A company's "security hygiene" is the most significant challenge I have faced in my career. It is often a tedious part of running a successful security program, but it is an area that pays dividends.
The "boring" parts of security in my experience include, but are not limited to:
Knowing your network (It is the top CIS control for a reason)
Endpoint agent health and saturation
Using the functions and features you paid for smartly (this takes time and balance)
Getting very good at patching (whether through patch deployment or rehydration)
Updating base operating system (OS) images
Making the tools run themselves
Keep an inventory of authorized and unauthorized devices on your network. It is the top CIS control for a reason and, subsequently, one of the most challenging things to do.
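The inventory and agent-health items above are the kind of check that should run itself. As an added example (not code from the original post), the script below reconciles three constructed data sets that such a program typically has on hand: a CMDB export, the hosts actually observed on the network (for instance from DHCP leases), and the last check-in table from an endpoint agent. It flags devices seen on the wire that nobody authorized, inventoried hosts that never show up, live hosts with no agent, and agents that have gone silent, and it computes agent coverage as a single number you can trend. The field names, the 24-hour staleness window and all sample records are assumptions for illustration.

```python
"""Asset-inventory and endpoint-agent reconciliation (added example, not from the post).

Assumed inputs (all constructed below): a CMDB export, an observed-host list
and an EDR check-in table, each a list of dicts that carries a MAC address.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class ReconciliationReport:
    unauthorized: list = field(default_factory=list)   # observed on the network, not in the CMDB
    unseen: list = field(default_factory=list)         # in the CMDB, never observed
    agent_missing: list = field(default_factory=list)  # live inventoried host with no agent record
    agent_stale: list = field(default_factory=list)    # agent present but silent for too long
    agent_coverage: float = 0.0                        # healthy agents / live inventoried hosts


def _norm_mac(mac: str) -> str:
    """Normalize aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF and aabb.ccdd.eeff to one form."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def reconcile(inventory, observed, agent_checkins, now, stale_after=timedelta(hours=24)):
    """Compare the three sources keyed by MAC and return a ReconciliationReport."""
    inv = {_norm_mac(d["mac"]): d for d in inventory}
    seen = {_norm_mac(d["mac"]): d for d in observed}
    agents = {_norm_mac(d["mac"]): d for d in agent_checkins}

    report = ReconciliationReport()
    for mac, dev in seen.items():
        if mac not in inv:
            report.unauthorized.append({"mac": mac, "ip": dev["ip"]})
    for mac, dev in inv.items():
        if mac not in seen:
            report.unseen.append({"mac": mac, "hostname": dev["hostname"]})

    # Agent health only makes sense for hosts that are both inventoried and live.
    live = [mac for mac in inv if mac in seen]
    healthy = 0
    for mac in live:
        hostname = inv[mac]["hostname"]
        agent = agents.get(mac)
        if agent is None:
            report.agent_missing.append({"mac": mac, "hostname": hostname})
            continue
        age = now - agent["last_seen"]
        if age > stale_after:
            report.agent_stale.append({"mac": mac, "hostname": hostname, "hours_silent": age.total_seconds() / 3600})
        else:
            healthy += 1
    report.agent_coverage = healthy / len(live) if live else 1.0
    return report


# Constructed sample data; "now" is pinned so the example is reproducible.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

INVENTORY = [  # assumed CMDB export
    {"hostname": "ws-001", "mac": "00:11:22:33:44:01", "owner": "finance"},
    {"hostname": "ws-002", "mac": "00:11:22:33:44:02", "owner": "finance"},
    {"hostname": "srv-db1", "mac": "00:11:22:33:44:03", "owner": "platform"},
    {"hostname": "lap-004", "mac": "00:11:22:33:44:04", "owner": "sales"},
]
OBSERVED = [  # assumed DHCP lease dump; note the mixed MAC formats
    {"ip": "10.0.0.11", "mac": "00:11:22:33:44:01"},
    {"ip": "10.0.0.12", "mac": "00-11-22-33-44-02"},
    {"ip": "10.0.0.13", "mac": "0011.2233.4403"},
    {"ip": "10.0.0.99", "mac": "de:ad:be:ef:00:01"},
]
AGENT_CHECKINS = [  # assumed EDR console export
    {"mac": "00:11:22:33:44:01", "last_seen": NOW - timedelta(hours=1)},
    {"mac": "00:11:22:33:44:02", "last_seen": NOW - timedelta(days=3)},
]


def run_example() -> ReconciliationReport:
    return reconcile(INVENTORY, OBSERVED, AGENT_CHECKINS, NOW)


if __name__ == "__main__":
    r = run_example()
    print("unauthorized:", r.unauthorized)
    print("unseen:", r.unseen)
    print("agent missing:", r.agent_missing)
    print("agent stale:", r.agent_stale)
    print(f"agent coverage: {r.agent_coverage:.0%}")
```

Run on the sample data, the report shows one unknown device at 10.0.0.99, one inventoried laptop that never appeared, one server with no agent and one workstation whose agent has been silent for three days, for 33% coverage. The useful part is not the numbers but the habit: schedule the reconciliation, alert on the unauthorized and agent_missing lists, and trend agent_coverage so that saturation problems surface before an incident does.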
Solving this challenge takes time but is the easiest of the three in this post.
2. Navigating Compliance: More Than Just a Checklist
Compliance doesn't equal security
Security practitioners have been saying this for decades, and it's true. Compliance is not the full picture of security.
Security practitioners say compliance frameworks are always behind and irrelevant to modern threats. This may be true in some cases, but not meeting those requirements can be downright negligent.
Even still, compliance can add value to your security program and to your business. In some industries, it's the price you pay to play.
Lean into the groups and external partners that hold your program accountable. Help them understand where the relevant risks are and what you're doing to knock those down.
Will you put in place controls that add little security value? Yes.
Will you be better off doing it? Also yes.
Leaning into the value here keeps your stakeholders happy and creates a clearer path to getting even more value out of your security program.
3. Shifting from a "No" to a "Yes" Culture in Security Teams
The immediate answer of "no" from cybersecurity teams is one of the biggest challenges, and it holds many cyber programs back from being taken seriously.
Change the mindset. Go from being a "No, you can't do this" organization to a "Yes, you can do this if you do these things too."
Shadow IT and circumventing security were born from the "no."
Create a better culture by proactively going out and talking to the rest of the company. Don't wait for people to find you, go find them.
Seek to understand. Seek to communicate risk and trade-offs. Have an opinion on a path forward, but know that the security team may not always have all the answers. Ask for help. Ask what's possible.
Learning should be happening all around. Work together to get to "yes."
Getting good at the boring parts of security
Finding the value in compliance and moving security beyond regulations
Getting past the immediate "no" from the security group itself
There is no magic bullet to solve these problems. Each company has a different culture and set of challenges, but getting everyone on the same page is key. It lets your security program and company move on to the more strategic (and fun!) parts of security.