Do your cybersecurity actions make sense?
Sometimes we cybersecurity folks can get carried away. More recommendations! More! More! You would think we were getting paid by the recommendation. Allow me to suggest that questioning whether the security recommendation some testing tool throws out actually makes sense is a sign of a mature program.
I recently wrote an article saying cybersecurity is really about risk management. (Read about that here.) I am revisiting the subject after reflecting on the confluence of some recent cybersecurity events.
- Completion of an information security audit for a foundation.
- Work on NIST 800-171 compliance for a couple of commercial customers.
- Planning for a TAG session (San Antonio here I come!) on grantee cybersecurity.
In each of these activities I have come, in different ways, to that question, “does this security action make sense?” I will elaborate.
Information Security Audit
During our information security audit with a foundation customer, we looked at each of their online services and checked to see if multifactor authentication (MFA) was in place. It turned out that there was one online service that did not have MFA enabled. After some discussion, we concluded that the service did not need MFA, for a couple of reasons. The service does not store any user data. Nor does the service interact with any other online services. Finally, only one staff member uses the service. As cybersecurity purists, we might want to recommend enabling MFA for this service. When we ask whether that security action makes sense, we must say no.
Getting to Know NIST 800-171
We are conducting an audit for a couple of customers that expect they will need to show compliance with the NIST 800-171 security standard. I mentioned in an earlier post that we were using a tool, ComplyUp, to manage the audit process. There are about 150 questions to answer as part of the audit. What I like about the ComplyUp tool is that it provides context for why each question is being asked. There might be ten questions associated with each sub-area of the standard. These questions imply that you should be taking certain actions to provide an appropriate level of security.
Because of the context that the tool provides, we are better able to understand if each recommended cybersecurity action makes sense to implement. For instance, we know that one of these customers runs all their applications in the cloud. As a result, a recommendation to use virtualization and a VPN does not make sense and can be ignored.
TAG Session Planning
I had a call with two colleagues a few days ago to plan for a session that we will be putting on at the upcoming TAG conference. One of my peers introduced the phrase, “progress over perfection.” Her point was that it is more important to make progress on your information security program than it is to wait until you can do a perfect job. This is especially true for organizations just beginning to plan out their cybersecurity programs. These organizations can easily become overwhelmed looking at the myriad security actions being suggested. Once again, it is valuable to step back and ask if a given security action makes sense to implement.
Can the Tool Tell You Why?
We use several tools in our information security audits. We like the way these tools can quickly scan websites and IP addresses looking for software modules that are not running the current software version. Of course, the tools also generate associated security actions.
The bottom line? It is OK to ask if a security action makes sense. You can and should choose how far to go in implementing recommended security actions. Cybersecurity tools are getting more intelligent all the time. Right now, though, they lack the maturity that you can bring in evaluating which security actions make sense and which do not.