While businesses are as unique as the products or services they sell, CISOs across the board grapple with the common challenge of crafting an effective security program for their respective organizations.
Why is it that effectively protecting an organization’s most sensitive data and technological capabilities is so confounding?
I recently had the pleasure of sitting down with Dewaye Alford, VP of Security Operations at Digital Hands, and posed this precise question. He agreed with the premise and added that a second, and arguably equally significant, challenge facing many companies today is their inability to effectively detect suspicious or malicious activity. In facing these challenges, he said that organizations must always start with their users, and many do not.
“Users are your biggest weak point,” he claimed, “and they are the hardest to detect problems for.” Identifying how an organization’s users interact within its network and environment is key to beginning the process of building a sound security program, something which many overlook as they turn to one of the many enticing commercial turn-key security solutions.
Indeed, there is no shortage of out-of-the-box security solutions, and many companies are seduced by the slick ads prevalent in the marketplace today that promise the world as far as cybersecurity is concerned.
“We get the fun of working with a lot of security tools,” shared Alford, “and a lot of them promise some sort of silver bullet. Unfortunately, we have found that that’s not usually the case.”
Citing a particular instance when he had to work with an organization’s developers and engineers to make an out-of-the-box platform work, he said that what the company had purchased had to essentially be rebuilt from scratch and was a complete waste. There really is no one-size-fits-all, and if starting with users is the key, then that should come as no surprise as every set of users is unique.
When companies do end up purchasing an out-of-the-box product, it appears that many CISOs have neither the time nor the inclination to test that product thoroughly, and Alford recommended what he termed “the closed loop process” for addressing potential problems.
He explained that when first setting out to identify an appropriate new product for a security control, a CISO ought to determine what the goals for that product or service are in the first place. Once those goals have been solidly ascertained and clearly defined, they should implement the product against those goals. The next step is to rigorously test the product to ensure it is meeting the stated goals, and finally, the test results should be reviewed and analyzed. Once all of that has been done, in that exact order, the CISO should circle back to the original goals and see whether any adjustment is needed based on what they have now seen. It should become a continuous cycle of investigation and testing, initiated every single time a new step or product is introduced into an organization’s security program.
And despite the multiple and repetitive steps, “cybersecurity needn’t become complex or cumbersome,” he assured me, and outlined the five steps that he commonly shares with CISOs from small organizations to large enterprises, who he said, “basically all have the same requirements.” They include:
He cautioned that testing is only effective if it is conducted in the correct order - only once steps 1-4 have already been applied. And, of course, all of this will be meaningless if people work within their own silos, without communication, collaboration, or commitment to the governance set out by the organization. It must be comprehensive and applied across the board.
In the end, “Cybersecurity can be simple,” said Alford, “not easy, but simple. It just takes a sound strategy to pull it all together.”
Indeed, in our ever-evolving and complex cybersecurity landscape, some things can still be relied upon to remain simple.