Last Updated on March 16, 2023
The pandemic has hit many cybersecurity programs with a one-two punch. Not only has COVID-19 exacerbated enduring issues like budget and talent constraints, it has also introduced new problems, like vaporizing the perimeter we used to keep data behind. “I think there’s a significant opportunity for providers, vendors, manufacturers and the folks who are responsible for actually managing risk in organizations to really hit the reset,” Reg advises. “We kind of messed some things up in the first ten years. Trust is a problem, complexity, the perimeter, all of this stuff… If we don’t take this opportunity to hit reset, we’ve missed a real chance at starting over in some ways.”
But while we might wish we could just crawl under a rock and wait this out, the times call for cybersecurity practitioners to rise up and find opportunities within these massive challenges.
Industry thought leader Reg Harnish has been advising cyber professionals to “really hit the reset button” and rethink what we’re doing. A recent guest on The Virtual CISO Podcast, Reg is founder and former CEO of GreyCastle Security, CEO of the MSSP OrbitalFire and founder and CEO of the cyber advisory firm Slingshot Cyberventures.
But obviously we can’t restart security from Ground Zero. What should “hitting reset” look like? From Reg and podcast host John Verry, Pivot Point’s CISO and Managing Partner, here are 5 ideas:
One: Go data-centric
They don’t call it information security for nothing. With new regulatory mandates like the California Consumer Protection Act (CCPA) and the DoD’s Cybersecurity Maturity Model Certification (CMMC) making nonnegotiable demands on many information governance programs, now is the time, as Reg puts it, to: “Know your data—what you have, its importance, its criticality, its replacement value. Understand its classification and what it’s worth to the business, and then focus your controls on the stuff that’s actually important… And get rid of the stuff that isn’t producing a return for the business. With storage being cheap, we got into this mode where we were just collecting everything… But if data’s not producing output, then it’s just a liability.”
“We’ve got to be better stewards of data,” Reg continues. “If you look at everything from ISO 27001 to NIST 800-171, the first step in every one of these processes is ‘inventory your data.’ And everyone just seems to skip that step. I think it’s going to be even more important going forward.”
Two: Be more supportive of the business vision and mission
For Reg, aligning security with business vision starts with figuring out, “… how to translate complex cybersecurity concepts into business language.”
Reg uses a personal fitness analogy: “Ask yourself, is it worth going for a walk or maybe you run, or do you do pushups, do you eat a salad, to get more sleep, drink more water? What’s it worth to you? … Is what I’m doing worth it, and have I reached my goal?”
Three: Get the basics right
As Reg and John both note, going back to the basics doesn’t mean nuking your cybersecurity program into the Stone Age. It’s more about doing what’s proven to always work and demonstrate a strong ROI—but with a focus on improving execution.
Practically nobody disputes that foundational security controls like encryption, patch management and data backups are core business survival strategies. But are we consistently encrypting sensitive data? Do we routinely test our backup/recovery process? Do we conduct regular vulnerability assessments to make sure all our systems are patched?
If not, then spending money (and admin effort) on “higher level” controls like threat modeling is putting the cart before the horse.
Four: Reallocate human resources
Along with shifting priorities and processes, we’ll also need to shift our people. For many firms, this could mean leveraging outsourcing.
“We’re going to figure out how to virtualize our workforce in a way that makes sense, because if you look at any of the frameworks, I mean, there’s thousands of controls. A couple of people can’t be masters of thousands of controls,” Reg states. “So we’re going to figure out how to get experts working in every one of those areas without having to hire an expert. Everyone needs an encryption expert, but you might only need them for four hours a month. So you’ve got to figure out how to attract, and retain, and deploy, and allocate, and manage resources in a completely different way.”
Five: Do the absolute minimum
Implementing the absolute minimum security posture you need to mitigate risk in alignment with risk tolerance is actually a best practice. As John highlights: “ISO 27001 basically says implement controls that are proportional to your particular contextual risk and your risk appetite. So it’s not ‘do more.’ When someone says to me, ‘We’d like to do everything ISO 27002 says,’ I say, ‘Wait a second… What are you doing now? How do we know that’s not already effective?’”
“By aspiring to do more that’s unnecessary, what we’ve done is increase the complexity,” adds John. “Which increases the risk that we’re going to make a mistake on the stuff that was already working. Or we run the risk that when I get to my certification audit I didn’t do two of the twelve things I said I was going to do, despite the fact that eight of the twelve were all I really needed anyway. So now I’ve got a nonconformity and also I have an issue in my environment that I didn’t have before.”
“An effective risk management program helps ensure you do the absolute minimum you need to, to manage risk to an acceptable level,” agrees Reg. “I’m encouraging everyone to figure out what you can throw away, stop paying for, turn off or get rid of—to scale back and think about the things that are really working. Because if you’re doing more than you need to, you just wasted the company’s money or your customer’s money.”
If your security program is facing hard questions from stakeholders on issues like ROI or a lack of trust and confidence, there’s never been a better time to hit reset on how you operate and how you communicate.