Last Updated on February 23, 2023
One of the problems with achieving “security” is defining what that means. A great benefit of trusted frameworks like ISO 27001 and NIST 800-53 is they put parameters around security: if you can demonstrate you are operating these controls to mitigate those risks then you are secure.
But a great challenge with trusted frameworks is their comprehensiveness (aka complexity). Plus, as we all know even continuous compliance does not automatically equal security.
Where can we look beyond trusted frameworks to verify our security is working?
To reframe the questions about how to “protect the nation’s cyberspace” as well as our individual organizations, a recent episode of The Virtual CISO Podcast features Ron Gula, President at Gula Tech Adventures and formerly co-founder and CEO of Tenable Network Security. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.
More big-picture focus is needed
Ron views security as “a higher kind of function” from standards compliance. “How can I be attacked?” asks Ron. A lot of times people don’t sit down and think about, ‘What are all the things that could go wrong here?’ And then how do you go looking for those things.”
“More often than not, I don’t see people thinking about these bigger-picture decisions that are making the smaller, tactical, ‘Am I secure and how do I secure it?’ questions a lot, lot harder,” Ron asserts.
Cybersecurity is risk management
Cybersecurity arguably amounts to information-related risk management backed by comprehensive risk assessment practices. So, do we have an industry-wide risk assessment problem that manifests as weak security?
“Because if we didn’t [suck at risk assessment], then how is this going to happen? How am I going to be negatively impacted?” wonders John.
The sheer complexity and distinctiveness of the IT environments we’re trying to defend could be the ultimate stumbling block. Solution sets can prove too generic in application to get the whole job done.
Balancing operational efficiency with security controls
All things being equal, simpler is better. Yet trying to homogenize everything can hamper IT’s ability to meet business needs.
“It’s always that challenge of effectiveness and efficiency of operation versus information security implementation,” John clarifies. “If you have an immutable device, that’s going to win every time in terms of long-term security. The question is, will it negatively impact your competitiveness?”
To hear this thought-provoking discussion with Ron Gula and John Verry all the way through, click here.
Can cybersecurity be a business enabler and not a cost sink? This podcast explains how: EP#65 – Chris Dorr – Why Information Security Is Key to Business Strategy