Cyber Security + Compliance Controls: What Does It All Mean, Rick?
I’m sure you have all seen the Rickie Fowler commercial where the interviewer rants about all of the confusing financial terms involved with getting a mortgage. If not, you can find it below:
Confusion in Cyber Security
Throughout my career, I have worked with hundreds of organizations. Regardless of the vertical or size of the organization, I have found that many executives and security professionals feel like the interviewer in the Rickie Fowler commercial when it comes to their organization’s digital security. They don’t know where to start, for instance, nor are they aware of where and how today’s ever-evolving risks and threats affect the respective organization. As a result, they’re not sure how to best invest in digital security, focus their limited personnel around defending against digital threats and/or build a sustainable and effective security and compliance program.
In my line of work, it has also been my experience that foundational controls are often taken for granted, overlooked, considered boring and/or simply ignored. Compliance is, for the most part, a reactive process. Organizations throw everything and everyone at preparing for an audit, only to go back to business as usual when it’s over until the next audit cycle.
Like the interviewer in the Rickie Fowler commercial, business and security executives face a daily barrage of sales calls claiming that they can strengthen their organization’s digital security by buying the new shiny thing. In their pitch, the sales person references all of the new digital threats that are in circulation, all of security terms that are applicable to these risks and how they can, in turn, use this new shiny thing to solve all of their security and compliance challenges. Business and security executives then inevitably turn to their teams, like the interviewer in the Rickie Fowler commercial, and they ask a series of rapid-fire questions. “What does it all mean?” “Should we be doing this?” “Are we doing this? “Why aren’t we doing this?” If you’ve ever seen Finding Nemo, you’ll understand when I refer to this phenomenon as the Dory Affect.
It’s not like I don’t understand. I get how everyone wants the shiny new toy. They’re cool, they’re pretty and they’re fun to work with. Focusing on old foundational controls is boring and can be tedious for today’s young security analysts and even us older cybersecurity professionals. Yet investments in these shiny new toys usually fail to provide a timely ROI and end up exposing a weak foundation. This, in turn, causes organizations to go into reactive mode by shelving the new shiny toy and scrambling to shore up a weak foundation. Some good that did.
But it’s not like organizations can avoid cybersecurity altogether, either. Unfortunately, it is still an all too often and common occurrence to read about yet another organization that has fallen victim of a security or compliance incident. This type of experience also forces organizations into a reactive mode where they might be inclined to purchase a shiny new toy so as to diminish growing public outcry in the wake of a breach.
Creating a Strong Foundation for Your Security ‘House’
In most cases, such a security incident usually boils down to weak cybersecurity and compliance controls. By contrast, a strong cybersecurity and compliance foundation doesn’t just help organizations better utilize their limited resources and budgets. It also creates the groundwork for building a sturdy structure that can weather future storms. From this secure basis, organizations can build the frame of their house according to the Golden Triangle: skilled and talented cybersecurity professionals, effective processes for vulnerability management and other essential security programs as well as tools for facilitating the organization’s defense against threats.
Once the house is built, it’s time for organizations to continually inspect their homes for weaknesses. Irfahn Khimji, regional manager for Canada at Tripwire, is familiar with this step in this process. He explains in a blog post that organizations will be successful only when they examine both the inside and outside of the home:
The challenge comes if the organization is limited to an Outside-Only view or an Inside-Only view. With the Outside-Only view, the scope of assessment is limited to only that which is visible externally. While one can see what an external attacker would see, it does not give a true representation of the overall risk of the asset. With the Inside-Only view, the vast majority of risk is assessable, but there will always be a small view that can only be seen from the outside.
The challenge, of course, is to find the right platform that can balance both of these approaches.
Shoring Up Your Security Foundation with Tripwire
Like Rickie Fowler recommending the interviewer contact a financial organization to make sense of his struggles, I’d recommend that you take a minute to visit Tripwire’s website. There you can learn more about how Tripwire’s products use cybersecurity and compliance controls to build that strong foundation for its customers. When you’re ready, you can then reach out to Tripwire knowing that we’ve got your organization’s security groundwork covered.
From the enterprise to the cloud, from the shop floor to managed services, Tripwire is a recognized leader in providing foundational cyber security controls and compliance solutions. You can learn more here.