Roger Grimes on Prioritizing Cybersecurity Recommendation
It is a good level:
A part of the issue is that we’re continually handed lists…checklist of required controls…checklist of issues we’re being requested to repair or enhance…lists of recent initiatives…lists of threats, and so forth, that aren’t ranked for dangers. For instance, we are sometimes given a cybersecurity guideline (e.g., PCI-DSS, HIPAA, SOX, NIST, and so on.) with lots of of suggestions. They’re all nice suggestions, which if adopted, will scale back danger in your surroundings.
What they don’t inform you is which of the really helpful issues can have probably the most influence on greatest decreasing danger in your surroundings. They don’t inform you that one, two or three of this stuff…among the many lots of which have been given to you, will scale back extra danger than all of the others.
[…]
The answer?
Right here is one massive one: Don’t use or depend on un-risk-ranked lists. Require any checklist of controls, threats, defenses, options to be risk-ranked in keeping with how a lot precise danger they’ll scale back within the present surroundings if applied.
[…]
This particular CISA doc has no less than 21 foremost suggestions, a lot of which result in two or extra different extra particular suggestions. Total, it has a number of dozen suggestions, every of which individually will probably take weeks to months to satisfy in any surroundings if not already completed. Any individual following this doc is…rightly…going to be anticipated to judge and implement all these suggestions. And doing so will completely scale back danger.
The catch is: There are two suggestions that WILL DO MORE THAN ALL THE REST ADDED TOGETHER TO REDUCE CYBERSECURITY RISK most effectively: patching and utilizing multifactor authentication (MFA). Patching is listed third. MFA is listed eighth. And there’s nothing to point their means to considerably scale back cybersecurity danger as in comparison with the opposite suggestions. Two of this stuff will not be like the opposite, however how is anybody studying the doc purported to know that patching and utilizing MFA actually matter greater than all the remaining?