Roger Grimes For Prioritizing Cybersecurity Advice
This is a good point:
Part of the problem is that we are constantly given lists…lists of required controls…lists of things we are asked to fix or improve…lists of new projects…lists of threats, etc., that can be counted as risks. For example, we are often given a cybersecurity guide (e.g., PCI-DSS, HIPAA, SOX, NIST, etc.) with hundreds of recommendations. They are all good recommendations, which, if followed, will reduce the risk in your area.
What they don’t tell you is which recommended items will have the most impact on reducing risk in your area. They don’t tell you which one, two or three of these things…out of the hundreds you’ve been given…will reduce the risk the most.
[…] The solution?
Here’s a big one: Don’t use or rely on risk-unranked lists. Require any list of controls, threats, protections or solutions to be ranked according to how much actual risk each will reduce in the current environment if implemented.
[…] This particular CISA document has at least 21 recommendations, many of which lead to two or more specific recommendations. Overall, it has several recommendations, each of which will likely take weeks to months to implement in any area if it has not already been implemented. Any person following this document…properly…will be expected to check and apply all those recommendations. And doing so will completely reduce the risk.
The takeaway is: There are two recommendations that DO MUCH MORE TOGETHER TO REDUCE CYBERSECURITY RISK in the most effective way: patching and implementing multifactor authentication (MFA). Patching is listed third. MFA is listed eighth. And there is no indication of their ability to significantly reduce cybersecurity risk compared to the other recommendations. No two of these things are the same, but how is anyone reading the document supposed to know that patching and implementing MFA is more important than all the others?
Posted on October 31, 2024 at 11:43 AM