After reading the great list of the Top 10 Worst Cybersecurity Strategies from Matthew Rosenquist I started thinking about what a similar list might look like for best cybersecurity strategies. We often focus on what not to do in cyber…and this makes sense: it’s more efficient to avoid problems.
Where is the advice on what you should be proactively doing? How can we emulate the successes of other successful teams? I offer a lot of stories of how successful organizations have built security habits in my upcoming book, Well Aware…and you should totally preorder my book right now…but here are some of the best overall strategies:
10. Build a Culture of Security – Wait, I thought this was going to be a list about cybersecurity? Well my friends, Culture Eats Cybersecurity For Breakfast. We need to find ways to influence our cultures to make sure our cybersecurity technologies or strategies aren’t bypassed by all those clever humans out there trying to get stuff done.
9. Enable MFA Everywhere – MFA or “Multi Factor Authentication” is table stakes for any organization. This probably won’t happen overnight, but start with your highest priority services and work your way from there. At some point, you’ll be able to start requiring MFA for any new service.
8. Build Relationships – Cybersecurity is a team sport. You need partners. If you believe that “security is everyone’s job” like I do, then get out there and connect with folks so that you’re not doing this alone. Connect with key department managers, or Legal, or your CFO. Make sure you understand their unique needs and motivations and help them solve problems.
7. Log Everything – SIEM is really hard. But the costs of storage are trivial when we compare them to the cost of not being able to answer the question: what the heck just happened? If your tool only has a day or a week of data, you might not be able to correlate events across the whole Cyber Kill Chain.
6. Weave A Tangled Web – With SIEM, you’re looking for a needle in a haystack. Deception technologies flip this on its head so the needles come to you, because the bad guys are the only ones hitting your honeynets, honeytokens, etc.
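To make the logging and deception points concrete, here is an added example (my illustration, not code from the original post or any product): a small detector that runs over retained auth log lines and raises one alert per source IP that touches a planted decoy account or decoy host. The decoy names, the log line format and the sample lines are all constructed for the example.

```python
"""Honeytoken hit detector over syslog-style auth lines (added example)."""
import re
from collections import defaultdict

# Constructed decoys: planted accounts and a fake host that nothing legitimate
# should ever reference, so any touch of them is high-signal.
DECOY_ACCOUNTS = {"svc-backup-old", "admin_tmp"}
DECOY_HOSTS = {"fin-db-legacy"}

# Assumed (constructed) line format: "<ts> <host> sshd: <result> user=<name> from=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) "
    r"user=(?P<user>\S+) from=(?P<ip>[\d.]+)$"
)

def parse_line(line):
    """Return the parsed fields, or None for lines in an unexpected format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def honeytoken_hits(lines):
    """Group decoy touches by source IP; even a single failed attempt is an alert."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable lines are skipped, not treated as hits
        if ev["user"] in DECOY_ACCOUNTS or ev["host"] in DECOY_HOSTS:
            by_ip[ev["ip"]].append(ev)
    return {
        ip: {
            "count": len(evs),
            "accepted": any(e["result"] == "Accepted" for e in evs),
            "decoys": sorted({e["user"] for e in evs if e["user"] in DECOY_ACCOUNTS}
                             | {e["host"] for e in evs if e["host"] in DECOY_HOSTS}),
        }
        for ip, evs in by_ip.items()
    }

# Constructed sample log: normal logins plus two sources touching decoys.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z web01 sshd: Accepted user=alice from=10.0.0.5",
    "2024-05-01T10:00:07Z web01 sshd: Failed user=svc-backup-old from=203.0.113.9",
    "2024-05-01T10:00:09Z fin-db-legacy sshd: Failed user=root from=203.0.113.9",
    "2024-05-01T10:00:15Z web02 sshd: Accepted user=bob from=10.0.0.6",
    "2024-05-01T10:01:00Z web02 sshd: Accepted user=admin_tmp from=198.51.100.7",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for ip, alert in honeytoken_hits(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {alert}")
```

Because decoys have no legitimate users, the alert list stays short even over weeks of retained logs, which is exactly why the needle comes to you.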
5. Practice Makes Perfect – When you experience an incident, we know from research that human cognitive ability decreases significantly. If you conduct drills or tabletop exercises, people are more prepared and know what to do from memory.
4. Be A Part of A Community – If you’re not already connected to the ISAC or ISAO in your industry, these are an incredible resource for you and your team to stay on top of threats. If you are a part of your ISAC or ISAO, make sure you are participating. A rising tide raises all ships.
3. Jump on the Zero Trust Bandwagon – Zero Trust isn’t just an architecture, it’s a philosophy. Microsegmentation is great, but your team needs to understand it and to live it. Do your tools, vendors, or service providers support it? How do you integrate it into your cloud or into APIs?
2. Eliminate Blind Spots – You don’t know what you don’t know. Penetration testing is a great example of this, and we should celebrate finding holes because that allows us to fix them and improve. Security Operations Centers and MSSPs are wonderful, but there are a number of services that provide SOC validation or attack simulation to help ensure those run smoothly. Also, look at your team…do you have a diverse group that brings together different perspectives? Or are they just an echo chamber for the same old ideas?
1. I’m The Map – Yes, this is a Dora The Explorer reference. The #1 item on the CIS top 20 controls is to have an inventory…devices, software, and data. As Socrates tells us…we should “know thyself, for once we know ourselves, we may learn