Roger Grimes on prioritizing cybersecurity advice
This is a good point:
Part of the problem is that we are constantly being given lists…lists of required controls…lists of things we are being asked to fix or improve…lists of new projects…lists of threats and so on that are not ranked by risk . For example, we are often given cybersecurity guidelines (such as PCI-DSS, HIPAA, SOX, NIST, etc.) with hundreds of recommendations. All of these are great guidelines to follow to reduce risk in your environment.
They don’t tell you which of the recommended things will have the greatest impact on the best risk reduction in your environment. They don’t tell you that one, two, or three of these things… out of the hundreds they’ve given you, will reduce more risk than all the others.
(…)
The solution?
Here’s a big one: Don’t use or rely on risk-free ranking lists. Require any list of controls, threats, protections, and solutions to be risk-ranked based on how much actual risk they will reduce in the current environment if implemented.
(…)
This particular CISA document has at least 21 main recommendations, many of which lead to two or more other, more specific recommendations. In all, it contains several dozen recommendations, each of which could take weeks or months to implement in any given environment, if not already implemented. Any person following this document is… rightly… expected to appreciate and follow all of these recommendations. And it will completely reduce the risk.
The catch is that there are two recommendations that WILL DO MORE THAN ALL THE OTHERS ADDED TOGETHER TO MITIGATE CYBERSECURITY RISKS most effectively: patching and using multi-factor authentication (MFA). Third on the patching list. Eighth on the list is the Ministry of Foreign Affairs. And there’s nothing to show their ability to significantly reduce cybersecurity risk compared to other guidelines. Two of these things are not like the others, but how can anyone reading the document know that patching and using MFA really matters more than all the rest?
