When I’m not fighting the good fight against the dangerous world of cyber crime, you’ll often find me out on the field coaching youth soccer. In my experience as a coach, if you ask any group of kids new to the game of soccer “who wants to be a striker?” pretty much every hand will go up.
But ask the same group “who wants to play in defense?” and the likelihood is that none will go up. I often refer to this as “no one wants to be a defender” syndrome. Defending tends to be more of a process, but any team ‘worth their salt’ will of course be built on solid, disciplined and largely regimented defensive players. It’s all well and good having great, creative flair players up front, but if your defensive abilities are sub-par, the team will never reach its full potential.
I see this same paradigm in the way that departments and organizations approach cyber security. Cyber security is still somewhat regarded from a front-line perspective. “We invested in sophisticated Firewalls, Anti-Virus, SIEM and Vulnerability Scanning, so we’re all set.” What concerns me about this is it’s an all too familiar pattern. If the above were true, breaches would be on the decline and corporate fines would be rarely issued. But sadly, neither of these statements is true. Learn about the recent $5 Billion class action lawsuit against Virgin Media caused by a misconfigured database.
The point is that the ‘Front Line’ approach outlined above seems to be the obvious choice. It has a quick-fix feel about it because you tend to get immediate results and gratification from what are certainly some robust and critical security technologies. However, my question is ‘what does your back line look like?’ Or, indulging my perhaps increasingly tenuous soccer analogy, ‘how good are your utility defenders?’
I encourage you to ask yourself these very important questions: Does my organization at any given time know what assets we have, where they all are, what they are used for and whether or not they are securely configured? As I say, at all times and not just after a periodic scan? If you take a framework approach to security such as that outlined by the Center for Internet Security (CIS), you will see that these are essential, key elements that they urge and recommend you address first. Yet in my experience, both are routinely ignored.
The first 6 Basic CIS Controls are regarded as being the non-negotiable controls that every organization is recommended to adopt, starting with asset control and very quickly moving to secure configuration for those assets. These controls might not be as eye-catching as a vulnerability scanner, firewall or cutting-edge SIEM tool, but they are essential and underpin the effectiveness of any responsible security program.
One final, yet very important point: none of this works without a commitment to process. The items that appear to be hard work, such as inventory control or asserting secure configuration baselines, require a commitment in terms of time and process. The good news, though, is that once mastered, these all quickly become routine and very repeatable, and if you look, you will find solutions out there that can assist you enormously.
Implement firewalls, anti-virus, SIEM, etc. These tools are all an essential part of the multi-layered nature of effective cyber security. But before you do, make sure you have the basics in place. The back line may not be as enticing as the strikers, but the latter simply cannot function without the former.
Learn more about the Basic CIS Controls by watching our latest webinar, Back 2 Basics: Understanding the 6 Basic CIS Controls.