Roger Grimes on Prioritizing Cybersecurity Recommendation – Tech Journal

Roger Grimes on Prioritizing Cybersecurity Recommendation

It is a good level:

A part of the issue is that we’re always handed lists…listing of required controls…listing of issues we’re being requested to repair or enhance…lists of recent tasks…lists of threats, and so forth, that aren’t ranked for dangers. For instance, we are sometimes given a cybersecurity guideline (e.g., PCI-DSS, HIPAA, SOX, NIST, and many others.) with a whole lot of suggestions. They’re all nice suggestions, which if adopted, will cut back threat in your atmosphere.

What they don’t inform you is which of the really helpful issues may have essentially the most impression on finest decreasing threat in your atmosphere. They don’t inform you that one, two or three of this stuff…among the many a whole lot which were given to you, will cut back extra threat than all of the others.

[…]

The answer?

Right here is one huge one: Don’t use or depend on un-risk-ranked lists. Require any listing of controls, threats, defenses, options to be risk-ranked based on how a lot precise threat they may cut back within the present atmosphere if carried out.

[…]

This particular CISA doc has at the least 21 foremost suggestions, lots of which result in two or extra different extra particular suggestions. General, it has a number of dozen suggestions, every of which individually will probably take weeks to months to satisfy in any atmosphere if not already completed. Any particular person following this doc is…rightly…going to be anticipated to guage and implement all these suggestions. And doing so will completely cut back threat.

The catch is: There are two suggestions that WILL DO MORE THAN ALL THE REST ADDED TOGETHER TO REDUCE CYBERSECURITY RISK most effectively: patching and utilizing multifactor authentication (MFA). Patching is listed third. MFA is listed eighth. And there’s nothing to point their means to considerably cut back cybersecurity threat as in comparison with the opposite suggestions. Two of this stuff should not like the opposite, however how is anybody studying the doc purported to know that patching and utilizing MFA actually matter greater than all the remainder?

Posted on October 31, 2024 at 11:43 AM •
6 Feedback

#Roger #Grimes #Prioritizing #Cybersecurity #Recommendation

Leave a Comment

x