What Should You Do to Improve Your Cybersecurity Posture?
We asked 70 cybersecurity professionals, old and new: What is one of the biggest bang-for-the-buck actions that an organization can take to improve their cybersecurity posture?
We highlighted what a few of our contributors had to say below. Tweet us @threatcare whether you agree or disagree, or to show us your own answer to the question!
I think the instinct here would be to say, “user training.” But the rate of return on training isn’t very good. No matter how much you train your users to identify a phishing email or some other attempt to steal credentials, there will be at least one user who is having a bad day and makes a mistake.
The best bang-for-the-buck action a security team can implement is adopting a framework like the Critical Security Controls or the NIST Cybersecurity Framework. A framework will help you understand your organization’s cybersecurity maturity as well as help you plan future initiatives. Something that all of us struggle with is where to spend our limited resources. Frameworks take out a lot of the guesswork and show you, often with supporting evidence, where to apply the pressure. Similarly, planning and implementing a framework can help you understand your operational maturity level and provide metrics that’ll feed back into your organization. Security isn’t simply one team’s job—it is all of our jobs. With that said, security teams need to be the ones to lead the effort to improve the overall capabilities of an organization’s security deployment.
— Ian Anderson, @ian_infosec
The same question sounds like a definition of a bubble. The fact of the matter is that we’re doing a horrible job at actually building better and safer technology. We are *fixing* and *monitoring* things too much rather than investing in building more resilient foundations.
Additionally, it is quite simply an industry that’s being built on top of scandals and fear, and those who are exploiting this climate for a quick buck outnumber those who are genuinely in it for the long run and trying to change things.
— Claudio Guarnieri, @botherder
Hire the right people—especially if they’re your first security person. Don’t skimp; if you’re going to do it, do it right. These are the people who are going to onboard and advocate for additional security team members. These folks will decide your overall strategy and, ultimately, whether or not it’s effective.
— Ken Johnson, @cktricky
Create a culture of security that contains empathetic and FUD-free (fear, uncertainty, and doubt) end-user training. Scared or intimidated end users will not be willing to work with the security team or self-report incidents like clicking on a malicious email. Periodic phishing tests will not necessarily reinforce security, but frequent interactions with empathic InfoSec professionals within an organization will keep security on the minds of end users.
— Tracy Z. Maleeff, @InfoSecSherpa
At the end of the day, the same actions to protect an organization before the term “cybersecurity” became popular are the same actions that need to be taken to protect an organization now. Ensuring that security is “built-in” instead of “bolted-on” goes a long way for a healthy security posture. When security controls are implemented in the design, build, and test phases of the architecture, features such as unnecessary ports/protocols/services are turned off and best practices are followed regarding account management, auditing, identification, and authentication—just to name a few.
— Chinyere Schwartz, LinkedIn
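The "built-in, not bolted-on" point above comes down to something checkable: a host should expose only the services its design calls for, and anything else is drift. As an added example (not from the original post or any of its contributors), the script below compares a host's listening services against an approved baseline and flags unapproved listeners, approved ports served by an unexpected process, and baseline services that are missing. The baseline, the `proto bind:port process` line format and the inventory itself are constructed sample data, not real output from any host or tool.

```python
"""Baseline check for exposed network services (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    proto: str     # "tcp" or "udp"
    bind: str      # address the socket is bound to
    port: int
    process: str   # name of the process owning the socket


# Approved baseline for this host: (proto, port) -> expected process.
# Assumed values for illustration only.
BASELINE = {
    ("tcp", 22): "sshd",
    ("tcp", 80): "nginx",
    ("tcp", 443): "nginx",
    ("tcp", 8443): "nginx",
}

# Constructed inventory in a simple "proto bind:port process" format
# (not the output format of ss, netstat or any real tool).
SAMPLE_INVENTORY = """
tcp 0.0.0.0:22 sshd
tcp 0.0.0.0:80 busybox      # approved port, but not the expected process
tcp 0.0.0.0:443 nginx
tcp 0.0.0.0:23 telnetd      # legacy service that was never approved
tcp 127.0.0.1:3306 mysqld   # unapproved, but bound to loopback only
udp 0.0.0.0:161 snmpd
"""


def parse_inventory(text):
    """Parse the constructed inventory format; '#' starts a comment."""
    listeners = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        proto, endpoint, process = line.split()
        bind, _, port = endpoint.rpartition(":")
        listeners.append(Listener(proto.lower(), bind.strip("[]"), int(port), process))
    return listeners


def exposure(bind):
    """Classify a bind address: loopback-only listeners are lower exposure."""
    try:
        return "loopback" if ipaddress.ip_address(bind).is_loopback else "network"
    except ValueError:
        # Unparseable binds (e.g. "*") are treated as reachable from the network.
        return "network"


def audit(listeners, baseline):
    """Return drift between observed listeners and the approved baseline."""
    findings = {"unexpected": [], "mismatch": [], "missing": []}
    seen = set()
    for lst in listeners:
        key = (lst.proto, lst.port)
        seen.add(key)
        if key not in baseline:
            findings["unexpected"].append((lst.proto, lst.port, lst.process, exposure(lst.bind)))
        elif baseline[key] != lst.process:
            findings["mismatch"].append((lst.proto, lst.port, baseline[key], lst.process))
    for key, expected in sorted(baseline.items()):
        if key not in seen:
            findings["missing"].append((key[0], key[1], expected))
    return findings


if __name__ == "__main__":
    result = audit(parse_inventory(SAMPLE_INVENTORY), BASELINE)
    for category, items in result.items():
        print(category)
        for item in items:
            print("  ", item)
```

Run against the constructed inventory, the audit reports telnet and SNMP as network-exposed unapproved listeners, the loopback-only database as a lower-exposure unapproved listener, port 80 as an approved port served by the wrong process, and the baseline's 8443 service as missing. Feeding it a real host's inventory is a matter of writing an adapter from your enumeration tool's output to the `Listener` records; the baseline itself is the artifact that belongs in the design phase the quote describes.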