Defensible Tech TeamJuly 6
Your business does not need a labyrinth of vulnerability assessment frameworks. Instead, exceed “reasonable standards of security” with the fundamentals done right.
Security and compliance frameworks clutter the security landscape. And there are so many vulnerability assessment frameworks out there: NIST CSF, CIS Controls, NIST-800 53, NIST 800-171, ISO 27001, SOC2, PCI, and others. In fact, there are frameworks for mapping frameworks onto each other. These share the goals of mitigating risk and protecting the businesses who implement them against the growing onslaught of cyber attacks. But trying to make sense of all these frameworks and mapping security programs to them often detracts from the actual work of securing a business.
When discussing frameworks, security and compliance teams often look at them in terms of "reasonable security measures" as they’re defined in several of these frameworks, including NIST. However, reasonable is no longer enough. The presence of both sophisticated attackers and large-scale attacks mean there is a real risk to the sensitive data entrusted to your business. Instead of puzzling through that labyrinth of frameworks, your business needs to focus on building a security program focused on safeguarding sensitive data. Here’s how to exceed a “reasonable standard of security.”
Implementing vulnerability assessment frameworks in a real-life IT environment can be difficult for several reasons. For starters, frameworks paint security needs and goals in broad strokes, and often lack context to actually understand the risk. A sound security program requires context around what data is actually at risk in specific parts of the network. Furthermore, frameworks often contain thousands of controls. It is unmanageable to look at that many often-abstract security controls and translate them into actionable security steps that improve your business’s posture, especially since they are designed to be generally applicable, and lack the context to help your business prioritize the most important controls.
This can be a problem for small- to mid-sized businesses. Vulnerability assessment framework criteria are often designed for larger, enterprise-scale organizations, instead of small- or mid-sized businesses. Though compliance goals may put those frameworks under consideration, businesses of many sizes tend to implement complex frameworks that detract from the resources available to actually secure data. Fully implementing these frameworks demands more budget, skills, and time than many small- to mid-sized businesses have available.
Security frameworks are also poorly targeted for modern IT systems. Many of them still focus on on-premise or data center solutions. However, most organizations of all sizes are moving toward a hybrid IT infrastructure, mixing on-premise, cloud, and SaaS solutions. Though these evolved solutions are excellent for achieving business goals in a more flexible and scalable fashion, security frameworks tend to evolve more slowly than actual business infrastructure. Thus, they fall short. Trying to build a security program around a framework that does not reflect the actual infrastructure makes it difficult to understand the real risks and secure the client data that exists in the infrastructure.
Recent changes in the security landscape have been more about scale than about fundamental activities. Businesses are still being threatened by cyber crime groups, nation-states, and hacktivists, whose major goals include stealing money or data, or disrupting business operations. That hasn’t changed. Instead, it is the scale of those demands and disruption that is changing. Between tools like modern ransomware platforms and targets like modern complex IT systems, attackers can demand more money and cause more widespread disruption.
In this landscape, we do not need new vulnerability assessment frameworks. We need a more fundamentally sound approach to information security, focusing on what really puts data at risk. Businesses need to perfect handling the security basics: for example, on disabling features, functions, services, and configurations unless there is a demonstrated, documented need, securing credentials from theft, and maintaining an accurate and patched asset inventory.
Though it sounds straightforward, rigorous application of security fundamentals can provide deep benefits to businesses, and prevent the expensive and embarrassing attacks that take over the headlines. For example, the recent Colonial Pipeline ransomware attack caused large-scale consequences, but the initial compromise itself was not sophisticated. The attackers got in through a compromised VPN account that did not require multi-factor authentication. It did not require a sophisticated technique or military grade exploit. Instead, they gained access because of a failure in the fundamentals.
Security, like many things, requires a foundation of the basics, and building from there. Consider a medical analogy. If a patient states that they smoke, eat poorly, and barely exercise, then there is a high likelihood they will experience significant health issues in the long run. In cyber security, if you are not keeping up with security patches and do not require multi factor authentication, then it is likely a matter of WHEN, and not IF you will experience a significant data breach. It doesn’t necessarily take a doctor or a CISO to figure this out, but it may require a coach or personal trainer to help build the necessary hygiene habits and keep them on track.
Even though a business may be aware of security basics, they may not currently have the right person in-house to keep them on track and translate those security fundamentals into action. That is what a Defensible vCISO can do: bring the expertise to get a business on a better course of implementing security fundamentals, and stay on that course in the long term.
Of course, going beyond reasonable security does not mean spurning frameworks or best practices altogether. Specifically, Defensible’s vulnerability assessment methodology does start from the CIS controls: the most practical and most commonly accepted framework, the CIS controls lay a strong groundwork for becoming both secure and compliant, thus satisfying many foundational business concerns. Defensible’s solutions focus on building from a sound foundation of security, focused strongly on the first six CIS controls: fundamental security hygiene that helps make businesses less vulnerable to attack.
Starting from here, Defensible takes clients beyond what NIST defines as “reasonable security standards.” Defensible brings businesses the expertise they need to look at their internal operations and focus on security basics. We take the time to learn about their business operations, and then give them the coaching and guidance necessary to become great at security fundamentals. Implementing those fundamentals helps businesses prevent many of the known risks in the current security landscape. In short, we build a foundationally sound security program with the right value, tailored to each client’s operations, risk, size, and scope.
To secure your business and your data against the current threat landscape, your business does not need more vulnerability assessment frameworks. Instead, your business needs a solid security foundation and the expertise to do security basics well. With vCISO services, risk management advice, and security services Defensible brings enterprise-level security to businesses of all sizes, while giving you the knowledge to build a strong foundation for securing data.