It’s not all that shocking that organisations consider cybersecurity a complex, ever-changing challenge. According to a recent Dynatrace survey, 76 per cent of chief information officers (CIOs) are “worried IT complexity will make it impossible to manage performance effectively.” Organisations are routinely bombarded with news of the latest data breaches, code vulnerabilities and evolving attack vectors, and it’s easy to see how information security and risk management professionals have become convinced that effective cybersecurity and resilience solutions must be equally complex.
In fact, my experience has shown me that the opposite is true. As renowned security expert Bruce Schneier noted 20 years ago in his 1999 essay “A Plea for Simplicity,” the “worst enemy of security is complexity.” Why? Because the more complex a system or process becomes, the harder it is to visualise how it works, evaluate its potential points of failure and verify that it is working effectively. Organisations also become reliant on the knowledge held by individual subject matter experts, and that dependency is itself a new vulnerability.
It seems counterintuitive, but prioritising simple strategies is the best way to defeat evolving security and resilience threats.
Keeping it simple starts with understanding your environment. You cannot manage what you do not know or understand. Strong visibility and governance provide a foundation for the protection and defence activities that support and sustain enterprise resilience. Governance helps the enterprise ensure effectiveness during standard operations and when impacted by adverse events.
Understanding the organisation’s capabilities means defining the relationships and dependencies between how the business delivers value and the people, processes, technology and environmental elements that support it. Understanding the organisation’s goals, objectives and success criteria is critical to managing successful and secure operations; it shows, for example, how data, information services and information transactions support specific business activities. It is important for staff at all levels to understand how their efforts support these business objectives.
Beyond aligning security with the organisation’s goals, understanding the organisation also puts in place the first line of defence against increasingly complex cyberattacks: visibility.
The easiest way for attackers to gain access is to leverage existing vulnerabilities in applications, services or hardware. Shadow IT is a common threat vector because published and newly discovered vulnerabilities in unmanaged applications, which nobody is patching or monitoring, can give threat actors privileged access with minimal effort.
Where are you vulnerable? Why? How do you fix it? Answering these simple questions allows an organisation to prioritise how it improves its cybersecurity. While finding vulnerabilities across the various solutions used by employees isn’t easy, the concept isn’t complicated: know where you’re vulnerable so you can improve your response.
Here, organisations are often best served by leveraging vulnerability detection software from a reputable third-party provider. Given the sheer number of vulnerabilities present across custom-built, cloud-based and open-source applications, attempting to identify, categorise and prioritise them in-house can quickly overwhelm even experienced IT teams. Modern vulnerability scanning solutions can provide an effective guide. A scanner can only assess the assets it has been pointed at, however, which is why the inventory described above comes first: an unmanaged system that is missing from the inventory is also missing from the scan.
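To make “know where you’re vulnerable” concrete, the following is an added example, not the article’s own code and not any vendor’s scanner format. It joins a small asset inventory with a list of scan findings and ranks them, giving extra weight to findings on unmanaged hosts, on internet-facing hosts, on known-exploited issues and, most of all, on hosts that are not in the inventory at all (the shadow IT case). The hosts, owners, finding identifiers and weights are all constructed for illustration; a real programme would feed in its own CMDB export and scanner output and tune the weights to its risk appetite.

```python
"""Rank vulnerability findings against an asset inventory (added example).

All data below is constructed: hostnames, owners and finding IDs are
hypothetical, and the scoring weights are illustrative, not a standard.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    host: str
    owner: str
    managed: bool          # patched and monitored by IT?
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str        # hypothetical scanner identifier, not a CVE
    cvss: float            # base severity, 0.0 to 10.0
    exploited_in_wild: bool


# Constructed inventory: what the organisation knows it runs.
INVENTORY: Dict[str, Asset] = {
    "web-01": Asset("web-01", "platform", managed=True, internet_facing=True),
    "hr-app": Asset("hr-app", "hr", managed=False, internet_facing=False),
    "build-03": Asset("build-03", "eng", managed=True, internet_facing=False),
}

# Constructed scanner output. "wiki-tmp" is deliberately absent from the
# inventory to represent a shadow IT system nobody has registered.
FINDINGS: List[Finding] = [
    Finding("web-01", "F-001", 7.5, exploited_in_wild=False),
    Finding("hr-app", "F-002", 6.8, exploited_in_wild=True),
    Finding("build-03", "F-003", 9.8, exploited_in_wild=False),
    Finding("wiki-tmp", "F-004", 5.3, exploited_in_wild=False),
]


def score(finding: Finding, asset: Optional[Asset]) -> Tuple[float, List[str]]:
    """Return (priority score, reasons) for one finding.

    The score starts from CVSS and adds context the scanner alone lacks:
    is the host unmanaged, exposed, or unknown to the inventory?
    """
    total = finding.cvss
    reasons: List[str] = []
    if asset is None:
        total += 3.0
        reasons.append("host not in inventory (shadow IT?)")
    else:
        if not asset.managed:
            total += 2.0
            reasons.append("unmanaged host")
        if asset.internet_facing:
            total += 1.5
            reasons.append("internet-facing")
    if finding.exploited_in_wild:
        total += 2.5
        reasons.append("exploited in the wild")
    return round(total, 1), reasons


def prioritise(findings: List[Finding], inventory: Dict[str, Asset]) -> List[dict]:
    """Rank findings highest score first; ties broken by hostname."""
    rows = []
    for f in findings:
        total, why = score(f, inventory.get(f.host))
        rows.append({"host": f.host, "id": f.finding_id, "score": total, "why": why})
    rows.sort(key=lambda r: (-r["score"], r["host"]))
    return rows


def unknown_hosts(findings: List[Finding], inventory: Dict[str, Asset]) -> List[str]:
    """Hosts the scanner saw but the inventory does not know about."""
    return sorted({f.host for f in findings if f.host not in inventory})


if __name__ == "__main__":
    for row in prioritise(FINDINGS, INVENTORY):
        print(f"{row['score']:>5}  {row['host']:<10} {row['id']}  {', '.join(row['why'])}")
    print("Not in inventory:", unknown_hosts(FINDINGS, INVENTORY))
```

The ranking puts the unmanaged HR application with a known-exploited flaw ahead of the higher-CVSS build server, and the unknown wiki host is surfaced separately so it can be added to the inventory before anyone argues about its score. That second output is the one that matters most for the shadow IT problem: a host the inventory does not know about cannot be patched, owned or defended.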
Once collected and maintained, this inventory of assets and their vulnerabilities also serves as a valuable information source for other activities, including financial management, portfolio planning, business continuity planning and training.
Keep it simple as this will ensure that the data you collect can be maintained and continue to deliver value to the organisation.