by Christopher C. Barron

How you can be the smartest cybersecurity expert in the room

Apr 06, 2017

Information security is the hottest topic of 2017, with billions of dollars in investments planned. Yet few people have even a basic understanding of the key principles.


Every 10 years, something comes along in the world of IT that is so big, so important, that shrewd people build wildly successful careers on just that one event.  Past examples have included ERP system implementation, “Y2K”, and cloud computing.  The brass ring is coming around again and this time it’s called “cyber security”.

Security is dominating the conversation

This year we have been awash in headlines about major security breaches, hot new products, and the emerging threat to our way of life from cyber warfare, both public and private.  There is a great sense of urgency worldwide to “get serious” about cybersecurity.  In an article by Dan Lohrmann (“you ain’t seen nothing yet”), we see many reasons why concerns about information security have become front-and-center.  I am a great proponent of following the money trail when determining if something is for real or just a fad.  As outlined by Steve Morgan of CSO, global spending on cybersecurity will top $1 trillion for the five-year period of 2017-2022.  For IT leaders this news on investment is huge.  It means the resources will be available for major new projects that we need to launch, covering everything from hardware and software to the next generations of adaptive technology.  It also means we will be able to invest in top talent and be able to afford the training they will need to become fully adept.

The news is not all rosy, as could be expected.  While the resources and impetus will be there for major security initiatives, there is a very significant knowledge gap that exists not only in the general business community, but among those of us who will be tasked with leading the charge.  In other words, many CIOs and senior IT leaders are almost clueless about where to focus and how to start building next-gen security functions.  Many third-party and consulting firms are stepping up to help, but for each of us to be successful personally we must demonstrate our own individual competence.

So what can we do to go from our current dearth of knowledge to become fully capable?  The answer is already available and surprisingly easy to access.

Cyber security is an open book test

The Council on Cyber Security (CSS) began a project in 2008 to generate a set of controls that would tell leaders exactly where to focus on cybersecurity.  CSS created a publication that outlined 20 security controls, the latest version (v6.1) released last August.  If leaders implement all of these controls, their total security risk drops by about 94 percent.

For many the introduction of 20 controls across an enterprise can be daunting and politically risky.  Taking this problem into account CSS further distilled these controls into a “top five” list.  Putting just these controls into effect still leads to an 85 percent reduction in raw cyber security vulnerabilities.

Becoming familiar and proficient with these controls can literally transform an average IT leader into one that projects knowledge and competence in cybersecurity.

To verify this claim, ask how many people, yourself included, can name the five categories in the CIS Top Five list.  Although not a scientifically proven conclusion, many security industry experts believe that fewer than one in 20,000 corporate workers in the United States who are asked this question can give a correct or complete answer.  Most IT leaders can be expected to know some of the elements, but almost none can go through the controls list from one through five and spell out what they mean and how to implement them.

Having the skill to stand and deliver this information will demonstrate a level of knowledge and insight that few IT leaders possess today.

If you are an overachiever and want to know all 20 controls, here is a very nicely constructed poster created by the SANS Institute.  For the rest, here is a quick primer on the top five CIS controls.

1. Inventory of authorized and unauthorized devices – since you cannot control an undefined architecture, it is important to conduct an audit, both cyber and physical, of all the hardware of any type that is attached to your network.  By understanding what is connected to your infrastructure you can more easily ensure that only the devices you approve are allowed to attach to your resources.  Leaders who conduct this inventory for the first time are amazed to see the types of hardware and devices that have been plugged into their network.

2. Inventory of Authorized and Unauthorized Software – the CIS controls exist to push organizations toward standards.  Without common standards in place employees will predictably install all sorts of unapproved software into a company’s environment.  Often, this software is introduced with benign intentions, but leads to the compromise of application security with each unapproved addition.  Even having mismatched versions of the same approved software is often enough to create security vulnerabilities.

3. Secure configurations of hardware and software on mobile devices, laptops, workstations and servers – in the world of security, creating common standards for work tools is a great step.  Rather than allowing a patchwork quilt of hardware to exist within your environment, all machines must be of the same type and have the exact same configuration.  Software applications in use must all be updated and patched to the same release version.  One of the most common methods of exploitation used by hackers is to find gaps in security coverage created when different (and sometimes custom) versions of the same products co-exist within an IT ecosystem.  For the same reason the army issues uniforms to its soldiers, uniformity is the key to strong cybersecurity.

4. Continuous vulnerability assessment and remediation – a strong security practice is driven by continuous, dynamic probing of an IT environment.  Too many times organizations design and implement cyber defenses only to check back on them periodically.  Cyberwarfare is an ongoing, evolving struggle where the attacks mutate in real time.  Make your review of vulnerabilities a continual effort and immediately close gaps and holes as they are found.

5. Controlled use of administrative privileges – employees who are granted administrative privileges to corporate systems truly have unlimited access.  Because admins can literally do anything within the IT architecture, careful control must be exercised over these individuals.  This control lists all the areas that must be measured and monitored to ensure that admins act only in ways beneficial to the organization.
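Controls 1, 2, 3 and 5 above all come down to the same discipline: keep an approved baseline, collect what is actually present, and act on every difference. The script below is an added example (not from the article, the CIS or SANS) that shows what that reconciliation looks like in code. It takes a constructed baseline of approved devices, software versions and administrator accounts, a constructed discovery snapshot of four hosts, and reports unknown devices (Control 1), unapproved software (Control 2), version drift and missing required packages (Control 3) and unexpected administrators (Control 5). Control 4 is omitted because it needs a vulnerability scanner as input. All MAC addresses, hostnames, package names and account names are invented for the example; in practice the snapshot would come from a network discovery scan, a software inventory agent and a directory export.

```python
"""Baseline reconciliation for CIS Controls 1, 2, 3 and 5 (added example).

Every identifier below (MACs, hostnames, packages, accounts) is constructed
for illustration. Replace the two baseline tables and DISCOVERED with data
from your own asset inventory, software agent and directory.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# --- Approved baseline (constructed) --------------------------------------
APPROVED_DEVICES: dict[str, str] = {          # MAC -> expected hostname
    "aa:bb:cc:00:00:01": "ws-001",
    "aa:bb:cc:00:00:02": "ws-002",
    "aa:bb:cc:00:00:10": "srv-db01",
}
APPROVED_SOFTWARE: dict[str, str] = {         # package -> required version
    "openssh": "9.6",
    "browser": "123.0",
    "vpn-client": "4.2",
}
APPROVED_ADMINS: dict[str, set[str]] = {      # hostname -> allowed admins
    "ws-001": {"itadmin"},
    "ws-002": {"itadmin"},
    "srv-db01": {"itadmin", "dba"},
}


@dataclass
class Host:
    """One discovered machine: what is installed and who is an admin."""
    mac: str
    hostname: str
    software: dict[str, str]   # package -> installed version
    admins: set[str]


# --- Discovery snapshot (constructed) -------------------------------------
DISCOVERED: list[Host] = [
    Host("aa:bb:cc:00:00:01", "ws-001",
         {"openssh": "9.6", "browser": "123.0", "vpn-client": "4.2"},
         {"itadmin"}),                                   # fully compliant
    Host("aa:bb:cc:00:00:02", "ws-002",
         {"openssh": "9.3", "browser": "123.0", "vpn-client": "4.2",
          "torrent-tool": "1.0"},
         {"itadmin", "jsmith"}),                         # drift, unapproved app, extra admin
    Host("aa:bb:cc:00:00:10", "srv-db01",
         {"openssh": "9.6", "browser": "123.0"},
         {"itadmin", "dba"}),                            # required package absent
    Host("de:ad:be:ef:00:99", "unknown-pi",
         {"openssh": "8.2"}, {"pi"}),                    # device not in inventory
]


@dataclass
class Findings:
    unknown_devices: list[tuple[str, str]] = field(default_factory=list)       # (mac, hostname)
    unapproved_software: list[tuple[str, str]] = field(default_factory=list)   # (host, package)
    version_drift: list[tuple[str, str, str, str]] = field(default_factory=list)  # (host, pkg, expected, actual)
    unexpected_admins: list[tuple[str, str]] = field(default_factory=list)     # (host, account)


def reconcile(discovered: list[Host],
              approved_devices: dict[str, str],
              approved_software: dict[str, str],
              approved_admins: dict[str, set[str]]) -> Findings:
    """Compare a discovery snapshot against the approved baseline."""
    f = Findings()
    for host in discovered:
        # Control 1: a device not in the inventory should not be on the
        # network at all, so it is reported and not evaluated further.
        if host.mac not in approved_devices:
            f.unknown_devices.append((host.mac, host.hostname))
            continue
        # Control 2: anything installed that is not on the approved list.
        for pkg in sorted(host.software):
            if pkg not in approved_software:
                f.unapproved_software.append((host.hostname, pkg))
        # Control 3: approved software must be present at the required version.
        for pkg, expected in sorted(approved_software.items()):
            actual = host.software.get(pkg, "absent")
            if actual != expected:
                f.version_drift.append((host.hostname, pkg, expected, actual))
        # Control 5: every admin account must be explicitly allowed for this host.
        for account in sorted(host.admins - approved_admins.get(host.hostname, set())):
            f.unexpected_admins.append((host.hostname, account))
    return f


def summarize(f: Findings) -> dict[int, int]:
    """Finding counts keyed by CIS control number, for a one-line status report."""
    return {1: len(f.unknown_devices), 2: len(f.unapproved_software),
            3: len(f.version_drift), 5: len(f.unexpected_admins)}


if __name__ == "__main__":
    findings = reconcile(DISCOVERED, APPROVED_DEVICES, APPROVED_SOFTWARE, APPROVED_ADMINS)
    for control, count in summarize(findings).items():
        print(f"Control {control}: {count} finding(s)")
    for name, rows in vars(findings).items():
        for row in rows:
            print(f"  {name}: {row}")
```

The design choice worth noting is that an unknown device short-circuits the other checks: its software and admin lists are irrelevant because the device should be removed or enrolled first, which is exactly why Control 1 sits at the top of the list. Running the reconciliation on a schedule and diffing successive reports is the simplest way to turn the "periodic check" the article warns against in Control 4 into a continuous one.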

When it comes to excellence in cybersecurity most professionals study for years to gain their proficiency.  The problem we have in this day and age is that there are just so few of these people around that security must be part of all our jobs.

By truly knowing just the first five key CIS controls, you will have enough knowledge of cybersecurity practices to develop a strong competency.  Given that so few people, both inside IT and out, are aware of what the CIS components are and how they work, you will be able to speak confidently and professionally about good security controls.  Learn these five (all 20 if you’re up to it) and the next time the topic of cybersecurity comes up, you will truly be the smartest person in the room.