Are you 100% certain that you are on top of security basics?

At the siberX CISO Forum Canada, C. Kelley Bissel, CVP of Microsoft Security reported that CISOs are failing to do the basics. He puts a fair amount of blame for these failures on the company CISO.

“Ninety-eight per cent of attacks are elementary and take advantage of unpatched devices, a lack of multifactor authentication to protect logins, no privileged access controls, no identity management, and password vulnerabilities.”

C. Kelley Bissel, CVP, Microsoft Security

First, it’s not all on the CISO

A strong argument could be made that a CISO in a non-security-centric organization is set up to fail. A CISO's job is difficult even with the full backing of leadership. Consider implementing MFA alone: many executives will push back on the implementation because it isn't easy.

Another point of pushback is access control. I first felt this pushback when I was implementing SOX controls and logging of physical access to the company servers, which also applied to the CIO. The CIO was extremely bothered at having to log his access and tried to kill the process as being inefficient. The fact is, he didn't need access 99.96% of the time anyway. He nearly killed the process, which would have led to a possible security exception in an audit. That is not a failure of the CISO but a failure of the organization to allow the necessary security.

So what are ‘security basics’?

Mr. Bissel outlines the basics as patching, login protection, access control, identity management, and password strength. Certainly, he was simplifying it for presentation, but CIS offers a more comprehensive list that includes 56 "Basics" from 18 different controls in Version 8 of the CIS Critical Security Controls.


See other blog posts for more information on putting in basic cybersecurity.

