“If I were given one hour to save the planet, I would spend 59 minutes defining the problem and one minute resolving it,” Albert Einstein said.
Abraham Lincoln also said, “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.”
Those were wise words from wise leaders and visionaries, but from what I have observed, most organizations don’t really consider that when they think in terms of how to better defend their business and their cyber security infrastructure.
Data tells us that most companies aren’t sufficiently rigorous in defining the reality of the problems they think they must solve, and those that they MUST solve. Often, because of a variety of factors, including business issues, budgeting, threat proliferation, user issues, and a hundred other things, the focus required to solve the “MUST” problems becomes intertwined with the “must” problems, and not much effective problem solving occurs. Without rigor, organizations miss opportunities, waste resources, and end up pursuing security initiatives that aren’t aligned with their strategies, or with any strategy, to be perfectly frank.
How many times have you seen a security project go down one path only to realize mid-flight that it should have gone down another? How often have you seen a cyber security program initiative deliver a “breakthrough” only to find that it actually addressed the wrong problem, and failure ensues? Many organizations need to become better at asking the right questions so that they tackle the right problems, and they need to leverage technology correctly to enable this constant axe sharpening to happen at the speed and scale of today’s digital business.
In this blog and in some of our future writings we will offer a process for technically addressing and remediating the “MUST” problems that are necessary for cyber security optimization for any organization, and we think we can help you prioritize how to focus the efforts within your cyber security program and strategy to hone that axe to a razor’s edge. Our company, GYTPOL, has hundreds of customers already using our solution and approach to help improve the quality and efficiency of their cyber security efforts and, as a result, their overall business security posture and performance.
What we ultimately want in cyber security is for a compromise not to happen in the first place; in other words, to keep the enemy at bay. Typically, someone in the organization’s security group is assigned to fix a very specific, near-term problem. But because the organization doesn’t employ a rigorous process for understanding the dimensions and realities of the problem, they miss an opportunity to address the underlying strategic issues: the things that will really help with the realities that the organization “MUST” face, not the ones that it “might” have to face.
Step 1: What is technically required for a successful exploit?
The purpose of this step is to articulate the problem in the simplest terms possible. At this point organizations should be thinking about where they are technically vulnerable and, of those vulnerabilities, which ones amount to a successful compromise for a threat actor. This point in the process should trigger a mapping of the technical assets and an analysis of which of those assets are technically vulnerable to exploitation. Using technology that can help here should act as a call to arms that clarifies the importance of the issue and its first “MUST” point of focus, and helps secure and direct the resources needed to address it. This first effort will help in answering two questions:
What is the basic need?
What is the essential problem, clearly defined and concisely focused? It is important at this stage to focus on the need that’s at the heart of the problem rather than trying to jump to a solution. Defining the full scope and scale of the potential compromise space is of absolute importance.
What are the connections?
Answering this question requires understanding the intricacies of the digital infrastructure so that you have a real, fact-based technical analysis of what talks to what within your organization’s infrastructure. At this step you should avoid the temptation to favor a technical solution to “fix” these intricate connections. Instead, work to make sure you know the totality of what is connected and where an attack could go from a single exploit to a network-level compromise.
Follow us for the full series of our strategic process for fundamentally securing your organization.