Most organizations are overwhelmed, understaffed, and/or underfunded when it comes to cybersecurity. These constraints create a critical need to prioritize on the most critical cybersecurity measures. However, often these priorities are unclear or hard to determine, leading to less-than-optimal cybersecurity product purchases and/or activities.
This is because the metrics about which overarching cybersecurity priorities matter most are by-and-large not well-established or well-accepted by the cybersecurity industry – making it very difficult for customers to know what to do first and what is a “nice to have.”
WHY DOES THIS MATTER?
Don’t we already have this problem solved? Clearly, a lot of time has been spent by various organizations to come up with 10,000’s of controls. However, anyone who has tried to implement security across an organization has likely experienced that there are too many topics to cover and there are no good sources to explain what the top areas to focus on should be.
In fact, many players in the cybersecurity industry’s “marketing machine” spend considerable effort to sell customers on one kind of product or another without really helping them with overall prioritizing. Customers can only do a few things. “I only have time to do the top 10 – but what are those?!”
In order to figure out what those top 10 are for a customer’s organization, we as the defender ecosystem need generally accepted structure and metrics.
WHY IS THIS HARD? HASN’T IT BEEN DONE BEFORE?
Unfortunately, like well thought-through answers, the answer to the question what is the exact number and prioritization is often “It depends…”.
It depends on: What systems? What applications? What data? Scale of IT landscape? Functional aspects? Non-functional aspects? Financial/organizational constraints? OWASP, the Open Web Application Security Project, or the BSI Baseline Protection Manual catalogues, for example, give us a simple to-do’s based on concrete metrics because they cover a specific problem, use-case, and technology (web applications).
So, if your cybersecurity needs to cover more than the covered point solutions (usually the case for enterprise cybersecurity, where a lot of the intelligence is in the system-of-systems “glue” between systems) – and you cannot go down a high-assurance architecture route either (usually the case for enterprise cybersecurity, as well) – then what?
Numerous generic compliance frameworks, standards and guidance give a great broad overview of many things you may consider doing. The presented guidance is very detailed in some well-understood areas, but spotty in other, less clear-cut areas. Nevertheless, NIST 800.53 and similar frameworks are great guidance if you have the time and budget to get through it (or are mandated to use it).
WHAT SHOULD YOU DO?
Time and money (and also cybersecurity competency) limit how much you can do. Cybersecurity teams are often overworked, understaffed, fire-fighting breaches, etc. These limitations determine how far down the list of “to-do’s” you can realistically ever get.
It is not the primary purpose of this article to postulate a “top 10 to-do” list but rather to discuss the needs and challenges to get to industry-wide vetted metrics of what matters most in cybersecurity (potentially with some adaptations based on industry, IT landscape, regulatory/legal environment, etc.)