I started with a simple question addressed to my fellow cyber security professionals:
If you could implement *one thing* in your organization that would receive universal adoption without push-back, what would it be?
My aim was to take all the words that were used in reply (both on LinkedIn and Twitter) and create a word cloud, for analysis. I’ve done this a few times over the years and the results were always interesting. If you don’t know what a word cloud is — it’s basically a visualization to understand some results like this. More on word clouds or tag clouds, here.
The word cloud for this experiment looks like this:
I’m very interested in your analysis of this, but here’s what I think…
- Patching — Still #1 by a country mile. In fact, patching is 14% of the word cloud. That means 14 out of 100 words were patching (or similar, when I normalized answers). Security professionals still struggle with patching in spite of the fact that it’s received so much press and attention in light of the many recent breaches. It’s pretty incredible to think that patching is still something cyber security teams struggle with in 2020, but given our track record I’m truly not surprised.
- CMDB and Updates/Updated — Asset and change management database and updates-related items were both at 11.9% of the word cloud, in a dead heat. It makes sense that security professionals see these two as challenges, given that over the years ITSM has largely been ignored in many organizations big and small. Now with the cloud migration and digital transformations in full swing, security professionals (and their peers in IT) have potentially lost all control over where, what, and how the company does IT. If you’re trying to secure corporate secrets or assets and you can’t even identify where you have corporate assets, this becomes a big problem quickly.
- Multi-Factor Authentication — I’m excited multi-factor authentication is being talked about, except that if it’s such a high priority it means that MFA likely isn’t getting wide adoption. Or maybe it needs to get broader adoption? Worth exploring certainly. Multi-factor authentication is available for so many applications and use-cases, with such little effort, that there are hardly any excuses not to do it today. I carry both the Google Authenticator and Microsoft Authenticator apps on my phone; it doesn’t cost anything and it’s a great way to add a nice level of security. Additionally, if you’re on Office 365 (and really, who isn’t today?) you can have the Microsoft Authenticator functionality built right into the platform with Azure AD, so what’s holding people back?! MFA got 9.5% of the total word cloud mentions.
- Training — Training was actually tied with multi-factor authentication but I’m giving it its own consideration here. Honestly, there is so much to dig into with “security training” or “end-user training” or the ever-popular “developer training” that I can’t go into it here. Just know that I believe if you’re still struggling to ‘train’ people in your organization you are likely doing it wrong. Of course training is important, but the delivery and timeliness, including one-time versus continuous training, are all so critical. And truthfully we as a community have done it so wrong, for so long, it’s hard to jump in and convince someone this time we’ll get it right. Training also received 9.5% mention.
- Budget & Passwords — Budgets are going to start declining in cyber-security. Why? Because we don’t have the tools or hard evidence to prove to leadership that the checks they’ve been writing have done any damn good. Think of how big some of these companies’ budgets are that have had the mega-breaches … folks, it’s not about the budget but how you analyze and mitigate specific risks that are relevant to your organization. So much to unpack in budget… What can I say about passwords except … oh hell. We’ve been trying to kill the password for, well, forever. It’s not worked out so well. Maybe we’re getting closer, but I think that all these strong opinions and religious battles over how to replace passwords are doing more harm than good. You want a solution? MFA + password managers. Win. Both of these words had 7.1% of the word cloud.
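The percentages above come from normalizing free-text replies into canonical terms and counting them. As an added illustration (not the author's script, whose exact synonym rules are not on the page), the snippet below applies an assumed, ordered set of regex rules to constructed sample replies and computes each term's share; the rule list and sample replies are assumptions for the example.

```python
import re
from collections import Counter

# Ordered synonym rules: the first matching pattern wins, so put the
# more specific terms first. These rules are assumptions for this example;
# the author's actual normalization is not shown on the page.
RULES = [
    ("patching", r"\bpatch(es|ing|ed)?\b"),
    ("mfa", r"\b(mfa|2fa|multi[- ]?factor|two[- ]?factor)\b"),
    ("cmdb", r"\b(cmdb|asset (inventory|management)|configuration management)\b"),
    ("updates", r"\bupdat(e|es|ed|ing)\b"),
    ("training", r"\b(train(ing|ed)?|awareness)\b"),
    ("passwords", r"\bpassword(s| manager(s)?)?\b"),
    ("budget", r"\bbudget(s)?\b"),
]

# Constructed sample replies, standing in for the LinkedIn/Twitter answers.
SAMPLE_REPLIES = [
    "Patching. Just patch everything on time.",
    "Patch management that actually works",
    "A CMDB we can trust",
    "Asset inventory",
    "MFA everywhere",
    "2FA on all admin accounts",
    "Security awareness training",
    "Password managers for everyone",
    "More budget",
    "Zero trust",
]


def normalize(reply: str) -> str:
    """Map one free-text reply to a canonical term, or 'other' if no rule hits."""
    text = reply.lower()
    for label, pattern in RULES:
        if re.search(pattern, text):
            return label
    return "other"


def shares(replies):
    """Return {term: percent of replies}, rounded to one decimal, largest first."""
    counts = Counter(normalize(r) for r in replies)
    total = sum(counts.values())
    if total == 0:  # avoid dividing by zero on an empty data set
        return {}
    return {term: round(100.0 * n / total, 1) for term, n in counts.most_common()}


if __name__ == "__main__":
    for term, pct in shares(SAMPLE_REPLIES).items():
        print(f"{term:10s} {pct:5.1f}%")
```

Because the first matching rule wins, a reply mentioning both "patch" and "updates" is counted once, under the rule listed first; reorder RULES to change that bias.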
So my analysis… we’re not climbing the mountain. The collective we are still shoveling sand from one part of the beach to the other and declaring a win when we dig a hole… right before the water comes and fills it back up. The phrase “If we do this again in a year, I bet it’s not different.” is heard over and over in cyber security. It’s disappointing.
We have the tools. I’m certain of this.
I have doubts about implementation capabilities, but no doubt that the tools exist in the market. CMDB — the asset lifecycle toolset — is a mature market. Those tools have been available for 20 years, and have even been adapted fairly well for cloud (CSPM).
Someone mentioned ticketing systems, too. Are we really struggling with ticketing and workflow, still? I’d like to think that this was an isolated answer — because ServiceNow and others have been in the market for a long time with integrations and use-cases that are well-developed.
What’s stopping their implementation? What’s holding us back from (forgive me) getting the basics right? I don’t have the answers and frankly this is far too little data, but it’s an interesting starting point.
Thanks for reading, won’t you leave some thoughts? If you want the raw data feel free to ping me and I’ll get it to you in CSV.