Are you 100% certain that you are on top of security basics?

At the siberX CISO Forum Canada, C. Kelley Bissel, CVP of Microsoft Security reported that CISOs are failing to do the basics. He puts a fair amount of blame for these failures on the company CISO.

“Ninety-eight per cent of attacks are elementary and take advantage of unpatched devices, a lack of multifactor authentication to protect logins, no privileged access controls, no identity management, and password vulnerabilities.”

C. Kelley Bissel, CVP, Microsoft Security

First, it’s not all on the CISO

A strong argument could be made that a CISO in a non-security centric organization is set up to fail. A CISOs job is difficult even with the full backing of leadership. Consider implementing MFA alone: Many executives will push back on the implementation because it isn’t easy.

Another point of pushback is access control. I first felt this pushback when I was implementing SOX controls and logging on physical access to the company servers on the CIO. The CIO was extremely bothered having to log his access and tried to kill the process as being inefficient. The fact is, he didn’t need access 99.96% of the time anyway. He nearly killed the process which would have led to a possible security exception in an audit. Not a failure of the CISO but a failure of the organization to allow the necessary security.

So what are ‘security basics’?

Mr. Bissel outlines the basics as patching, login protection, access control, identity management, and password strength. Certainly, he was simplifying it for presentation but CIS offers a more comprehensive list that includes 56 “Basics” from 18 different controls in Version 8 of the CIS Critical Security Controls.

• CIS Control 1: Inventory and Control of Enterprise Assets
• CIS Control 2: Inventory and Control of Software Assets
• CIS Control 3: Data Protection
• CIS Control 4: Secure Configuration of Enterprise Assets and Software
• CIS Control 5: Account Management
• CIS Control 6: Access Control Management
• CIS Control 7: Continuous Vulnerability Management
• CIS Control 8: Audit Log Management
• CIS Control 9: Email and Web Browser Protections
• CIS Control 10: Malware Defenses
• CIS Control 11: Data Recovery
• CIS Control 12: Network Infrastructure Management
• CIS Control 13: Network Monitoring and Defense
• CIS Control 14: Security Awareness and Skills Training
• CIS Control 15: Service Provider Management
• CIS Control 16: Application Software Security
• CIS Control 17: Incident Response Management
• CIS Control 18: Penetration Testing

See other blog posts for more information on putting in basic cybersecurity.

Consider looking into vCISO service providers. Tracc Development (site sponsor) or any number of service organizations would be happy to help. Omni Group Consulting and Triden Group have excellent talent.

• Author
• Recent Posts

Follow me

Paul Bergman

CEO at Tracc Development, Inc.

Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He is also CEO of a mentoring non-profit in San Diego, Lamp of Learning. He writes on cybersecurity and board management for both corporate and nonprofit boards.

Follow me

Latest posts by Paul Bergman (see all)

• The Imperative for Cyber Talent on Corporate Boards - March 29, 2024
• Talking CMMC preparation - March 12, 2024
• Protecting Your Business: Strategies to Combat DNS Attacks - February 20, 2024