Security Frameworks (NIST, CIS, CSF)

Security Frameworks (NIST, CIS, CSF)
What are organizations lacking in their cybersecurity posture?

Top Answer: I view cybersecurity as an 80/20 problem overall. 80% of it is hygiene and things that we've seen before — things that we can automate, in cases where automation is a viable and economic solution. It’s within the remaining 20% that the bad stuff happens. So how do you address both at the same time? It's always been interesting to have this conversation in the context of Bugcrowd, because people assume that I'm all about humans coming in to solve everything. But that's not true. There's always going to be a gap that's created by the innovation of the adversary, which only has human creativity and human adoption of process as its solution. But you should automate wherever you can. The companies that we work for weren't started just to fight Russia or China, so this is not our main game.

Are compliance checklists an effective way to improve cyber hygiene?

Top Answer: The threat model is the important thing, especially in the security domain. When I think about SOX compliance, for example, I'm thinking about a threat model to finance: if you wanted to do something bad to our financials, what would you do? That's where the control should come from, not a bunch of checkboxes. I hate compliance checkboxes, because you can have all the compliance in the world and still have bad security, although it's becoming more of an analytical framework than it used to be. Companies don't typically want to invest in good security, but if you had really good security, you could have good compliance as a by-product. The business will say, "Just tell me what it takes to check these boxes so we can sell this deal," and I have to explain that it would be the same amount of effort to actually do it well. Then the boxes will be checked and we can both sleep at night.

Relative to phishing and ransomware. How confident is your organization, that the security controls you have place today will protect you?

Top Answer: In the day and age, we live in it's more about when you will experience a breach vs if. It's more about, do you have the abilities to recover and protect PII. Doing your due diligence and reasonable care, mitigate the risk and have controls in place to make it harder for the attackers to get in, if not impossible.