Virtually Simple: A Guide to Simplifying Cyber Security

One of my favorite modern-day public figures is Sir Richard Branson (I know this is a cyber security site, but stay with me). This is a man who has made an insane amount of money, achieved global fame and done amazing acts of charity. Recently, I read an article of his and was struck by a sentence, which I will paraphrase: “Any idiot can make something complicated, but it takes a genius to simplify something.” I was moved by this, especially since it came from someone as successful as Branson. The common theme I get from what he said is that the more complex we make something look or seem, the more it is falsely perceived as brilliant. This is very common, especially in the world of cyber security.

Simplifying Cyber Security

The industry loves to throw around big words of fear, uncertainty and doubt, buzzwords such as “cloud” and “big data” and technical terms that have nine syllables in them. What this ultimately does is confuse and turn off the people who most need to understand cyber security: the everyday end users. As the Target breach made clear, you can have the best tools to thwart a cyber attack, but if the end user doesn’t have basic cyber security “survival skills,” it is all for naught.

“You can’t boil the ocean” or “You can’t eat an elephant in one bite” are phrases often used to describe taking a large problem and making it manageable. I believe this to be true as it pertains to information security. With that said, I think this issue would be easier to understand if I draw the comparison of the virtual world to the physical world. In my years of working in information security, the people who “get it” are the ones who can draw these comparisons to make information palatable for the everyday user and C-level folks who don’t necessarily understand it.

A Real-World Comparison: Questions to Help You Simplify Security

For example, on my house, I have five doors that serve as direct entrance points into my home. When I am not at home, I lock the doors of my house to deter a burglar from just walking in. I have different locks on the doors, so there isn’t one single point of entry. I don’t leave keys on the front porch for someone to come in, nor do I give the keys to a random neighbor and say, “Hey, come in whenever you want.” In my house, I have assets that are very important to me. I have a safe full of important documents, cash and family heirlooms that is hidden out of clear sight. I don’t leave the safe open in front of my window for all to see. I also have five of my most important assets: my wife and four children. I have to make sure that they know if someone rings our doorbell, they should look through the peephole and ask the person to identify himself or herself before they open the door.

I highly doubt that I would find anyone who would challenge any of the concepts or theories that I have presented here on how to keep your house safe. So, the question is, why is it different for the virtual world? We should ponder the following questions to try to simplify the matter at hand:

  1. How do we lock our doors (laptops, servers, domain controllers) when we are away from them?
  2. Do we have different keys to get in the “house” or one key for everything (multiple passwords for multiple functions)? Do we give our keys to random people, allowing access to everything we own (password sharing)?
  3. Do we have our most critical assets out for all the world to see, such as files and drives of sensitive information stored on a desktop or unsecured thumb drive?
  4. Are we protecting the people in our house? Do our end users know when it is safe to “let someone in” or when to share information?

From my experience, by simplifying and correlating the virtual and real-world experience, security professionals can have better conversations with people, conversations that help them see the seriousness of cyber security.
