January 25, 2019 By Kevin Beaver 3 min read

Information security is an interesting field — or, perhaps more accurately, a constant practice. After all, we’re always practicing finding vulnerabilities, keeping threats at bay, responding to cybersecurity incidents and minimizing long-term business risks.

The thing is, it’s not an exact science. Some people believe that’s the case, but they are only fooling themselves. Some security professionals strive for perfection in terms of their documentation. Others want their users to make good decisions all the time. I’ve even had people ask if I could do my best to provide a clean vulnerability and penetration testing report when doing work for them. Scary stuff.

I believe we’ve reached this point of striving for perfection largely due to compliance. Rather than truly addressing security gaps, we’re stuck in the mindset of checking boxes so that someone, somewhere can get the impression that work is being done and all is well in IT. Striving for perfection only serves to skew expectations and set everyone involved up for failure. The reality is you’re never going to have a perfect state of security, but you can have reasonable security if you take the proper steps.

Ready, Set, Practice

To improve enterprise security, organizations must do what I refer to as fine-tuning the oscillation of their security program. What do I mean by that? Let me give you a car racing analogy.

I compete in the Spec Miata class with the Sports Car Club of America (SCCA). It’s a super-competitive class with very little room for mistakes. Everything that we do as Spec Miata racers has to be fined-tuned — that is, if we’re going to win. Everything matters, from how hard we get on the brakes to how quickly we turn the steering wheel to how we get on and off the throttle. Even the turn-in points and apexes of corners are extremely important. Each little thing we do either works in our favor or works against us.

In car racing, fine-tuning the oscillation means getting better and better at the little things over time. In other words, we minimize atypical events — the mistakes that would show up as spikes on a graph — and get more consistent the more we race. You can certainly make improvements throughout a single race, but most fine-tuning comes with experience and years of seat time.

Make Small Adjustments Over Time

Information security is no different. In the context of your overall security program, threats, vulnerabilities and subsequent cybersecurity incidents represent the oscillation. If you’re looking for a visual, fine-tuning the oscillation means minimizing the amplitude and maximizing the frequency of a sine wave to the point where you have a tiny squiggly line that represents your security events. It’s almost a straight line, but as I said before, there’s no such thing as perfection in security.

Instead of having low-hanging fruit such as missing patches and weak passwords, you’re staying on top of patch management and password policy enforcement. Instead of a lack of network visibility, you have systems and technologies in place that allow you to see things happening in real time. Instead of experiencing a security incident, you’re able to prevent or mitigate the threat. Instead of a breach, you have business as usual.

Rather than playing by the terms of malicious actors seeking to bring down your business, you are the one in control. This is all done through acknowledging your weaknesses and blind spots and making small adjustments over time.

Minimize the Impact of Cybersecurity Incidents

Start viewing your security program from this perspective by asking a few simple questions. What areas need the most attention? Do you have some quick wins that you could start with to get your momentum going? Most organizations have a handful of areas with known security gaps that are creating big exposures — things like third-party patching, unstructured (and unprotected) information scattered about networks, and user security awareness and training. Aim to quickly close the gaps that create the greatest risk so you can spend more focused time on the smaller, but more difficult, problems.

Stretching out that sine wave and fine-tuning the oscillation of impactful cybersecurity incidents should be your ultimate goal. Be it racing cars or running a security department, time, money and effort are the essential elements. If you’re going to do either one well, it’s going to require good information, solid decision-making, and intentional and disciplined practice over and over again. That’s the only way you’ll get better.

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today