A Chapter of the New Book ‘Heuristic Risk Management’ by Michael Lineso
June 7, 2022
CyberEdBoard executive member Michael Lines has worked with Information Security Media Group to promote awareness of the need for cyber risk management, and as a part of that initiative, the CyberEdBoard has posted draft chapters – the last one we published is here – from his upcoming book, “Heuristic Risk Management: Be Aware, Get Prepared, Defend Yourself.”
Michael Lines tells ISMG: “With this draft excerpt, we have come to the end of the series of these publications on ISMG. The final book is nearing completion and will be published before the end of the year. If you are interested in seeing the completed book in its entirety, be on the lookout for its publication on Amazon and other online book retailers globally. Thank you for your interest and stay safe!”
So you have identified the likely attackers, the threats that their attacks pose, and how at a high level they will carry out these attacks. Now what?
The traditional (and wrong) answer is to cover all your bases by adopting the most comprehensive set of controls possible. Whether it is NIST CSF, NIST 800-53, ISO 27002, or ISF, more is better, right? Wrong!
This is the stage where, in my experience, many information security programs typically go off the rails. Rather than focusing on the fundamentals that matter, often I have seen security leaders and CEOs mandate the most comprehensive set of information security controls possible. The thinking is that if every possibility for failure is eliminated -by mandate, failure is therefore impossible. Instead, this approach is itself a prescription for failure, under the metaphor of “boiling the ocean.”
When you attempt to cover every possible control, the result is that you will likely spend your time and effort focused on mandated activities that are easy, cheap, or sexy – in a technology sense, simply so that you can show progress. Instead, you need to focus on those activities that are most effective in reducing risk, which is often hard, expensive – from a manpower perspective, and not sexy.
In reviewing the history of major data breaches in large corporations, the root cause has often been traced back to failures to properly implement and manage fundamental security controls. Examples of these fundamental control mistakes include ineffective patching, failure to properly configure equipment, or not changing default credentials. What is curious is that these are organizations that spend tens if not hundreds of millions of dollars on information security and have security organizations with hundreds if not thousands of dedicated security staff. How can these events happen so frequently with all this attention to security?
They happen because of the error of mistaking increasing complexity with increasing security: Activity does not equal effectiveness. The government perpetuates this problem by adding more security regulations and requirements after every significant security breach. The result is that security is decreased, rather than increased, within affected organizations by the increased distraction that these mandates bring.
The answer to the problem of ever-increasing complexity is to start with the fundamentals, ensure that you are doing them well, evolve them incrementally and only implement the controls that you can properly manage. In the information security world, the best description of what constitutes the fundamental controls are those which are produced by the Center for Internet Security Inc., or CIS.
CyberEdBoard is ISMG’s premier members-only community of seniormost executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.
Join the Community – CyberEdBoard.io.
Michael Lines is an information security executive with over 20 years of experience as a Chief Information Security Officer, or CISO, for large global organizations, including PricewaterhouseCoopers, Transition and FICO. In addition, he has led several advisory services practices, delivering security, risk and privacy professional services to major corporations. Lines writes, blogs, speaks at conferences and webinars, and provides interviews on a wide variety of information security topics, primarily concerning what it takes to develop and run effective information security programs and why so many companies continue to suffer security breaches due to ineffective risk management.