Dark Reading’s 2021 Strategic Security Survey was highly informative, not only in what it included but also in what it did not. In particular, when 150 technical and cybersecurity professionals were asked to rate the effectiveness of cybersecurity practices, three practices leaped out at me as missing from the survey results table. Want to guess which they are?
Asset Awareness, Secure Configurations, and Patch Management are the foundational practices for any cybersecurity program. Whether they were left out of the survey by the survey designer or whether nobody brought them up as an issue, I don’t know, but I find this exclusion both highly interesting and disturbing. Michael’s Rule #1 of Cybersecurity: You can’t protect what you don’t know you have!
Knowing what you have, configuring it properly, and keeping it patched are foundational security measures, yet again and again I find these are the areas where companies are most deficient in their security programs. Why? I think there are multiple reasons, ranging from operational challenges, to conflicts over responsibility between IT and IS, to the sheer volume of work required to do it right. It’s not sexy, but it’s what keeps your security ship afloat. The fact that it is done so poorly across so many organizations (especially in government) says a lot about the crisis that exists in business, and about why so many organizations, large and small, are constantly being breached, ransomed, and exploited.