In Tripwire’s recent survey of IT professionals and executives, respondents reported high confidence in both the value and the application of basic, foundational security controls—accurate and complete hardware and software inventory, system hardening through secure configurations and patch and vulnerability management—in their enterprises.
From the perspective of the Council on CyberSecurity, this is excellent news!
First of all, this result is very consistent with the ongoing message of the Council and the Top 20 Critical Security Controls. The “basics” really matter because they provide great cyber-defense value in terms of stopping the kinds of attacks seen today.
The value of foundation controls is established by any large-scale analysis (private sector or government) of cyber incidents – the vast majority of cyber problems seen today result from basic flaws in management, configuration, processes and “hygiene..
Their importance is reinforced by their presence in almost every framework, standard, or regulation. Yet enterprises often fail to focus on and implement basic controls due to frustration, impatience, unwillingness to build in the right management processes, or the marketplace temptations of a new “magic bullet.”
Secondly, the survey results hints at better agreement between what security and IT professionals see as valuable, as well as what corporate executives see. When these views get out of alignment, we see unfocused security programs, poor communications between executives and technologists, massive waste of resources and energy, and tension between operations and security professionals.
At the Council on CyberSecurity, we strongly believe that improving this ecosystem alignment is essential to scalable enterprise security.
Even better, when basic security controls are well planned, they are specific, implementable, automatable, track-able and reportable. And they can come with significant management and operational benefits, including better visibility and management of resources and lowered costs, such as minimizing ‘breakage and lower recovery times, etc.
Of course, “foundational” controls are just that – foundational and necessary to cyber success, but not complete.
There is still plenty of work to be done even if you have an effective, ongoing program of basic security controls. But in our experience, you must get a solid security foundation in place, or you will waste much of your money, technology and – worst of all – the time and energy of your people.
Tony retired from the National Security Agency in June 2012 after 34 years as an Information Assurance professional: mathematical cryptographer, software vulnerability analyst and executive manager of the premier cyberdefense organizations at NSA. His journey down the road to “cyber-geekery” started on an Apple II Plus, sometime during the Bronze Age of computer security.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interested in becoming a guest author for The State of Security, contact us here.
- Making Best Practice Common Practice
- Professionalizing the Cybersecurity Industry
- Demonstrating Enterprise Commitment to Best Practice
- Boards Should Worry, Too: 5 Corporate Principles to Better Cyber Risk Oversight
Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the Heartbleed vulnerability.
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Title image courtesy of ShutterStock