5 Things You Should Do Right Now To Reduce Risk

By Eric Noonan • March 1, 2013

Due diligence and fiduciary responsibility for corporate executives is now widely acknowledged to include exercising sound judgment and effective controls in the domain of cybersecurity. There’s no escaping the responsibility to protect corporate information and infrastructure and eventually the law will catch up with this reality. Until it does here’s what you should be doing to right now to exercise due care in managing cybersecurity risk.

1 – Be pragmatic, there are more risks than you can possibly address. If you try to do everything you will end up doing nothing.

2 – Get a baseline of the controls you currently have in place, how effective they are and compare yourself with NIST 800-53 or the Consensus Audit Guidelines. (HINT: Remember step 1 and don’t overthink this, your assessment shouldn’t be a six month exercise.)

3 – Do something! Prioritize your risks and address ONLY the things that can show measurable improvement, i.e. reduced risk. If you’re stuck in analysis paralysis just start with Consensus Audit Guidelines and address the ones that you’ve found to be vulnerabilities in your baseline.

4 – Document and tell your story using words and numbers that matter. Telling the board that SQL injection vulnerabilities have been reduced because you implemented a Web Application Firewall is why security often doesn’t get “a seat at the table”. Talk in term of compliance and risk, they get that.

5 – Stop buying tools and adding complexity until you’ve mastered the ones you already own and have laid in the process (documented) to use them effectively and in an integrated fashion.

As Einstein said, “Everything should be made as simple as possible, but not simpler.” Apply this approach in exercising due care with respect to cybersecurity.

Cybersheath Blog

3 Reasons Why You Need a Privileged Access Risk Assessment

A privileged account is one used by administrators to log in to servers, networks, firewalls, databases, applications, cloud services and other systems used by your organization. These accounts give enhanced permissions that allow the privileged user to access sensitive data or modify key system functions, among other things. You can…

Incident Response – Learning the Lesson of Lessons Learned

“Those who do not learn from history are condemned to repeat it.” Over the years, variations of this famous quote have been spoken by everyone from philosophers to world leaders. The message — that we must learn from our mistakes or continue to repeat them — is also highly relevant…

What is DFARS 252.204-7012 and NIST SP 800-171?

With the Department of Defense (DoD) promising the release of an update to NIST Special Publication 800-171, it is imperative defense contractors understand what DFARS 252.204-7012 and NIST SP 800-171 Clause is and how noncompliance with the Clause will impact their business.  Compliance is mandatory for contractors doing business with…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Trace Security