The core principle is this: fish nets over fishing lines. In the case of security monitoring, fish nets are alerting on anomalies, where anomalies are defined as universal constants that have been broken. Fishing lines are manual search procedures. Phrase this principle like this addresses the two seemingly intractable problems with security monitoring:
Continue readingCategory: Series: Core Controls for the Transcendent CISO
The more systems that are secure by default, the less twiddling your IT team has to do for each deployment. Less twiddling means fewer chances to make errors that lead to security breaches.
Continue readingThis core principle can be summed up by the famous Reagan Cold War quote: trust but verify. Transcendent CISOs trust their people with privileged access, but are simultaneously very stringent about authenticating them.
Continue readingThat first word—continuous—is the core of this control. “Continuous” has seen a bit of hype in tech circles in other contexts. In particular, I’m thinking of continuous integration and continuous delivery from the world of DevOps and continuous improvement from the world of Digital Transformation. Why not think of security the same way?
Continue readingThe same Golden Rule that applies to hardware applies to software: know what you have. No user on your systems should be able to install an executable onto a company device without the approval of security. This may seem like a draconian policy (and a short-circuit process does have to be in place for certain technology-heavy teams like R&D or the dev team), but it’s necessary.
Continue readingThere are only six controls in the Top 20 list that are designated “Basic,” and an inventory of your hardware is number one. I actually would like to rephrase this control slightly, so it better fits the core principle I wanted to highlight: if there was ever a Golden Rule in enterprise security, it’s this: know what you have.
Continue readingCISOs have an impossible job. When it comes to developing a roadmap for my company’s security program, where is the best place to start? That what this series is about.
Continue reading