We’re all familiar with personal hygiene. In fact, we’re on a personal hygiene journey throughout our whole lives. Parents across the world have the difficult job of keeping their children clean and orderly. My parents, like many others I imagine, used fear, uncertainty and doubt to keep my teeth brushed and hair washed. I’d sometimes bend the truth in my reporting of teeth brushing duration and frequency, but this was always identified in the annual dentist audit, sometimes leaving me with points to address, at other times requiring drilling to remind me to take better care.
The teenage years were an inconsistent mess, where often ‘perceived hygiene’ was more important than actual hygiene. For example, Jazz cologne was used as a compensating control for my natural fragrance, as my body’s showering regime fell outside of policy. Then comes a gradual transfer of responsibility. As a grown-up, I settled into many years of relatively strong hygiene, and then, having had my own kids, I began the process of instilling fear, uncertainty and doubt to encourage them to clip their nails, brush their teeth and wash behind their ears.
In the same way that a daily or weekly hygiene routine is bottom of the list of things to do for many tweens, cyber-hygiene may have the same lack of priority among fellow colleagues, including our security teams and our executives. Yet in the same way COVID-19 has encouraged us to ramp up our personal hygiene, the increasing threat environment in recent years has forced us to improve our cyber-hygiene. It operates on several levels – personal, departmental and across our security infrastructure. The stats ram home two messages:
- Security teams are overwhelmed by the metrics and reporting they produce while trying to understand their hygiene levels. Our latest survey of over 1200 senior security leaders tells us they spend 54% of their time on this
- Attacks usually succeed because a control has failed, a failure that good hygiene would have caught and corrected beforehand
Cyber-hygiene covers many more areas than your average teen needs to worry about in their personal hygiene. Doing the fundamentals right (some call this the basics, but alas, it's far from basic to achieve) is no longer optional, as adversaries continue to buy capability from a service economy and automate their attacks. Their mission is a return on investment, so, unlike many internal assurance processes, they are motivated to find the flaws in our hygiene rather than to demonstrate that we comply with policies and regulations.
To respond, there is only one option: automate the assurance process and achieve full transparency by taking any 'massaging' of the numbers out of the loop. In cyber terms, this means moving to automated, continuous identification of control failure, and in particular proactive, continuous measurement of control gaps. Typical gaps to measure are machines not running AV, applications that have never been scanned, leavers whose accounts still hold permissions, devices missing from vulnerability scans, users who have never received a phishing test, out-of-date software and unauthorized software. Equally important, there must be an up-to-the-moment record of who is accountable for each asset, so that every remediation can be attributed to an owner and acted on swiftly.
This is a difficult problem, but we must solve it. There is no alternative. We cannot accept inaccuracy in our CMDB, and we can no longer accept that 90% coverage is good enough, unless we know exactly which assets make up the other 10% and why they are uncovered. Nor can we assume that a tool we bought is still switched on and working effectively.
We've moved past the teenage years where 'perceived hygiene' might be good enough; we need strong hygiene all the time if we're to stay clean. That requires excellent data quality in our hygiene metrics and measurements before we can be sure of our security posture. Complete, accurate, clear, timely, precise and reconciled risk data, with demonstrable integrity, must be available automatically to verify that we can see all our assets, that they are built as expected, that our controls cover them and that those controls are well configured.
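The reconciliation described above (continuous measurement of control gaps with an owner attached to each, naming the uncovered 10% rather than just sizing it, and treating a silent tool as a failed control) is easiest to see as code. The following is an added example and is not code from the original post or from any product; the CMDB, AV console, vulnerability scanner, HR leaver feed and directory exports are constructed stand-ins with assumed field names and values, and the freshness thresholds are illustrative.

```python
"""Continuous control-gap reconciliation across asset and control inventories.

Added example, not code from the original post. Every data source below is a
constructed stand-in for a tool export; field names and thresholds are assumptions.
"""
from collections import Counter
from datetime import date, timedelta

AS_OF = date(2024, 3, 1)           # evaluation date for the constructed data
MAX_AGENT_AGE = timedelta(days=7)  # an AV agent silent longer than this counts as failed
MAX_SCAN_AGE = timedelta(days=30)  # a host unscanned longer than this counts as a gap

# Constructed CMDB export: hostname -> owner (the accountability record).
CMDB = {
    "web-01": "team-web", "web-02": "team-web", "db-01": "team-data",
    "jump-01": "team-infra", "lap-0042": "alice", "lap-0077": "bob",
    "print-01": "team-infra", "kiosk-03": None,         # no owner recorded
    "legacy-07": "team-data", "build-01": "team-dev",
}
# Constructed AV console export: hostname -> last check-in.
AV_LAST_SEEN = {
    "web-01": AS_OF, "web-02": AS_OF - timedelta(days=1), "db-01": AS_OF,
    "jump-01": AS_OF - timedelta(days=40),   # installed but silent: not working
    "lap-0042": AS_OF, "lap-0077": AS_OF, "build-01": AS_OF,
    "ghost-09": AS_OF,                       # reports to AV but absent from CMDB
}
# Constructed vulnerability scanner export: hostname -> last completed scan.
VULN_LAST_SCAN = {
    "web-01": AS_OF - timedelta(days=3), "web-02": AS_OF - timedelta(days=3),
    "db-01": AS_OF - timedelta(days=3), "jump-01": AS_OF - timedelta(days=3),
    "lap-0042": AS_OF - timedelta(days=45), "build-01": AS_OF - timedelta(days=2),
    "print-01": AS_OF - timedelta(days=3), "kiosk-03": AS_OF - timedelta(days=3),
}
# Constructed HR leaver feed (user -> leave date) and directory export (user -> enabled).
LEAVERS = {"carol": date(2024, 2, 10)}
ACCOUNTS = {"alice": True, "bob": True, "carol": True, "dave": False}


def find_gaps(as_of=AS_OF):
    """Return one finding per failed control as (asset, control, detail, owner)."""
    findings = []
    for host, owner in CMDB.items():
        seen = AV_LAST_SEEN.get(host)
        if seen is None:
            findings.append((host, "av", "no AV agent registered", owner))
        elif as_of - seen > MAX_AGENT_AGE:   # the tool is bought and installed, but not working
            findings.append((host, "av", f"agent silent for {(as_of - seen).days} days", owner))
        scanned = VULN_LAST_SCAN.get(host)
        if scanned is None:
            findings.append((host, "vuln-scan", "never scanned", owner))
        elif as_of - scanned > MAX_SCAN_AGE:
            findings.append((host, "vuln-scan", f"last scan {(as_of - scanned).days} days ago", owner))
    # Assets a control knows about but the CMDB does not: the CMDB itself is inaccurate.
    for host in sorted((set(AV_LAST_SEEN) | set(VULN_LAST_SCAN)) - set(CMDB)):
        findings.append((host, "cmdb", "seen by a control but not in CMDB", None))
    # Leavers whose account is still enabled.
    for user, left in LEAVERS.items():
        if ACCOUNTS.get(user) and left <= as_of:
            findings.append((user, "iam", f"leaver since {left}, account still enabled", "hr-offboarding"))
    return findings


def coverage(findings, control):
    """Coverage of one control over CMDB assets as (percent, failing assets), so the gap is named, not just sized."""
    failing = sorted(f[0] for f in findings if f[1] == control and f[0] in CMDB)
    total = len(CMDB)
    return round(100 * (total - len(failing)) / total, 1), failing


def unattributed(findings):
    """Findings with nobody to ask for a fix: the first thing to remediate is the ownership record."""
    return [f for f in findings if f[3] is None]


if __name__ == "__main__":
    gaps = find_gaps()
    for control in ("av", "vuln-scan"):
        pct, failing = coverage(gaps, control)
        print(f"{control}: {pct}% covered; failing: {failing}")
    print("findings by owner:", Counter(f[3] for f in gaps))
    print("unowned findings:", unattributed(gaps))
```

Run on the constructed data, AV coverage comes out at 60% and scan coverage at 70%, but the useful output is the named list behind each percentage, the per-owner tally that turns findings into work queues, and the two unowned findings (an asset with no owner recorded and a host no inventory has ever claimed), which are where a real programme should start.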
The benefits are numerous. If we reduce the risk of a breach via a failed control, we have a lot less work to do on metrics and reporting and we can spend more time securing rather than measuring. Hygiene might not be the most exciting security topic, but it’s the most important.