Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    Every Cybersecurity List Should Be a Risk-Ranked List

    blog.knowbe4.comhubfssocial-suggested-imagesblog.knowbe4.comhubfsSocial Image RepositoryEvangelist Blog Social GraphicsEvangelists-Roger Grimes-1.Cybersecurity is all about risk management and reduction. You cannot get rid of all risk. Well, I guess you could, but you (and everyone else) would probably not want to work in a true zero-risk environment.

    It would be too locked down, super slow, and incredibly inflexible. Cybersecurity is all about identifying the most likely and impactful risks and reducing them.

    To repeat, cybersecurity is about risk management. Identify the biggest risks and mitigate those the best you can. That is your job.

    Unfortunately, most within the industry don't do it well. There are thousands of threats and hundreds of shiny objects that distract most cyber defenders away from directly focusing on the most important risks. We are distracted and focusing on less risky things while not focusing on the right, more likely, more damaging risks. It is literally the number one reason why hackers and their malware creations are so continually successful over the decades.

    I do not blame most defenders. We are tasked with protecting all the valuable digital data, but our industry almost never uses or talks about our own industry’s data to drive what we should be focusing on first and best. I know, it is ironic. 

    Part of the problem is that we are constantly handed lists…list of required controls…list of things we are being asked to fix or improve…lists of new projects…lists of threats, and so on, that are not ranked for risks. For example, we are often given a cybersecurity guideline (e.g., PCI-DSS, HIPAA, SOX, NIST, etc.) with hundreds of recommendations. They are all great recommendations, which if followed, will reduce risk in your environment. 

    What they do not tell you is which of the recommended things will have the most impact on best reducing risk in your environment. They do not tell you that one, two or three of these things…among the hundreds that have been given to you, will reduce more risk than all the others. 

    More often we are told we need to do all the hundreds of things well at once. And no one can do more than a few things very well at once. And so, defenders are very likely to concentrate on things that will not impact risk while at the same time, not focusing as much on things that matter more. It is bound to happen. The list of controls is not risk-ranked. And any time anyone is concentrating more on a less risk-reducing control means you are being less efficient at reducing risk than you otherwise could.

    The solution?

    Here is one big one: Do not use or rely on un-risk-ranked lists. Require any list of controls, threats, defenses, solutions to be risk-ranked according to how much actual risk they will reduce in the current environment if implemented.

    This is easy to say and harder to do.

    But any time you see an unranked list of cybersecurity things, risk-rank it as the first step, before you start to consider which ones you will rely on. Everything else is inefficient.

    It does not help that nearly every “official” cybersecurity document with recommendations or requirements is ALWAYS un-ranked. All the recommendations, good at reducing risk or not so good, are co-mingled together, often randomly, or in ways that defy explanation. 

    Here is a recent example: CISA’s Proposed Security Requirements for Restricted Transactions.

    I am a huge fan of the Cybersecurity Infrastructure Security Agency (CISA), and Director Easterly and her staff. I think they have the best U.S. government agency dedicated to fighting hackers and malware ever! But I am a bit of an editor on their published documents. Specifically, CISA documents are often full of unranked recommendations (and sometimes missing some critical ones).

    This specific CISA document has at least 21 main recommendations, many of which lead to two or more other more specific recommendations. Overall, it has several dozen  recommendations, each of which individually will likely take weeks to months to fulfill in any environment if not already accomplished. Any person following this document is…rightly…going to be expected to evaluate and implement all those recommendations. And doing so will absolutely reduce risk.

    The catch is: There are two recommendations that WILL DO MORE THAN ALL THE REST ADDED TOGETHER TO REDUCE CYBERSECURITY RISK most efficiently: patching and using multi-factor authentication (MFA). Patching is listed third. MFA is listed eighth. And there is nothing to indicate their ability to significantly reduce cybersecurity risk as compared to the other recommendations. Two of these things are not like the others, but how is anyone reading the document supposed to know that patching and using MFA really matter more than all the rest? 

    And I am ignoring that the biggest possible risk reducer…that of giving aggressive security awareness training to your employees which is better at reducing risk than any of them added up all together…is not even mentioned. But I do not want to get off topic.

    And this is a huge problem that does not get enough focus. 

    If someone is breaking into your house over and over, using the windows, what good is putting more locks on your door going to do? But imagine that thieves are breaking in through your windows and the people gave 20 things to do, only one of which was to better secure your windows, and that recommendation was co-mingled in the middle with all the rest. How likely would a homeowner be to look at the list of 20 things and figure out that one of the things in the middle would solve their problems and all the other things in front and around it would not matter at all?

    Well, that is how we often practice IT security. We make lots of recommendations…hundreds of recommendations, but we usually do not pick out the ones that mean more than all the others. We certainly do not highlight them.

    And so, we end up teaching ourselves to work in a distracted manner trying to implement a ton of things that really will not matter that much while often neglecting the things that will matter. It is not that we neglect them completely or ignore them…it is just that they are added into the dozens to hundreds of things as if they have the same importance. And they do not. 

    If you want to become a superior computer security professional, stop creating or accepting lists of un-ranked things. When you create a list of things that require action of some sort, rank them. If you create a list of controls, risk-rank them. If you create a list of things that need to be fixed, risk-rank them. If someone hands you a list of un-ranked things, hand it back and tell them to risk-rank them…or rank them yourself before performing. 

    Running off to do a bunch of things before you risk-rank them just is not very efficient. If your objective is to best reduce risk as efficiently as you can, risk-rank everything that should be risk-ranked. Stop accepting un-risk-ranked lists. Become known as the person in your company that does not accept un-risk-ranked lists. If you do it, more people in your organization will do it. And you can build a great career solely on being a person that does that…because most practitioners do not.

    If you are interested in more of this type of common sense wisdom, I wrote a best-selling book on the idea called A Data-Driven Computer Defense. It has sold over 50,000 copies over three editions. Or you can just follow my free articles on the KnowBe4 blog because I am a broken record about the subject.

     

    Return To KnowBe4 Security Blog

    Find out if your organization's MFA solution
    can be hacked by cybercriminals now!

    Did you know that all MFA mechanisms can be hacked, and in some cases it's as simple as sending a phishing email? That's why it's important to know the exact security risks your MFA solution has and how your users' accounts may be compromised.

    masareport-thumbHere's how MASA works:

    • You will receive a custom link to take your assessment
    • Answer a series of technology questions relevant to your MFA solution
    • Get an instant high-level snapshot of potential risks with your MFA
    • Receive your in-depth report packed with actionable insight and detailed analysis on specific MFA attacks and tips for your top defenses 

    Assess My MFA Solution Now!

    PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

    https://www.knowbe4.com/multi-factor-authentication-security-assessment

    Topics: MFA

    Roger Grimes

    ABOUT ROGER GRIMES

    Roger A. Grimes is Data-Driven Defense Evangelist at KnowBe4. He is a 30-year computer security professional, author of 13 books and over 1,200 national magazine articles. He frequently consults with international organizations of all sizes and many of the world’s militaries. Grimes regularly presents at national computer security conferences, and is known for his often contrarian, fact-filled viewpoints.

    Read more from Roger »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews