I’m going to answer perhaps the most critical question you need to ask about cybersecurity: what should be my guiding principles to remain as secure as possible?
The answer: make it totally (almost) automatic or dead simple.
Full disclosure, when I hear the phrase “totally automatic,” the 1983 Pointer Sisters hit Automatic starts playing in my head. Want to see and hear a blast from the past? YouTube has a live recording of the song from that era. But don’t follow the Sisters’ method in your cybersecurity, as apparently all of their systems are down, down, down, down.
Totally (Almost) Automatic
The first, and most important, principle of an effective cybersecurity program is automation. Let me try to say this very clearly. People mess stuff up! People forget stuff! I make mistakes all the time, and if you’re totally honest, you’d probably admit you do too. And if I don’t write something down, or put it in my electronic calendar, there is a good chance I’ll forget it.
Your users, your boss, and anyone involved in your cybersecurity program will also make mistakes and forget things. To counter this undeniable fact of human nature, I bring you The Principle of Automation.
The Principle of Automation is simple: automate every aspect of your cybersecurity that can be safely and securely automated. In our LRS NIST Cybersecurity Framework courses, we cover the CIS V8 Controls. The controls themselves state that they are meant to be implemented primarily through automation.
In fact, NIST cybersecurity training is all about what automation brings: immediate identification of what needs to be secured, protection of systems and assets without manual intervention, rapid detection of threats and potential security events, accurate and targeted responses, and recovery to the previous state or to a more secure one. We invest the time with you to see all of the areas that must be secured and discuss the methods to do so in an automated fashion. Why? It’s faster, more reliable, more consistent, and less prone to error than doing it manually.
Dead Simple
Dead simple means as simple as it could possibly be. For example, our LRS NIST Cybersecurity Framework Certification exams are NOT dead simple, but the process to take them is. Side note: each of our LRS NIST Cybersecurity courses includes the associated exam for FREE, along with one no-charge re-take.
Quick review, because it has been more than 300 words since I said it. The guiding principles to be as secure as possible are: make it totally (almost) automatic OR dead simple. The OR is very important. If you can automate it, then do so. But if it cannot be automated, then make it dead simple.
A complex set of steps for a user, or even a security pro, to follow in order to be secure will lead to being less secure. Wait, perhaps I should simplify that statement. Did you see what I did there? No? Too bad, it’s kinda funny.
Here’s the formula: Unnecessary Complexity = Lower Security
Dead simple enough?
Any extra work on the part of any person in any process that impacts security almost always leads to that process being less secure. Why? People mess stuff up! People forget stuff!
If you want better security in your organization, don’t burden people with onerous, obscure security requirements. Make it dead simple. Make it more difficult to do it wrong than to do it right. When we are running our NIST cybersecurity courses, we get into some very detailed information. The NIST Cybersecurity Framework itself has two Framework Profiles, four Implementation Tiers, six Informative References, five Core Functions, 23 Categories, and 108 Subcategories, not to mention the thousands of entries in the Informative References. There is some complexity in the Framework!
But do you know what we spend the majority of our time on with our NIST cybersecurity training students? Breaking it all down into dead simple chunks.
People learn best when it makes sense, and it makes more sense when it’s dead simple. People take the best action when it’s dead simple. Your NIST Cybersecurity Framework-based program will be easier to implement, less difficult to maintain, and more secure when it’s totally (almost) automatic or dead simple.
Troy Stoneking, Certified NIST Cybersecurity Framework Professional Trainer and Cybersecurity Assessor