Phil Bindley, Intercity's Field CISO and author of Simply Cyber, shares his latest article on 'fixing the bridge'.

I was browsing LinkedIn earlier and came across a post with this image. A study was conducted to see how people responded to a simple question: "You have three seconds to fix the bridge. What do you do?"

The vast majority of people in this simple test added the blue brick. Very few removed the yellow brick on the right-hand side. I don't want to get into a viral conversation about bridge engineering, and there is no right or wrong answer. However, this did make me consider and draw parallels with the approach we take to Cyber Resilience. I will expand.

Simply put, and within the promised philosophy of this series: why do we keep adding bricks to solve the problems we face in Cyber Security and Cyber Resilience? We seem to have become addicted to a "just one more" mentality, adding tools and services in a very disconnected manner as tactical responses to an emerging threat, or out of a necessity or intent to comply with a particular standard.

One of the pieces of research I have been doing recently involves Human Risk Management and the failure of the current approach to what may be widely termed "Traditional Security Awareness Training" ("Why are they still all clicking on the links?"), specifically the use of nudges to encourage more critical thinking before acting. This, the image above, and a conversation with someone in the process of writing their dissertation on cyber espionage gave me pause for thought.

Perhaps we need to hit the reset button.

Cyber Security technology sprawl is out of control. It results in poorly managed, overly complicated, high-cost cyber security technology stacks and, worst of all, a potential false sense of security. Let's go back to basics and start with Security 101: Confidentiality, Integrity and Availability. This is all about managing risk, so why don't we take a step back, stop doing and start thinking, critically thinking, about the risks our organisations face and how best to mitigate those risks in a consolidated, collaborative and comprehensive manner?

It's really easy to understand how we got here, but it is not sustainable: the costs are prohibitive, the skills are not in abundance, and many organisations still treat Cyber Risk as a problem for the IT Team to deal with.

Let's get started.

Baseline your organisation against a number of security standards, understand where the gaps are and what the risks are, then decide what you are going to do about them, or decide, deliberately, not to.

Sounds complex? Sounds time-consuming? Sounds like something for the "too hard" bucket? It's not, but if you need some guidance on how to get started, let's talk.