Cybersecurity Controls – All Are Not Created Equal
The last time I bought a new pair of ski boots was the late 90s. Just to give you some sense of how long ago that was, my mom paid for them.
But on my final day of the 2023 winter season, the top buckle buckled and broke off. So I cranked the strap as tight as I could and skied for half a day. It wasn’t the most comfortable, but it more or less worked.
Now, 25 short years later, the old pair needs replacing. (When I told my mom, she quipped, “I don’t think I still have the receipt to return them!”)
So last week, I went to Boston Ski + Tennis to find something new. The process was amazing; my 90-minute fitting session with a “ski boot specialist” led to the exact right boot for me. Throw in the custom inserts I opted for and the fit is super-comfortable.
Contrast this with my original buying experience all those years ago. I don’t remember it clearly, other than the fact that my aunt and uncle were there and they had to lie on the floor to help me get the boots on. Not exactly “high quality” customer service!
You won’t be surprised to learn that my two dissimilar ski boot experiences got me thinking about cybersecurity controls (I’m not embarrassed to admit most things do).
Just as ski boots can differ significantly in both quality and associated customer experiences, cybersecurity is also both a product and a service. And there is a tremendous range of possibilities regarding where you may fall.
Which means saying you have “cybersecurity controls” in place in your company is more or less the same as saying you “own a pair of ski boots.” Neither tells you a whole lot about your expected on-the-ground experience.
Take Multi-Factor Authentication (MFA), for example. Is it on one system, all key systems, every system? Is it optional, the default but still optional, required?
How about Managed Detection and Response (MDR, often referred to as a Security Operations Center)? These solutions monitor the behavior of your environment (e.g., your EDR solution, your network, your cloud hosting platforms), notify you if something out of the ordinary is detected, and take steps to contain the problem.
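The MFA questions above (which systems, and how strictly enforced) are the kind of thing a short inventory check answers better than a yes/no. The following is an added example, not code from the original post or from Fractional CISO: it scores a constructed system inventory against an assumed enforcement scale and lists every system whose MFA setting is weaker than its criticality warrants.

```python
"""Added example: score MFA coverage across a system inventory instead of
answering "do we have MFA?" with a yes or no.

The inventory, the enforcement scale and the 'critical' flags below are
constructed for illustration and are assumptions, not values from the post.
"""
from dataclasses import dataclass

# Assumed enforcement scale, weakest to strongest.
MFA_LEVELS = {"none": 0, "optional": 1, "default_optional": 2, "required": 3}


@dataclass(frozen=True)
class System:
    name: str
    critical: bool  # handles sensitive data or administrative access
    mfa: str        # one of the keys in MFA_LEVELS


# Constructed sample inventory.
INVENTORY = [
    System("vpn", True, "required"),
    System("email", True, "default_optional"),
    System("hr-portal", True, "optional"),
    System("wiki", False, "none"),
    System("ci-server", True, "required"),
]


def mfa_findings(systems, required_level="required"):
    """Return one finding per system whose MFA enforcement is below what its
    criticality calls for: critical systems must meet `required_level`,
    non-critical systems must at least offer MFA."""
    threshold = MFA_LEVELS[required_level]
    findings = []
    for s in systems:
        level = MFA_LEVELS[s.mfa]
        if s.critical and level < threshold:
            findings.append(
                f"{s.name}: critical system, MFA is '{s.mfa}' "
                f"(expected '{required_level}')"
            )
        elif not s.critical and level == 0:
            findings.append(f"{s.name}: no MFA available at all")
    return findings


def mfa_coverage(systems):
    """Fraction of critical systems on which MFA is actually required."""
    critical = [s for s in systems if s.critical]
    if not critical:
        return 1.0
    enforced = sum(1 for s in critical if s.mfa == "required")
    return enforced / len(critical)


if __name__ == "__main__":
    print(f"critical-system MFA enforcement: {mfa_coverage(INVENTORY):.0%}")
    for finding in mfa_findings(INVENTORY):
        print("FINDING:", finding)
```

Run against the constructed inventory, the check reports 50% enforcement on critical systems and three findings; the same organisation would have answered "yes, we have MFA" to a questionnaire.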
But while your MDR may be technically first-rate, if the information is not presented clearly, questions are not answered promptly, and the MDR itself is not efficiently integrated into internal processes, it is not doing what it needs to do.
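Whether an MDR is "efficiently integrated into internal processes" can be measured from the alert timeline: how long it took the provider to notify, how long the internal team took to acknowledge, and whether containment happened at all. The block below is an added example, not code from the original post or any MDR product; the alert records and the SLA thresholds are constructed and assumed.

```python
"""Added example: check MDR alert handling against assumed SLA thresholds.

Alert timestamps and SLA values below are constructed for illustration.
"""
from datetime import datetime, timedelta
from statistics import median

# Assumed SLA: provider notifies within 15 minutes of detection, the internal
# team acknowledges within 30 minutes, and containment is done within 4 hours.
SLA = {
    "notify": timedelta(minutes=15),
    "acknowledge": timedelta(minutes=30),
    "contain": timedelta(hours=4),
}


def _t(hhmm):
    """Helper: parse 'HH:MM' as a time on a fixed, constructed date."""
    return datetime.strptime(f"2023-04-01 {hhmm}", "%Y-%m-%d %H:%M")


# Constructed alert records; None means the step never happened.
ALERTS = [
    {"id": "A1", "detected": _t("09:00"), "notified": _t("09:05"),
     "acknowledged": _t("09:20"), "contained": _t("11:00")},
    {"id": "A2", "detected": _t("10:00"), "notified": _t("10:40"),
     "acknowledged": _t("12:30"), "contained": None},
    {"id": "A3", "detected": _t("13:00"), "notified": _t("13:10"),
     "acknowledged": _t("13:15"), "contained": _t("13:50")},
]

# Each stage is measured from the end of the previous one.
STAGES = [
    ("notify", "detected", "notified"),
    ("acknowledge", "notified", "acknowledged"),
    ("contain", "acknowledged", "contained"),
]


def sla_breaches(alerts, sla=SLA):
    """Return {alert_id: [stage, ...]} for every stage that overran its SLA
    or never completed. A step that never happened is always a breach."""
    breaches = {}
    for a in alerts:
        missed = []
        for stage, start, end in STAGES:
            if a[start] is None or a[end] is None:
                missed.append(stage)
            elif a[end] - a[start] > sla[stage]:
                missed.append(stage)
        if missed:
            breaches[a["id"]] = missed
    return breaches


def median_time_to_contain(alerts):
    """Median detection-to-containment time over alerts that were contained;
    None when nothing was contained."""
    durations = [a["contained"] - a["detected"]
                 for a in alerts if a["contained"] is not None]
    return median(durations) if durations else None


if __name__ == "__main__":
    for alert_id, stages in sla_breaches(ALERTS).items():
        print(f"{alert_id}: missed {', '.join(stages)}")
    print("median time to contain:", median_time_to_contain(ALERTS))
```

On the constructed data, A2 misses every stage (late notification, slow acknowledgement, never contained) while the other two alerts are clean; tracking this per alert over a quarter shows whether the problem sits with the provider, the internal team, or the hand-off between them.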
These are just two examples, but the concept applies across your operation: Metaphorically speaking, are your cybersecurity “boots” held together with an old, broken strap?
Simple Answers Are Not Enough
One-word answers to questions regarding cybersecurity (i.e., yes or no) are guaranteed to overlook what’s really going on. You need a deep evaluation of both tools and processes to know if your program is mature and fully implemented.
Keep in mind as well that when a new process is put in place, it typically requires multiple iterations to get where it needs to be. Cybersecurity is anything but plug-and-play.
The point is, “functioning” is not the same as functioning well. And unlike with a ski boot, signs that a cybersecurity program has deteriorated (or was never up to par in the first place) are rarely visible and obvious.
Remember to swap out your jury-rigged, strapped security controls for something that will get the job done properly (cushy inserts optional).
Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.
This article originally appeared on the Fractional CISO blog.
Enterprise Risk Management Expert
1w Excellent analogy and spot on. I’d like to add that great controls from 5 years ago may become acceptable controls today. The security stick moves with time as business needs change and attacker methods adapt. Case in point, MFA. It used to be MFA was good enough. Now, phishing-resistant MFA is where the bar is set. Subtle difference, but major change. As always, excellent article.
critical first step in the process. Know your exposures before implementing a plan!
Cybersecurity Consultant | Enabling Clients to Focus on Growth by Solving Technology Challenges
2w I think separation of duties and access controls are ripe for this.