The Hardest Problems in Security Aren't "Security Problems"
Security faces many problems. Asset inventory, patching automation, config management, and device administration are all perennial challenges. But how many of them are related to security specifically?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by David Spark, the producer of CISO Series, and Geoff Belknap. Joining them is Sneha Parmar, information security officer, Lufthansa Group Digital Hangar.
Build the foundation
Addressing persistent cybersecurity challenges requires focusing on foundational issues and improving organizational integrations. "Since the early 2000s, we have known these to be the critical things to ‘get right.’ Nearly a quarter of a century later, the same problems persist," said Phillip Miller, MA, CISSP, CISO at Qurple. "The real problem is security being treated as a discrete function instead of an embedded reality." The lack of a solid foundation is arguably why we need so many cybersecurity startups in the first place. Without the basics, you’re always aiming at a shifting target. "The number one thing you can do for security is configuration management. CM is a prerequisite for everything else. As Carl Landwehr stated years ago, the economic boom in cybersecurity is a consequence of poor engineering," said Mark W. from MITRE.
Building at scale
To build that foundation, you need operational discipline and a focus on the basics, even when they are difficult to achieve. 郑尔康 of JupiterOne emphasized the challenge of achieving these basics at scale, adding, "I wish more of us in the industry would invest more time/resources/tools into doing better at the basics. And let’s accept that there really isn’t an ‘easy button’ for this." A big part of this operational discipline means doubling down on accountability: "Simply knowing what’s attached to your network and who to contact about it cannot be overappreciated," said Sergei Rousakov of Apple.
Excelling at boring
Part of the issue with achieving these basics is the split many organizations impose between cybersecurity and IT. These need to be able to move in lockstep. "It's IT lifecycle management that I maintain is one of the most glaring nemeses to good security," said Jerry Davis, MSc. of Cisa Group. Another reason the basics don’t get done is that they seem boring. There’s a real human factor to consider: no one is excited to get these initiatives done. "The difference between mediocrity and excellence is simply doing the basics to a high standard. Boring, unsexy, unexciting, and utterly critical. The real issue is lack of communication and collaboration. But there's no product for that," said Simon Chapman of Conversec.
Knowing what you’ve got is half the battle
Maintaining a robust asset inventory isn’t specifically in the cybersecurity purview, but it’s critical for reducing cyber risk and improving operational hygiene. "The Center for Internet Security stated categorically that you could reduce 80% of your cyber risk by having a good asset and software inventory," said Dr. Joe Lewis, CISO at the Centers for Disease Control and Prevention. "Neither of those two things are specifically cyber, but are areas we consistently struggle with." Ramin Ettehad of Oomnitza stressed the importance of integration: "I'd argue that it's crucial for the asset inventory to avoid becoming yet another data silo. It should be a living, integrated layer across your security, business, and IT systems to create a 360° view of all your technology assets. Without this, you'll end up relying on manual tasks, which create blind spots and erode operational hygiene."
Thanks to our other unwitting contributors: Yaron Levi, CISO at Dolby Laboratories, and Darren Desmond, CISO at The AA.
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now. Thanks to Fenix24 and Conversant Group!
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
Join us TOMORROW for "Hacking the Third-Party Risk Management Process"
Join us Friday, January 31, 2025, for “Hacking the Third-Party Risk Management Process: An hour of critical thinking about practical tips for reviewing risk.”
It all begins at 1 PM ET/10 AM PT on Friday, January 31, 2025, with guests Crystal J., SME, security, governance, risk and compliance, Vanta, and Joshua Brown, former CISO, H&R Block. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, Vanta
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Alexandra Landegger, global head of cyber strategy & transformation, RTX. Thanks to Conveyor!
Thanks to our Cyber Security Headlines sponsor, Conveyor
I'm a Security Leader who has built a successful security metrics and reporting program - Ask Me Anything about demonstrating security's value to the business.
This week CISO Series is running its monthly AMA ("Ask Me Anything") on r/cybersecurity.
This week's discussion: I'm a Security Leader who has built a successful security metrics and reporting program.
Our participants:
Christopher Donaldson, director, risk3sixty
Jack Jones, principal consultant, Risk Management Insight
Brandon Pinzon, CISO and advisor, SPKTR Ventures
Jack Freund, advisor and former CRO at Kovrr Risk Modeling, Ltd.
Jump into the conversation here.
Jump in on these conversations
"Cyber leaders what's your biggest frustration when it comes to hiring?" (More here)
"It's Happening Again" (More here)
"VirusTotal: Underrated or Overrated?" (More here)
Coming up in the weeks ahead on Super Cyber Friday we have:
Save your spot and register for them all now!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact us.
I help CISOs reduce their engineering and architectural backlog while saving time and money.
3 weeks ago: Great summary. The “boring”, unsexy work should be prioritised.
IT Project Management Specialist @ Stanford CSM, ITIL4, CompTIA Security+
4 weeks ago: This is great and so on point!
Experienced CISO | Building Sustainable Security Frameworks for Tomorrow’s Challenges
1 month ago: Well summarized.