Maturing Our Cyber Security Programs
We need "time in cycles", not yearly compliance, to mature our cyber programs and safety

Cyber security is complex and often polarised by budget constraints, cycles of attention, and varying compliance requirements.

It's easy to fall into the trap of thinking we're secure just because we've ticked all the compliance boxes.

But as we've observed time and time again, true security is not about completing a checklist — it's about cultivating a dynamic, comprehensive approach that evolves with the threats we face.

Compliance frameworks are a double-edged sword. On one hand, they provide a structured approach to security, ensuring organisations meet certain standards. On the other, they create a false sense of security, making companies believe that passing an annual penetration test is enough to keep systems safe.

The reality is far more complicated.

As also touched upon in previous newsletters, this traditional approach of the yearly pen test on a specific application is like checking the locks on your front door while ignoring the open windows. It's a start, but it's far from comprehensive.

Cyber security is about people, processes, and technology. It's not just about systems; it's about how people interact with those systems and the processes that govern their use.

Focusing on a single application at one point in time is a missed opportunity to truly improve the security posture. From "on-prem" infrastructure to cloud services and mobile devices to authentication systems, we need to consider the entire ecosystem.

Many organisations will say to this: "Well, we have wider controls. We scan."

That's true, but vulnerability scanning has four major issues:

  1. A limited understanding based on predefined knowledge and instructions, unaware of unknown assets or critical paths within the organisation or supply chain.
  2. A reactive approach triggered by compliance requirements and cyclical security assessments that may miss emerging threats.
  3. A scope-focused approach that can hinder the effectiveness of security measures.
  4. Limited scanning depth, such as relying only on unauthenticated scans or requiring authentication credentials to access deeper layers of applications.

With the plethora of security tools available, it's easy to get lost in a sea of alerts.


Signal vs. noise

Compliance-related requirements, which have legal and commercial implications, often skew the signal-to-noise ratio. While these requirements serve their purpose, they can generate a significant amount of noise from day-to-day scanning activities, leading to increased workload.

I found Steve Zalewski's recent post on managing security alerts particularly interesting. He raised important questions and sparked a lively debate around the topic.

William Harmer, CISSP, CISM, CIPP brought a valuable perspective to this conversation, suggesting treating security alerts as data points, not just alerts. This allows for the use of data to identify trends and patterns. Some data points may reach a critical threshold, individually or when combined with others.

Sue Bergamo noted that many security teams are overwhelmed by alerts and focus too much on individual ones. She suggests starting with desired outcomes and working backwards to identify important alerts.

The solution to reducing alert fatigue and cutting through the data clutter?

Prioritise prevention and threat modelling, experts like Eric Staffin and Perry Young agree.

What a goldmine of insights and validation of the fact that, Houston, we have a problem!


Finding the right balance

Maturing a cyber security program isn't an overnight process.

That's why, at Chaleit, we love to build long-term partnerships with clients. Transformation comes as a function of time.

Whether you work with a consultancy or not, you will notice that most security programs don't mature early. You're not going to see a big impact straight away. You only achieve that by using the compounding principle.

Outcomes require iteration, collaboration, a willingness to adapt, and looking at the bigger picture over time.

It's wonderful to interact with security programs that already have a degree of maturity. Technology adoption, efficient workflows, and recognising both the enabling and vulnerable role of employees within security are markers of that.

But what if your program is not there yet? How can you move from a checklist mentality to a more holistic approach to cyber security?

Here are my recommendations:

  • Collaborate and iterate. Work closely with your security partners in sprints, prioritising risk management and making incremental improvements.
  • Set achievable goals. Implement changes over a longer period, ideally aligning with compliance cycles. This long-tail approach to optimisation can help avoid overwhelming your team and ensure sustainable progress.
  • Focus on quality, not quantity. Instead of trying to collect all possible data, focus on the information that truly matters to your organisation's risk profile.
  • Align with business risk appetite. Understand your organisation's tolerance for risk and tailor your security measures accordingly.
  • Embrace imperfection. Coming back to Steve Zalewski, he emphasises something crucial: it's okay to have an incomplete picture. Paradoxically, you get visibility by not looking for everything. Aim for the most accurate view possible.
  • Invest wisely. Direct your resources towards measures that genuinely improve your security posture, not just those that tick compliance boxes.


The Goldilocks effect

In the end, effective cyber security is about finding the right balance — not too lax, not too restrictive, but just right for your organisation's needs and risk profile.

We still engage in risky behaviours daily (nod to my friend and CISO Shana Uhlmann who so very cleverly navigates this aspect of thinking), like driving our cars, but we mitigate those risks by wearing seatbelts and driving safely. Similarly, investing the right amount in security measures, having the necessary skills, and implementing appropriate mitigations can help manage risks effectively.

Simple is not easy, but we're here to help.

What are your thoughts on this approach? How has your organisation balanced compliance requirements with practical security needs? Are there any strategies you've employed to mature your cyber security program?

I look forward to hearing your insights and experiences.


#CISO #cybersecurity

Tony Gonzalez, CRISC, CDPSE, QTE

Fortune 50/500 Cybersecurity Executive/Executive and Cybersecurity Advisor/vCISO

1 month

Another great and pertinent article that really calls out that point-in-time snapshots are just that. As Sue Bergamo commented, everything in our environments is always going through rapid change. It's about real-time and continuous monitoring and reporting and continuing to move the needle toward that as the ultimate goal.

AZMAT ULLAH

Police Sub-Inspector | LL.M Student | Learning Cyber Security

1 month

Thanks for sharing your insights on maturing cyber security programs. It's a complex topic, and your approach of focusing on people, processes, and technology is spot on. I especially appreciate your emphasis on collaboration, iteration, and finding the right balance between compliance and practical security needs.

Completely agree! It's all about finding a balanced, evolving approach, not just ticking boxes. Love the lock-and-window analogy. Spot on!

Yogesh Jadhav

CTO Choice Group | Cybersecurity Thought Leader | Empowering SMEs | Passionate about Product Development & Engineering | An entrepreneur at heart

1 month

It's refreshing to see the focus on moving beyond compliance checklists. The real challenge is fostering a security culture that adapts as threats evolve, rather than relying on periodic assessments. Prioritizing threat modeling and continuous improvement over time creates a more resilient security posture, which ultimately aligns with long-term business goals.

Jane Frankland

Cybersecurity Influencer | Advisor | Author | Speaker | LinkedIn Top Voice | Award-Winning Security Leader | Awards Judge | UN Women UK Delegate to the UN CSW | Recognised by Wiki & UNESCO

1 month

Dan, love this reflection! It's so true that the best outcomes come from genuine connections and shared learning. I recently had a chat with a fellow cybersecurity pro and we ended up brainstorming solutions neither of us would have thought of alone. And you and I do this regularly. Curious, what's been your most memorable 'aha' moment from these conversations recently?
