I have felt for some time that we as cybersecurity professionals are victims of our own excellence. Regardless of our role, we take our delivery very seriously, and we set the bar very, very high for ourselves and the organizations we work for.
This is, of course, encouraged by both society and our industry. We all want to be as good as we can be, and professional excellence is highly prized and often well rewarded.
In all my most recent positions I’ve had the benefit of working with a bunch of nerds. I’ve been able to call on specialists in almost any area of cybersecurity at the drop of a hat, and both I and my colleagues love going headfirst down some rabbit hole and seeing how far we can get.
If I talk to my ISO guy he can rattle off standards and versions and give me a list of 200 things that an organization just has to have in their controls. My architect colleagues can talk for hours about the importance of a mature reference architecture for the enterprise’s cybersecurity practice. If you work offensively you will preach the benefits of a pen test until the cows come home.
Not to mention my technical colleagues in incident management, detection, forensics, access control, infrastructure, or threat analysis.
Each of them is more than capable of talking and writing about their field of expertise at great length and at a very sophisticated level.
And this is great. It really is.
Except …
I also see many small to medium-sized companies that want to improve their cybersecurity posture get bogged down by one specialist after the other, and the well-intentioned initiatives often end up shelved long before they produce any actual action.
If we want to develop an ISMS we get a list of 42 different documents that need to be prepared, and we can’t possibly perform a risk analysis without making sure it’s scientifically quantifiable.
But … it doesn’t have to be this fucking complicated, does it?
Just like the best camera is the one you have with you, the best approach to cybersecurity is the one that actually effects change. If a simplistic approach gets a company off the couch and actually taking action, then that is the correct approach, even if other methods are more elaborate, more complicated, and more “advanced”.
We’ve talked a lot about the 80/20 rule at work. You know, the so-called Pareto Principle, which states that 80% of the effects typically come from 20% of the causes. “The rule of the vital few and the insignificant many.”
· 20% of your customers account for 80% of your sales.
· But 20% of your customers also account for 80% of your complaints.
(The Pareto Principle will not tell you whether it’s the same 20%)
In our work we loosely translated it to mean that we can produce an 80% solution in 20% of the time it would take us to create a “perfect” solution (perfect by our own haughty standards). More than once one of us would start to slide down one rabbit hole or another, and would quickly be reminded of the 80/20 rule.
We also noticed that there were times we missed promised deliveries because we strove for the 100% solution, when in fact our 80% turned out to be well above what the customers could have produced themselves, and they were still very appreciative. And we would have made our deadlines.
It’s “Good Enough”, quite simply. And though that expression is often used to signal a basic lack of trying, in its purest sense it can also be exactly right. “Good enough” is sometimes exactly that.
“Low hanging fruit” is another way we sometimes say it. Does anyone want to guess whether it would take 20% of the time to pick the 80% of the apples that can be reached from the ground?
When I work with an organization that is just getting started taking cybersecurity seriously, it’s a way to help us focus. Maybe we find that we can roll out anti-malware on 80% of our asset inventory in the first 20% of the project, or that we can manage 80% of our access profiles with a simple solution that costs 20% of what the fancy one covering every eventuality would. Our goal should eventually be 100%, in due time … but we should be careful not to skip those short first steps that have such big impact just because we don’t have the 100% solution yet.
This book is not designed to be an all-encompassing guide to every aspect of every domain within cybersecurity. Quite the opposite. It’s going to walk through how you can take advantage of existing structures and frameworks and use them to get quick action instead of trying to reinvent the wheel yourself. I will take shortcuts you don’t approve of, and I will try to simplify subjects you have spent your whole life getting better at.
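The 80/20 focus described above is easy to state and easy to forget once a scan report lands on your desk. The following is an added example, not code from the book or the author: it takes a constructed count of open findings per asset (the host names and numbers are made up) and returns the smallest set of assets that carries a target share of the findings, so you can see how much of the risk the “vital few” machines hold before you plan the first short step. The function and data names are this example’s own.

```python
"""Pareto cut over a constructed vulnerability-scan summary.

Added example (not the author's code). Given open findings per asset, rank
the assets and return the fewest that account for a target share of the
findings, plus what fraction of the inventory that is.
"""
from typing import Dict, List, Tuple

# Constructed inventory: open findings per asset. Hypothetical host names,
# made-up counts, chosen only to illustrate a skewed distribution.
FINDINGS_PER_ASSET: Dict[str, int] = {
    "web-01": 80, "web-02": 45, "db-01": 12, "jump-01": 6, "fs-01": 4,
    "print-01": 3, "hr-laptop-03": 2, "hr-laptop-07": 2,
    "kiosk-01": 1, "badge-ctl": 1,
}


def pareto_cut(counts: Dict[str, int],
               target_share: float = 0.8) -> Tuple[List[str], float, float]:
    """Return (assets, findings_share, asset_share).

    assets         -- fewest assets, highest counts first, whose findings
                      reach at least target_share of the total
    findings_share -- the share those assets actually cover (>= target)
    asset_share    -- len(assets) / len(counts), i.e. the "20%" side
    Ties are broken by asset name so the result is deterministic.
    """
    if not 0 < target_share <= 1:
        raise ValueError("target_share must be in (0, 1]")
    total = sum(counts.values())
    if total == 0:
        return [], 0.0, 0.0
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    chosen: List[str] = []
    covered = 0
    for asset, n in ranked:
        chosen.append(asset)
        covered += n
        if covered / total >= target_share:
            break
    return chosen, covered / total, len(chosen) / len(counts)


def pareto_report(counts: Dict[str, int], target_share: float = 0.8) -> str:
    """Human-readable one-liner for a status update or a kickoff slide."""
    assets, f_share, a_share = pareto_cut(counts, target_share)
    return (f"{len(assets)} of {len(counts)} assets ({a_share:.0%}) carry "
            f"{f_share:.1%} of open findings: {', '.join(assets)}")


if __name__ == "__main__":
    print(pareto_report(FINDINGS_PER_ASSET))
```

Run it and the constructed data gives two of ten assets carrying just over 80% of the findings. Real inventories rarely land on exactly 80/20, which is fine; the point of the cut is to name the handful of hosts to patch or segment first, not to prove the ratio.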
Sorry … Not sorry.
I’m writing this from the perspective of an IT department. At times it’ll sound like I take a “we against them” approach to parts of the rest of the organization, but it’s IT that has the power to effect actual change in cybersecurity maturity, so this is where I’m starting. To keep things as simple as possible I focus on the group that will make actual change happen.
I will also introduce a new dimension in Cybersecurity Assessments which I think will yield more nuanced results and a quicker path to actionable measures.
Here we go!
80/20 Cybersecurity
Copyright © 2023 80/20 Cybersecurity