The Top Three Challenges with Most InfoSec Programs

TL;DR:

1. Getting good at the boring parts of security
2. Finding the value in compliance and moving security beyond regulations
3. Getting past the immediate "no" from the security group itself

Here it is in more detail:

1. BoringSec: Getting good at the boring parts of security

Cybersecurity is an ever-changing field that looks flashy and fun.
From the outside, it looks like we spend our whole day thwarting attacks and hunting down bad guys. For some roles this is true, but most of the work is setting up fundamentals building blocks.

Most of the building blocks are... boring.

Most of the work in cybersecurity is not about hacking or bug bounties.

Most of the work is about the basics and getting really good at the blocking and tackling of detecting, responding, and remediating.

This "boring" work is actually what makes most of the cybersecurity work. It's not actually boring for most, it's just not as flashy as Twitter can make it out to be.

A company's "security hygiene" is the most significant challenge I have faced in my career. It is often a tedious part of ensuring a successful security program, but an area that can pay off dividends.

The "boring" parts of security in my experience include, but are not limited to:

• Knowing your network (It is the top CIS control for a reason)
• Endpoint agent health and saturation
• Using the functions and features you paid for smartly (this takes time and balance)
• Getting very good at patching (whether through patch deployment or rehydration)
• Updating base operating system (OS) images
• Making the tools run themselves

Have an inventory of authorized and unauthorized devices on your network. It is the top CIS control for a reason, and subsequently one of the most challenging things to do.

Solving this challenge takes time but is the easiest of the three in this post.

2. Finding the value in compliance and moving security beyond regulations

Compliance doesn't equal security!

Security practitioners have been saying this for decades, and it's true. Compliance is not the full picture of security.

Security practitioners say compliance frameworks are always behind and irrelevant to modern threats. This may be true in some cases, but not meeting those requirements can be downright negligent.

Even still, compliance can add value to your security program and to your business. In some industries, it's the price you pay to play.

Lean into the groups that external partners that hold your program accountable. Help them understand where the relevant risks are and what you're doing to knock those down.

Will you put in place controls that add little security value? Yes.

Will you be better off for doing it? Also yes.

Leaning into the value here means you can keep your stakeholders happy. It means you can create a more clear path to focus on creating even more value out of your security program.

3. The immediate "no."

The immediate answer of "no" from cybersecurity teams is one of the biggest challenges.

Change the mindset. Go from being a "No, you can't do this" organization to a "Yes, you can do this if you do these things too."

Shadow IT and circumventing security was born from the "no."

Create a better culture by proactively going out and talking to the rest of the company. Don't wait for people to find you, go find them.

Seek to understand. Seek to communicate risk and trade-offs. Have an opinion on a path forward, but know that the security team may not always have all the answers. Ask for help. Ask what's possible.

Learning should be happening all around. Work together to get to "yes."

Wrap Up

There is no magic bullet to solve these problems. Each company has a different culture and set of challenges, but getting everyone on the same page is key. It lets your security program and company move on to the more strategic (and fun!) parts of security.