Once again, basketball season is upon us.
With it comes the sound of shoes squeaking, balls bouncing, nets swishing, and rims rattling beneath the force of ferocious dunks.
Well… maybe not the dunks, since I’m actually talking about my third-grade daughter’s team, of which I am the coach.
This year, the girls are behind where I would normally expect. Thanks to COVID, they have been away from organized basketball for almost two years – a near eternity in the life of an 8-year-old.
Add to that the fact that third grade is when the hoop is raised from eight feet to ten, and it’s no wonder they get out on the court and can’t do much of anything that looks like basketball.
They walk with the ball instead of dribbling. They watch it as it comes off the backboard instead of rebounding. They hand the ball to each other instead of passing, a hard-to-break habit that drives our assistant coach crazy (Hey Greg!).
Where do you start when you don’t have any of the fundamentals in place?
I live by two principles:
#1. Anything is better than nothing. When your skills are near zero, any movement in a positive direction represents progress. So I try not to overthink it; I just get them involved in doing “basketball things.”
#2. Every team is different. Each year brings with it a different mix of players. Among my 10, there is a tremendous range of size, stamina, coordination, and even interest in the game itself. As coach, I try to figure out where our weaknesses are and plug the holes as needed.
Guess what? The same rules apply with cybersecurity!
Where Should You Begin a Cybersecurity Program?
Recently, we have begun working with a number of clients who have very immature cybersecurity programs. In this regard, and like my basketball team, they are near zero.
The good news is that there is plenty of room for improvement; doing anything of a cybersecurity nature will likely reduce risk. The bad news is that with so many options, it can be hard to decide where to start. Do you focus on protecting against ransomware, intellectual property loss, data compromise, product failure due to cyberattack, or losses caused by former employees?
The list of potential threats goes on and on. And while it’s possible to tackle everything at once, the reality is that most companies can only manage two or three things in parallel given limited time and resources.
For companies seeking cyber insurance (recommended), insurers are going to insist on certain things, such as Multi-Factor Authentication (MFA) for email and privileged access, and endpoint protection (anti-virus) on all laptops.
Those might be good places to start, as insurers certainly know where the threats are. But keep in mind that the insurers set standards based on what’s happening in the world generally. Like coaching a basketball team, you need to make decisions based on your particular situation.
Every Company is Different
For example, if you are a bank, protecting against wire transfer fraud probably matters a whole lot more than intellectual property security. But, if yours is an engineering firm, guarding against intellectual property theft may be #1 on your list.
For a more granular illustration, consider that our Microsoft 365 customers typically get a lot of spam and phishing emails under the default Microsoft licensing. So, we encourage them to get an additional email security solution. Similarly sized clients using Google Workspace, however, don’t need this added protection, since Google does a fine job in this regard.
The point is, in all situations, it’s the specifics that should drive action. That’s why we use a prioritization methodology that takes into account our clients’ asset values and environment, attacker trends, and likelihood of compromise, in order to arrive at a “best” approach.
There are no one-size-fits-all solutions in cybersecurity. You need to uncover what matters most to you when putting controls in place and do so in the order that fits your circumstances.
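As an added illustration of the kind of prioritization described above (example code written for this post, not the firm’s own methodology), here is a toy scoring model in Python. It assumes a constructed set of assets with a business value, threats with a per-asset likelihood of compromise and an attacker-trend multiplier, and candidate controls with an assumed effectiveness and cost; every number is made up. The same threats and controls are scored against two constructed company profiles, a bank and an engineering firm, to show how the ranking changes with asset values alone.

```python
"""Risk-based prioritization of candidate security controls (illustrative)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # 1 (low) .. 5 (critical) business value; constructed scale


@dataclass(frozen=True)
class Threat:
    name: str
    trend: float  # attacker-trend multiplier, >1 if rising in the wild (assumed)
    likelihood: dict[str, float] = field(default_factory=dict)  # asset -> 0..1


@dataclass(frozen=True)
class Control:
    name: str
    cost: float  # relative effort to deploy, 1 = cheap (assumed)
    reduces: dict[str, float] = field(default_factory=dict)  # threat -> fraction of risk removed


def risk_score(asset: Asset, threat: Threat) -> float:
    """Risk of one threat against one asset = value x likelihood x attacker trend."""
    return asset.value * threat.likelihood.get(asset.name, 0.0) * threat.trend


def total_risk(assets: list[Asset], threats: list[Threat]) -> float:
    """Sum of risk over every asset/threat pair for a company profile."""
    return sum(risk_score(a, t) for a in assets for t in threats)


def risk_reduction(control: Control, assets: list[Asset], threats: list[Threat]) -> float:
    """Risk removed by a single control, given what it mitigates and by how much."""
    return sum(
        risk_score(a, t) * control.reduces.get(t.name, 0.0)
        for a in assets
        for t in threats
    )


def rank_controls(controls: list[Control], assets: list[Asset], threats: list[Threat]) -> list[tuple[str, float]]:
    """Rank controls by risk removed per unit of cost, highest first."""
    scored = [(c.name, risk_reduction(c, assets, threats) / c.cost) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def priority_order(assets: list[Asset]) -> list[str]:
    """Convenience wrapper: just the control names in priority order for a profile."""
    return [name for name, _ in rank_controls(CONTROLS, assets, THREATS)]


# Constructed threat catalogue; likelihood is keyed by asset name.
THREATS = [
    Threat("phishing", trend=1.5, likelihood={"email": 0.6, "payments": 0.3}),
    Threat("wire_fraud", trend=1.2, likelihood={"payments": 0.5}),
    Threat("ip_theft", trend=1.2, likelihood={"designs": 0.6}),
    Threat("ransomware", trend=1.4, likelihood={"email": 0.2, "payments": 0.2, "designs": 0.2}),
]

# Constructed candidate controls with assumed effectiveness and relative cost.
CONTROLS = [
    Control("mfa", cost=1.0, reduces={"phishing": 0.7, "wire_fraud": 0.3, "ransomware": 0.3}),
    Control("payment_callback_verification", cost=1.5, reduces={"wire_fraud": 0.8}),
    Control("design_repo_dlp_and_access_review", cost=2.0, reduces={"ip_theft": 0.7}),
    Control("endpoint_protection", cost=2.0, reduces={"ransomware": 0.6, "phishing": 0.2}),
]

# Two constructed company profiles sharing the same asset names but different values.
BANK_ASSETS = [Asset("payments", 5), Asset("email", 3), Asset("designs", 1)]
ENGINEERING_ASSETS = [Asset("payments", 2), Asset("email", 3), Asset("designs", 5)]


if __name__ == "__main__":
    for label, assets in (("bank", BANK_ASSETS), ("engineering firm", ENGINEERING_ASSETS)):
        print(f"{label}: total risk {total_risk(assets, THREATS):.2f}")
        for name, score in rank_controls(CONTROLS, assets, THREATS):
            print(f"  {score:5.2f}  {name}")
```

With these made-up inputs MFA tops both lists, which lines up with insurers insisting on it, but the second priority differs: out-of-band verification of wire transfers for the bank, data-loss prevention and access review on the design repository for the engineering firm. The model is deliberately crude; its value is in forcing the asset values, likelihoods and control effectiveness to be written down and argued over, not in the decimals it produces.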
But then again, if you are at square one, it is better to start somewhere, rather than continually spinning your wheels trying to come up with the perfect plan.
To paraphrase famed military leader and (I’d like to think) excellent third-grade basketball coach, General George S. Patton, “A good plan well-executed now is better than a perfect plan executed at some indefinite time in the future.”