When we talk about cyber threats, we frequently assume that the threat is external to our organization. In reality, many of our cyber threats, or better put, the causes of our cyber threats, are rooted inside our organization. Understanding cyber threat will help all of our organizations be a little more secure.
I always rest easier in the evening knowing that my home is secure. I lock the doors, lock the windows and set the alarm. I have a mental checklist where I check off the tasks that keep my home secure. In the cybersecurity world, locking the doors, locking the windows and setting the alarm may represent cyber controls or standards. My mental checklist represents a cybersecurity policy or baseline or, within the US federal government, an ATO. Every night my security standards are validated and applied.
What is often referred to in the media as the cybersecurity gap is the lack of accountability between our security controls and policies and real-time threats. Let's review three areas to understand the cyber threat to our environments.
1) System versus components. Security of the environment is based upon the system, which is a collection of components. For example, if your organization requires PII compliance, you will need to implement approximately 60 cyber controls to become PII compliant. The controls, or more importantly, the implementation of the controls, extend to hardware, software, process and human capital. To truly understand the security "health" of your environment, you must understand the security health of all of the components, from the firewall to the server to the operating system and software, as they are collected into cybersecurity policy.
2) Compliance does not always equal security. Compliance activities are often focused on a specific task, like PCI or PII compliance, and that focus can sometimes dilute the priority of ensuring the entire system is secure.
3) Misplaced confidence. Too often a firewall is implemented, which is a wonderful first step, but it is then assumed that securing the firewall is enough. Unfortunately, the firewall is simply one component of your cybersecurity strategy. Trusting in a single component and declaring that your environment is secure is a lot like judging the performance of your vehicle by how well the windshield wipers work. Granted, the windshield wipers are important, but the performance of the vehicle depends on so much more.