“Best Practice” Should be a Process NOT a Catch-phrase
The Four Key Components
Best Practice has been a long held position by many communities to include program management and cybersecurity as the ultimate solution to solving problems within their respective fields. If we only follow them, the state of cybersecurity, in particular, might be much better off. The history unfortunately continues to be an almost continual recognition that it is not contributing to a safer cybersecurity environment.
Remember the massive data exfiltration by hackers of the Office of Personnel Management (OPM)? Even then, we knew the best practice of applying Two-Factor Authentication (2FA) would stop, or at least stall, the major nation-state actors such as China (“The Great Ba”–an upcoming article), Russia, and Iran. OPM did nothing until one of the worst hacks within the US federal government finally occurred. How could we possibly rest our hopes on best practices to be that penultimate solution?
Best practice is a great heuristic simplification of a solution. However, what happens when leaders decide to “risk manage” even the best of best practices away. Until there are decisive repercussions to the the president’s of companies or secretaries of major federal office, we will continue to read the almost daily hacks into our public and private sector agencies.
There are four key elements that need to be applied in order to continue to rely upon and succeed. There is still a significant place for the application of best practices in the field of cybersecurity.
The four elements are:
1. Enumerate Them
If you can’t name them, how can you apply them? Good examples such as applying encryption for both Data at Rest (DAR) and Data in Motion (DIM) is but one example. Until you can name the solution, how can we be expected to face them in either the physical or virtual world?
2. Understand Secondary Effects
And, understand tertiary effects as well.
Applying greater security tools and mechanisms in place will likely affect performance. How does a company or agency respond? Is their planned upgrades of processors and memory that will diminish the effects. This is certainly part of any risk management struggle between the plight of operations versus security. How can we make them complementary versus conflicting? Some of this can be solved by people, processes, or technologies. They should never be competing, but many organizations take an either-or mentality vice how to create a better symbiosis between both.
Operations and Security must be complementary vice competing
A most difficult modern mindset
3. Enforce their Application
This translates to truly holding those accountable versus the Information Technology (IT) staff. Until senior leaders lose their jobs, the hacks will certainly continue. Accountability should always rest with senior leadership. Too often the Chief Information Officer (CIO) or Chief Information Security Officer (CISO) is the scapegoat. The only way for cybersecurity to improve is to raise the implications and impacts to corporate officers and senior government leaders.
Department of Justice (DOJ) is nearing a clear ability and desire to recommend both criminal and civil charges against corporations and contractors who fail to meet their cybersecurity security protection requirements. Especially contractors, based upon a ratified contract with the federal government, need to understand within the next year, the DOJ will begin prosecutions of violations of cyber FAR/DFARS clauses.
4. Continuous Monitoring
For a best practice to be effective it is not a once-and-forget effort. All too often contractors continue to imperil us. They “hang a shingle” stating they are “cybersecurity experts,” but repeatedly it is their systems and the public’s data placed at-risk. Ask yourself, is this a trusim or a marketing ploy by the major contractors with large contracts with, for example, the federal government.
They place us all is peril. Continuous Monitoring is critical to protecting IT networks and environments. Mechanisms, both manual and automated, will be required to ensure security.
Furthermore, best practices are not set. What happens when Three Factor Authentication becomes the next best practice? Will we as a community be flexible or responsive enough to stay ahead of the threats using the next generation of best practice approaches?
Best practices are a great rule of thumb. However, until we seriously manage them as intended, we will continue to stumble. We need to keep focused on continual improvement, and having a better understanding of how to create them is but one point of the challenge in cyberspace.
Dr. Russo is currently the Senior Data Scientist with Cybersenetinel AI in Washington, DC. He is a former Senior Information Security Engineer within the Department of Defense’s (DOD) F-35 Joint Strike Fighter program. He has an extensive background in cybersecurity and is an expert in the Risk Management Framework (RMF) and DOD Instruction 8510, which implement RMF throughout the DOD and the federal government. He holds a Certified Information Systems Security Professional (CISSP) certification and a CISSP in information security architecture (ISSAP). He has a 2017 Chief Information Security Officer (CISO) certification from the National Defense University, Washington, DC. Dr. Russo retired from the US Army Reserves in 2012 as a Senior Intelligence Officer.
