Where should organizations start when it comes to cybersecurity foundations? Our Director of Cybersecurity and Forbes Technology Council member, Mike Lefebvre, shares his thoughts.
Forbes: Back to basics: the hierarchy of cybersecurity needs
In the 1940s, American psychologist Abraham Maslow proposed a hierarchy of human needs typically depicted as a pyramid where basic human needs (e.g., food, shelter, water) must be consistently met before higher-level needs (e.g., self-esteem, belonging, self-actualization) are attainable. For instance, Maslow suggests that someone wouldn't seek to boost self-esteem from peers if they had an immediate need to find a place to sleep that night.
Similar "pyramid-of-needs" models have carried over into the business and technology space, and information security is no different. Organizations must get the foundational elements of cybersecurity consistently right before moving up the pyramid.
Unfortunately, in an effort to "solve" cybersecurity, many organizations focus their resources on the upper levels of the pyramid without adequately meeting the foundational elements of the cybersecurity hierarchy.
This raises an important question: Why are organizations chasing next-gen solutions if their basic cybersecurity needs are not being met?
Every firm needs a solid cybersecurity foundation to effectively protect itself from cyber risks. To truly advance an organization's defensive posture, leaders should consider taking a step back to evaluate if they are regularly fulfilling the basics of cyber hygiene.
This article highlights the two fundamental cybersecurity elements that organizations need to get right before chasing advanced maturity: asset management and log management. These are two of the most basic technical cyber needs, yet they are often overlooked or minimized.
Just as humans need to fulfill their basic needs, organizations have to tackle these two primary needs to ensure they have a strong and proper foundation. Here are some critical questions, along with context and technical considerations, to help you answer the fundamental question: Are our basic cyber needs being met?
1. Asset management. Which digital assets are powering your business? Which digital assets even exist in your business? Consider servers, endpoints, clouds, printers, applications, third-party vendors, IoT devices, identities and anything-as-a-service. Can these assets be comprehensively identified and tracked in real time? No, the asset spreadsheet developed for last year's audit does not count.
To put it plainly, if it has an IP address and/or your data, you need to know what it is. These assets are transient, diverse and unevenly secure. Even within a digital asset category, there will be variability in the codebase. For instance, how many versions of a particular plugin can exist on a web browser on a user's laptop across an entire enterprise? Just because this is the basic foundation of the hierarchy does not diminish the challenge.
2. Log management. Contrary to what Hollywood may lead you to believe, logs are the only way we're provided with visibility into what's happening in the digital world. They're not sexy, but logs need to be considered and treated as a sort of "digital holy grail." Nearly every digital action generates a log. The simple act of reading this article has likely generated dozens of logs across your endpoint, the network that passed it to you and the servers that are hosting the article. These logs are paramount for organizations to attempt to make any sense of what's happening in their digital environment.
If it's one of your assets, you need to see what's happening on it. Ask yourself: Are we even capturing logs? Which logs are we missing? Is it because we're not capturing them, or are the logs not verbose enough to provide value? Logs need to be uniformly captured, centralized, normalized and retained. Consider the diversity of devices and applications that generate logs, log configurations, storage costs, data deduplication and time synchronization (time zones and daylight saving time changes can pose challenges).
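The questions above (which assets send no logs, and which logs cannot be normalized because their timestamps carry no time zone) can be checked mechanically. The sketch below is an added example, not part of the original article; the host names, log lines and the 24-hour staleness threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed asset inventory (hypothetical host names).
ASSETS = {"web-01", "db-01", "printer-3f", "hr-laptop-17"}

# Constructed log records: (source, raw timestamp as the device wrote it).
RAW_LOGS = [
    ("web-01", "2024-11-03T06:15:00+00:00"),        # ISO 8601 with UTC offset
    ("db-01", "2024-11-03 01:30:00"),               # local time, no offset
    ("db-01", "2024-11-03 01:10:00"),               # runs "backwards" at DST fall-back
    ("hr-laptop-17", "2024-10-20T09:00:00-04:00"),  # offset present, but old
    ("rogue-ap", "2024-11-03T05:00:00+00:00"),      # source missing from inventory
]

def to_utc(raw):
    """Normalize to UTC; return None when the timestamp has no offset,
    because a local time cannot be placed on a shared timeline reliably."""
    dt = datetime.fromisoformat(raw)
    return dt.astimezone(timezone.utc) if dt.tzinfo else None

def coverage_report(assets, raw_logs, now, max_age):
    """Compare the asset inventory with what actually arrives in the log store."""
    last_seen, no_offset = {}, set()
    for source, raw in raw_logs:
        dt = to_utc(raw)
        if dt is None:
            no_offset.add(source)
        elif source not in last_seen or dt > last_seen[source]:
            last_seen[source] = dt
    return {
        # Known assets from which no log has ever been received.
        "silent": sorted(assets - last_seen.keys() - no_offset),
        # Known assets whose newest normalized log is older than max_age.
        "stale": sorted(a for a in assets
                        if a in last_seen and now - last_seen[a] > max_age),
        # Sources whose timestamps need a time-zone fix before correlation.
        "no_offset": sorted(no_offset),
        # Log sources that asset management does not know about.
        "unknown_source": sorted({s for s, _ in raw_logs} - assets),
    }

if __name__ == "__main__":
    now = datetime(2024, 11, 3, 7, 0, tzinfo=timezone.utc)
    for finding, hosts in coverage_report(ASSETS, RAW_LOGS, now,
                                          timedelta(hours=24)).items():
        print(f"{finding}: {hosts}")
```

The `unknown_source` finding is the asset-management gap seen from the logging side: something is generating logs that the inventory does not list.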
Asset management and log management strictly provide the baseline of technical fitness needed to truly power a cyber defense program. Of course, these two foundational considerations are just that: the bedrock of the cybersecurity ecosystem that then extends into governance, policies, compliance and regulatory requirements. However, if these needs are not being met, the higher levels built upon them rest on a precarious footing.
As Maslow proposed that humans cannot thrive until core needs are regularly met, the same goes for cyber defense. In trying to grow our collective cybersecurity posture, we as tech professionals and business leaders sometimes just need to get back to basics.
This article first appeared in Forbes.