This is a good point:
Part of the problem is that we are constantly handed lists…list of required controls…list of things we are being asked to fix or improve…lists of new projects…lists of threats, and so on, that are not ranked for risks. For example, we are often given a cybersecurity guideline (e.g., PCI-DSS, HIPAA, SOX, NIST, etc.) with hundreds of recommendations. They are all great recommendations, which if followed, will reduce risk in your environment.
What they do not tell you is which of the recommended things will have the most impact on best reducing risk in your environment. They do not tell you that one, two or three of these things…among the hundreds that have been given to you, will reduce more risk than all the others.
[…]
The solution?
Here is one big one: Do not use or rely on un-risk-ranked lists. Require any list of controls, threats, defenses, solutions to be risk-ranked according to how much actual risk they will reduce in the current environment if implemented.
[…]
This specific CISA document has at least 21 main recommendations, many of which lead to two or more other more specific recommendations. Overall, it has several dozen recommendations, each of which individually will likely take weeks to months to fulfill in any environment if not already accomplished. Any person following this document is…rightly…going to be expected to evaluate and implement all those recommendations. And doing so will absolutely reduce risk.
The catch is: There are two recommendations that WILL DO MORE THAN ALL THE REST ADDED TOGETHER TO REDUCE CYBERSECURITY RISK most efficiently: patching and using multifactor authentication (MFA). Patching is listed third. MFA is listed eighth. And there is nothing to indicate their ability to significantly reduce cybersecurity risk as compared to the other recommendations. Two of these things are not like the other, but how is anyone reading the document supposed to know that patching and using MFA really matter more than all the rest?
More Stories
Google Is Allowing Device Fingerprinting
Lukasz Olejnik writes about device fingerprinting, and why Google’s policy change to allow it in 2025 is a major privacy...
Global Campaign Targets PlugX Malware with Innovative Portal
Sekoia’s innovative PlugX malware disinfection campaign removed active threats across ten countries Read More
New DoubleClickjacking Attack Bypasses Protections
DoubleClickjacking bypasses X-Frame-Options and SameSite cookies in double-click sequences, exposing UI authentication flaws Read More
Fireside chat with Graham Cluley about risks of AI adoption in 2025
Join me, and the experts from Rubrik, on Weds January 15 2025, where we’ll be having a fireside chat with...
HIPAA Rules Update Proposed to Combat Healthcare Data Breaches
The US government has set out proposals to increase security obligations on healthcare providers to protect patient data amid surging...
Hackers Leak Rhode Island Citizens’ Data on Dark Web
The State of Rhode Island has confirmed that cybercriminals have begun publishing data stolen from its social services portal, the...