
Auditing & Logging: So much data, so little time

Posted on May 28, 2025

A survey of cybersecurity professionals would likely produce a few different answers for #1 on their ranked list of fun things to do. It is very unlikely, though, that configuring, reviewing and actioning audit log findings would be #1 on anyone’s list. Configuring auditing and logging isn’t too bad, but actually reviewing the logs probably ranks as the #1 thing many don’t want to do. All of that said, auditing events and ensuring log reviews are completed are among the most critical elements in any good cybersecurity program. Why? There are a few important reasons.

Infographic: Insider Threat

Posted on May 22, 2025

Sometimes a picture is worth a thousand words, and sometimes there are 209 words in a picture. In the middle of that riddle lies a helpful infographic about the dangers of the insider threat. As always, feel free to use it as part of your cybersecurity awareness program.

GRC: The scarlet letters of cybersecurity

Posted on May 20, 2025

When someone asks what I do, I generally just say, “I work in cybersecurity.” What they envision I do invariably differs from what I actually do. In their minds, I must be managing a bank of monitors, filled with a multitude of active windows, and fighting off hackers. That is what some cybersecurity professionals do, but alas, that’s not my preferred area of focus. While I’ve filled almost every role at some point in my career, my current specialty is actually very cool, too. It’s called Governance, Risk and Compliance (GRC). I know. Even the title is exciting, right? While it may be something I enjoy, it’s definitely not every cybersecurity professional’s dream role.

ISO 27001: A framework for the rest of us

Posted on May 13, 2025

For cybersecurity professionals, there are a handful of common security frameworks (CSFs) that can be utilized to categorize risk, identify applicable controls, assess current compliance, and provide a roadmap to implement and sustain a healthy program. Commonly used frameworks include NIST, SOC2, HITRUST, and ISO 27001, just to name a few. For U.S. Federal agencies, the more rigid structure of NIST makes it the prescribed framework and a legal requirement via the Federal Information Security Modernization Act (FISMA). SOC2 isn’t legally required but is often the choice for service providers and vendors who process, store, and transmit sensitive customer data. HITRUST is the highly recommended choice for companies handling sensitive health information (PHI). That leaves us with ISO 27001 or, as I frame it (pun intended), the framework for the rest of us. Why? The answer lies ahead.

Awareness Training: Cybersecurity’s annual headache

Posted on May 10, 2025

Let’s be honest. When it comes to cybersecurity awareness training, users generally do one of two things: try to click through it as quickly as possible or avoid it altogether. As cybersecurity professionals, we know their awareness of the threats and commonly used tactics to infiltrate networks and exfiltrate data is a critical element in our program. Generally, though, the everyday user doesn’t appreciate the importance of their role. It might seem futile to convince them of the added value in being cyber-savvy, but it’s not. As with anything in life, knowledge is power.

Comparison and Contrast: NIST RMF vs NIST CSF

Posted on May 8, 2025

When it comes to cybersecurity frameworks, there are a handful to choose from. The choice of which one, and the granularity of its implementation, can be mandated or voluntary. This sums up the general subject of the two National Institute of Standards and Technology (NIST) flavors discussed herein: the NIST Risk Management Framework (RMF) vs. the NIST Cybersecurity Framework (CSF). Judging by the commonality of the acronym soup, there shouldn’t be much difference, right? The answer is no…but also yes.

Infographic: Evolution of cybersecurity

Posted on May 1, 2025

Too often, people don’t realize the importance of knowing the history and evolution of something. More specifically, many technology professionals don’t realize the rich history of cybersecurity and the leaps and bounds of its evolution during a relatively short period of time. Instead of boring you with a long, written piece, I created an infographic that depicts it clearly and concisely. If you like it, feel free to save and use it in your own cybersecurity awareness (aka marketing) tools.

Spearphishing 2025: It’s business as usual

Posted on April 24, 2025

This week, hundreds of thousands of spearphishing campaigns were launched. This week’s targets were anyone and everyone. Disseminated messages were configured with requests to visit links to malicious websites, provide Docusign signatures, and initiate bitcoin transfers for astronomically priced antivirus solutions. Summarily, it was business as usual.

Leadership: Recognizing the “malanglers”

Posted on April 17, 2025

I understand many things. Angles aren’t among them. When I say angles in the current context, I’m not referring to geometry where angles make sense and can be definitively measured and used to calculate finite outcomes. I’m talking about the angles some people seem intent upon identifying and leveraging to their personal or professional benefit. We could call them Anglers, but that would be insulting to fishing aficionados. For ease of understanding, I’ll add the Latin root “mal” (bad), and we’ll henceforth refer to them as “Malanglers”. (Yes, I just made up a word.)

Culture of Compliance: A cybersecurity unicorn

Posted on April 10, 2025

Just over a decade ago, I went through a particularly challenging cybersecurity audit. It was the first of a new iteration of ultra-comprehensive assessments that seem to look at every single policy, setting, and practice. While the organization “passed”, I was disappointed from my perspective as a cybersecurity program manager. I knew we as an organization were better than what the report said and illustrated. As part of my normal after-action review, I sought to delve deep and understand why we didn’t do better. We had the technology and the personnel. What was missing?

Welcome…

Welcome to the site where I share professional knowledge and promote a Cybersecurity Culture of Compliance. What is it? It is more than just an individual idea. It’s an organizational concept that transforms security from a checklist to be completed into a culture in which to thrive. Here, I share the concept and my professional thoughts with others. Thanks for coming!

On leadership…

My personal and professional philosophy is that a good leader stands in one of three places for the team:

1) Next to them when help is needed

2) Behind them when recognition comes

3) In front of them when things go wrong
