Teri Radichel


Manage your data like you manage your money

Track, measure and reconcile your data and data security


Sometimes you have to write a whole book to come to the point of what you were trying to say. At least that’s what happened to me. I started writing about the top causes of cybersecurity breaches. I wanted to explain why the breaches are occurring and how we can do a better job stopping them. I feel like more people can understand the basics of cybersecurity if someone would just explain it in a way they can understand. Armed with this knowledge, they can make better cybersecurity decisions. More importantly, they can invest in and build systems that drive down cyber risk.

Cybersecurity for Executives in the Age of Cloud

The book contains a wealth of information for those who want to understand cybersecurity at a fundamental level. How do the attacks occur? How does encryption work? When doesn’t it work? Do we need network security or not? Is MFA really that big of a deal? What is endpoint security? Should we hack back? What is a security researcher, and why do they seem like they are performing criminal activity? Why did CrowdStrike have that DNC server? And why was 2019 the worst year for data breaches on record? Everyone is moving to the cloud, and I thought the cloud was more secure!?

I take a look at all these questions and more in the book. But in the end, I had to go back to chapter one and add revisions and clarification. What was the point of all this anyway? The content I added has to do with aligning cybersecurity practices with the way companies operate financial systems and processes. Organizations want to know where all their money is going. They want to make sure they get everything owed to them and that no money is stolen or lost. They take many steps and build systems and processes to protect that money. These systems reconcile financial systems and look for anomalies — or in other words, fraudulent transactions and financial mistakes.

Many organizations don’t seem to have the same level of comprehensive measurement when it comes to cybersecurity. They don’t track where every piece of data lives or where it flows. They don’t implement the same level of monitoring for anomalies. Organizations don’t have the same type of stringent controls to prevent someone from stealing that data or making a mistake while managing it as they do for their money.

We measure many activities in cybersecurity, but we never reconcile the balance. That's because we are not tracking all the data, and especially not the gaps in controls that turn out to be the root cause of data breaches in some organizations. For example, you may be tracking all your systems in an inventory. Think about this for a minute: the systems themselves don't cause a data breach, and neither do all the things you did for compliance.

What causes the data breach? That's what we need to be tracking. The more things you have in your environment that can result in a security breach, the higher the risk. Measure the number of ways attackers can attack your systems or get to your data: a storage bucket exposed to the internet, an administrator account without MFA, a copy of a database that nobody recorded in the inventory. Don't measure the things you have already done or the viruses that got blocked. We need to know how many chances we are giving the attackers to break in.

The other key point is to ditch manual processes whenever possible: track risk metrics and activities in the most automated way you can. Use the systems and processes you already have that can produce the required data, then improve on them over time. If we build better systems to measure security controls and gaps, we can better understand where the risk lies and take steps to reduce it.

Where do my thoughts originate? My background is largely in architecting and building financial systems. In my previous company, Radical Software, I built e-commerce systems for businesses. I learned early on the importance of ensuring every single transaction was correct — the items on an order had to match the total — and all sales needed to add up correctly in the system.

Then I went on to work on large-scale tax and financial systems. I re-architected and helped a team deliver a new sales tax system when an old one was off by about $300,000 per month! I was annoyed when our new system was off by about $20 after the initial release. We fixed it. I’ve always been interested in nerdy business problems like reconciling funds in bank accounts and making sure all the money and records got to the right place. You can do the same thing with your data.

I mentioned the concept of security metrics in relation to the financial health of a business in a blog post which became the outline for the book — 20 questions executives should ask their security teams. Executives should read cybersecurity reports the same way they read financial reports. Financial reports are complicated. Shouldn’t they also be able to read basic security reports? But what should be on those reports? That is where everything comes full circle.

I dive more into tracking data and access to data in the chapters on data protection and identity and access management. I also provide more suggestions on how to track risk in one of the new chapters I added to the book on metrics and reporting. Use the 20 questions I propose to create reports to track the gaps. Your security team may have other suggestions for what goes into those reports. However, the point is to start tracking — and track the right things in the right way.

Your data is part of what drives the value of your business. Treat your data like your money. Track the location of all your data. Just as you search for fraud in your monetary systems, search for anomalies and risk in your systems and processes that manage your data. Track your security controls — those that are in place and those that do not exist or contain misconfigurations. What’s missing or ineffective increases the avenues you have given the attackers to access your data. That’s your risk score. Try to reduce it.
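As an added illustration of the reconciliation and gap-counting idea described above and in the earlier paragraphs on measuring avenues of attack (example code written for this page, not the book's or 2nd Sight Lab's own tooling): the script below treats a data register as the ledger of where data is supposed to live, matches it against a constructed export of per-resource control findings of the kind a posture scanner produces, flags the unreconciled entries on both sides, and turns each missing control into one unit of risk weighted by data sensitivity. The weights, the control names, the classification-dependent requirements and both inventories are assumptions chosen for the example.

```python
"""Reconcile a data register against security-control findings and turn the
control gaps into a single risk number.  Added example; it is not code from
the original post, and the inventories below are constructed."""

# Weight per data classification (assumed values; tune to your own risk appetite).
SENSITIVITY = {"public": 1, "internal": 2, "pii": 5, "financial": 5}
UNKNOWN_WEIGHT = max(SENSITIVITY.values())  # unclassified data gets the worst case

# Controls that must hold for a store of a given classification.  Each control
# that is missing is one more avenue to the data, so each counts as one unit of gap.
ALL_CONTROLS = ("encrypted_at_rest", "no_public_access", "access_logging", "mfa_for_admins")
REQUIRED = {
    "public": ("access_logging", "mfa_for_admins"),  # public data is allowed to be readable
}


def required_controls(classification):
    """Controls expected for a classification; anything unknown gets the full set."""
    return REQUIRED.get(classification, ALL_CONTROLS)


# Constructed data register: where the business says its data lives.
DATA_REGISTER = {
    "customer-db": "pii",
    "payments-bucket": "financial",
    "marketing-site": "public",
    "hr-archive": "pii",
}

# Constructed control export: per-resource findings for what actually exists.
CONTROL_EXPORT = {
    "customer-db": {"encrypted_at_rest": True, "no_public_access": True, "access_logging": True, "mfa_for_admins": False},
    "payments-bucket": {"encrypted_at_rest": True, "no_public_access": False, "access_logging": False, "mfa_for_admins": True},
    "marketing-site": {"encrypted_at_rest": False, "no_public_access": False, "access_logging": True, "mfa_for_admins": True},
    "dev-snapshot-2019": {"encrypted_at_rest": False, "no_public_access": True, "access_logging": False, "mfa_for_admins": False},
}


def reconcile(register, export):
    """Match the two ledgers.  Stores in the register but not in the export are
    data we claim to own but are not measuring; stores in the export but not in
    the register are data we did not know we had.  Both are unreconciled."""
    unmonitored = sorted(set(register) - set(export))
    unregistered = sorted(set(export) - set(register))
    return unmonitored, unregistered


def control_gaps(classification, controls):
    """Return the required controls that are absent or failing for one store."""
    return [c for c in required_controls(classification) if not controls.get(c, False)]


def risk_report(register, export):
    """Score every store as (number of missing controls) x (sensitivity weight).
    Unmonitored stores count every required control as missing and unregistered
    stores get the unknown-data weight, so an unreconciled item can never lower
    the score; it can only raise it until someone reconciles it."""
    unmonitored, unregistered = reconcile(register, export)
    per_store = {}
    for store_id in sorted(set(register) | set(export)):
        classification = register.get(store_id)  # None when the store is unregistered
        weight = SENSITIVITY[classification] if classification else UNKNOWN_WEIGHT
        if store_id in unmonitored:
            missing = list(required_controls(classification))
        else:
            missing = control_gaps(classification, export[store_id])
        per_store[store_id] = {
            "classification": classification or "unknown",
            "missing": missing,
            "score": len(missing) * weight,
        }
    return {
        "total": sum(s["score"] for s in per_store.values()),
        "per_store": per_store,
        "unmonitored": unmonitored,
        "unregistered": unregistered,
    }


if __name__ == "__main__":
    report = risk_report(DATA_REGISTER, CONTROL_EXPORT)
    for store_id, s in report["per_store"].items():
        print(f"{store_id:20} {s['classification']:10} gaps={len(s['missing'])} score={s['score']}")
    print("unmonitored:", report["unmonitored"], " unregistered:", report["unregistered"])
    print("total risk score:", report["total"])
```

The two lists returned by reconcile are the equivalent of unreconciled transactions: a registered store nobody is scanning and a snapshot nobody registered both show up as items that need an owner before the number can go down. In practice the register would come from your data-classification system and the export from whatever already scans your environment, which is the point of building the metric on systems you already have and improving them over time.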


Teri Radichel | © 2nd Sight Lab 2020

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab