Happy Festivus! It’s the holiday for the rest of us.
If you’re not familiar, Festivus is the holiday celebrated by the Costanza family from the NBC sitcom “Seinfeld.” This non-commercial, secular holiday is celebrated on December 23rd and includes a dinner with a vaguely meatloaf-shaped main course, an aluminum Festivus pole (without tinsel!), Feats of Strength, and the Airing of Grievances.
For this blog, we’ll be participating in the Airing of Grievances, with cybersecurity being our focus. We asked our employees, “What the heck are people always getting wrong when it comes to cybersecurity?” and a group of GreyCastle Knights has come together to share their pet peeves and air their grievances related to cybersecurity programs.
To paraphrase Frank Costanza, “Welcome, newcomers. The tradition of Festivus begins with the airing of grievances. I got a lot of problems with [weak cybersecurity programs]! And now you’re gonna hear about it!” So, get your Festivus pole ready – here are five GreyCastle Knights and their cybersecurity grievances of 2018:
All employees and business units have cybersecurity responsibilities. It doesn’t fall to any one department to “do” or “run” cybersecurity. It falls to the business. While good practices can be implemented department-by-department, you simply cannot have visibility, direction, and buy-in unless there is a strategic function at the top. You also cannot effectively mitigate risk, because you just don’t know what is and isn’t being done.
Compliance vs Security. I often ask prospects and clients: Do you want to be compliant or do you want to be secure?
Because you can be one or the other, or both. Of course, both makes the most sense financially and as a fiduciary. This needs to be a conscious decision, and if you don’t understand that you have a choice, then it isn’t very likely that you’ll be either.
My grievance is that many organizations do not understand why cybersecurity programs should be based on actual risk. Cybersecurity programs tend to be scattershot and lack coherency when actual risk is not the underlying driver.
For example, a company can spend a huge chunk of their cybersecurity budget getting the latest firewall, when in fact their greatest risk is people losing laptops with personal information on them. We’d all like comprehensive cybersecurity programs, but the reality is that budgets and time are limited. Organizations need to pick and choose where to focus their cybersecurity efforts, and actual risk will guide them to the best use of limited resources.
I find it to be ridiculous when higher-up members of companies demand admin rights/passwords to accounts they don’t administer. I have had to deal with ransomware infections in environments due to many people’s bosses wanting to have admin rights on their accounts because they find it inconvenient when they have to ask IT for assistance in installing programs.
PEN TESTS! Everyone wants or needs a Pen Test immediately, but they can’t even articulate why they need a Pen Test.
Did you complete a Risk Assessment that indicated you needed to Pen Test? Is your technical security mature to a point where you’re ready to challenge it? Is this a compliance requirement? Or (like so many others) did you just decide that, with your ever-limited cybersecurity budget, you MUST get a Pen Test to prove that, yes, you can be hacked!?
Organizations that believe they are safe from getting hacked because they believe they are either “too big/secure/have tons of resources” or, on the flip side, “too small/have nothing worth stealing.”
Organizations who don’t have someone at the C-level or on the board who understands cybersecurity as it pertains to BOTH business and technology. Cybersecurity needs a strong voice.
Companies like Google/Facebook who can afford to pay the fines dished out by regulators and continue to find ways to exploit privacy.
Compliance DOES NOT equal security.
Do you have your own cybersecurity grievances you’d like to air? Join the #Festivus conversation by following @GreyCastleSec on Twitter and tweeting us your cybersecurity-related grievance!