Let’s be honest. The single best thing you can do for security of all things ‘cyber’ is patch your vulnerabilities. Patch and use complex passwords. Wait, let me start over.
The two best things you can do for your cybersecurity of all things is to patch immediately, use complex passwords, and get a penetration test. And a few other things.
Okay, since we’re being honest with each other, let’s just skip the niceness and admit that the truth is that there is no one best way. So, here’s all the best ways:
Okay, for me to start this article about being honest, I have to admit I’m really being pretty careless with the truth. You see, I’m from New York, and as such we grow up knowing that honesty and truth are really subjective things. Like when I started out to say what the best things you could do for cybersecurity were I truly meant it, but probably not the way you think it means.
You see, you thought I really meant it as in, “that’s how you get protected.” But I really meant it like I would say, “that’s really great that you rescued that raccoon.” Which means that because of the society we live in and people quick to record video of everything on their phones to post online, that the best thing you could have done when coming across a raccoon trapped in a garbage bin is to help it out. It’s also great for helping rabies, leptospirosis, and all those other diseases that hitch a ride on raccoons to get around town and meet other animals. But it’s not really the best thing for your safety or you - you know, overall.
In reality, when I said those are the best things you can do for cybersecurity, it’s because your infrastructure exists not just as a technical thing to be protected, but as an economic-socio-political thing to be exploited, ruled over, hoarded, expanded, invaded, integrated, and profited from. So, in that case, those are the best things because they assure you’re doing your part to make the money flow and vilify those who don’t.
So, in conclusion, follow these points to fit to the currently accepted model of cybersecurity protection, and then in your free time you won’t have do what’s actually required to be protected.
So that’s it. Lesson learned. We’re done here. You are now a grandmaster cybersecurity professional! Here’s your hearty handshake of congratulations.
For those of you who didn’t leave, what is it you’re sticking around for? You want me to explain why that above list is not the panacea of cybersecurity? Or do you want me to tell you if not those things, then what is? Let me then tell you something I tell my wife when she asks me where I acquired the coyote scent that I spray in the fridge to keep the raccoons out: “Does it really matter?”
I think if cybersecurity had one slogan or one battle cry, it would be “Everything matters!” - because it does. It might not matter to you, but it matters to someone. So yes, everything, all the time. And that’s important because it also means the job of securing what matters is subjective, confusing, and time consuming. Everything matters.
It matters if you use a signature-based antivirus or one based on artificial intelligence (AI). It might not matter to you, but it might matter to the researchers who test them and really care to provide something better, the politicians who take money for requiring a particular type in a regulation, the people in your social network who are sick of getting viruses from you, the security professionals who write risk strategy documents whose opinion may differ from the security operations people who have to install the product, as well as the people who have to clean up infected systems. The mattering goes far and wide over channels that are social, economic, political, and technical. It all matters to someone.
The list I began with was taken straight from a few of the best practice and compliance documents I pulled up. Those were the things they all had in common. And none of them will actually give you more protection in a real way.
That’s probably upsetting to some of you, and I care, I really do - since I know those lists matter to some people. Some people have staked their whole careers on that list, and I don’t want to make them sad or hurt or angry. Because I care. So, I’m going to say this as gently as possible:
Those lists exist so that people do something about their security. It’s the lowest bar that could have been set to make sure something gets done. I don’t know the intention of whoever first had the idea that doing something was better than nothing, especially when doing something that essentially does nothing is a waste of resources. But here it is. It exists now, and people use it like it matters. And it does to many, and none of them are cybercriminals.
“Dang, if only they hadn’t patched those vulnerabilities when the patch came out! Now we have no way to breach them again!” said no criminal ever…
“Darn, if only they used HTTP instead of HTTPS we’d be able to steal their password!” said no criminal ever…
“Damn, our phishing attacks won’t work against that company because they’ve all had security awareness training!” said no criminal ever…
The honest truth is that those lists exist as the lowest bar of effort to make security matter to those who don’t care. As a security practitioner, your job is not to set up the lowest bar but to use it to reach higher. That requires effort. And it’s hard and takes time and can be confusing. But it should matter to you. You should be trying to make it matter to others. And I mean that. Everything matters.