When I was growing up, my father enrolled me in martial arts at an early age. I liked everything about it. I liked the friends I made, I liked the sense of achievement of getting the next belt, I liked breaking boards, but more than anything, I liked to fight. Furthermore, I liked to win.
At the first school I enrolled in, it wasn’t long until I was promoted to yellow belt. It was your typical “pay to play” karate school. The instruction was terrible. I learned to jump kick before I knew how to kick on the ground. Not only was this bad form, it was dangerous. Also, and perhaps the most important thing, I lost every tournament!
We moved to a new town, and I enrolled in a new school of instruction. This instructor was serious! He was a Marine first and a professional boxer next, and he still competed in Mixed Martial Arts tournaments himself! I wish you could have been a fly on the wall when I walked into his class and thought I was fancy with jump kicking in class. I couldn’t even stand on one leg and hold my balance much less jump kick!
Out of habit, I continued to jump when I kicked. He pulled me to the side and told me, “Every time you jump, you owe me 10 pushups!” It broke the habit very quickly because I hated doing push-ups.
Fast forward a few months, and I started back at square one: mastering the basics. He drilled into me to master the basics of proper form. He drilled into me the idea that it doesn’t matter where you come from or what you’re doing; if you master the basics, you will succeed.
I went on to win National Championships in sparring and traveled the country competing in martial arts tournaments using nothing but what I learned as a white belt, even though I had earned advanced-level belts. Every single day, I practiced good form with the simplest kicks and punches until my technique was better than my opponents’.
This applies to cyber security in what I call a three-step campaign to master the basics.
Step 1: Asset Management
The concept is simple, but the practice is difficult. With enterprises constantly growing, shrinking or acquiring other companies, knowing your inventory of assets is extremely difficult. Time, money and resources need to be allocated to asset management first. How in the world are you going to secure what you don’t know you have? All it takes is one unknown host for an attacker to get a foothold in the domain.
Step 2: Patch Management
Mastering the basics means getting into a good routine. A company culture should exist that allows scheduled patching to happen during hours with minimal impact to the business. Most companies that I have worked for have decent IT-centered programs for scheduled patching. The trouble comes when a new exploit is released or a vulnerability is announced in the interim, between scheduled cycles.
All too often, teams are scrambling to find the resources they need to patch this efficiently. Proper processes and procedures need to be implemented and burned into the culture: these things happen frequently, and they need to be addressed quickly.
Step 3: Vulnerability Management
A vulnerability management program that constantly scans your environment for new assets should alert you when it finds assets you do not know about that are turned on, and when any asset contains vulnerabilities that put your enterprise at risk.
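As an added example (not code from the original post), here is a small Python reconciliation of the three steps: a constructed asset inventory (Step 1) carrying last-patch dates (Step 2) is compared against a constructed discovery and vulnerability scan (Step 3), and the script raises the alerts the paragraph describes: unknown hosts that are turned on and carry severe findings, plus known hosts that are outside the patch window and carry such findings. It also reports inventory hosts the scanner never reached, since a scan that misses known assets is a coverage gap of its own. All hostnames, IPs, dates and finding ids are constructed; the finding ids are placeholders, not CVE numbers, and the inventory and scan record formats are assumptions rather than any particular product's output.

```python
"""Reconcile a discovery/vulnerability scan against the asset inventory and
build the alert queue the three steps call for.  Every hostname, IP, date
and finding id below is constructed sample data (not real CMDB or scanner
output); finding ids are placeholders, not CVE numbers."""
from dataclasses import dataclass, field
from datetime import date

# Step 1: the asset inventory (constructed). last_patched is the date the
# host last completed a scheduled patch cycle (Step 2).
INVENTORY = {
    "web-01": {"owner": "platform", "last_patched": date(2024, 5, 1)},
    "db-01":  {"owner": "data",     "last_patched": date(2024, 3, 10)},
    "hr-app": {"owner": "hr-it",    "last_patched": date(2024, 5, 3)},
}

# The "today" used for patch-age arithmetic (constructed).
AS_OF = date(2024, 5, 10)


@dataclass
class Finding:
    finding_id: str   # placeholder id (constructed), not a real CVE
    severity: str     # "low" | "medium" | "high" | "critical"


@dataclass
class ScanHost:
    hostname: str
    ip: str
    up: bool          # responded during discovery, i.e. "turned on"
    findings: list = field(default_factory=list)


# Step 3: what one discovery + vulnerability scan returned (constructed).
SCAN = [
    ScanHost("web-01", "10.0.0.11", True, [Finding("SAMPLE-0001", "medium")]),
    ScanHost("db-01", "10.0.0.12", True, [Finding("SAMPLE-0002", "critical")]),
    ScanHost("lab-box", "10.0.0.77", True, [Finding("SAMPLE-0003", "high")]),  # not in INVENTORY
    ScanHost("old-printer", "10.0.0.90", False, []),  # unknown, but powered off
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def worst_severity(host):
    """Numeric rank of the most severe finding on a host (0 if it has none)."""
    return max((SEVERITY_RANK[f.severity] for f in host.findings), default=0)


def unknown_assets(inventory, scan):
    """Step 1 gap: hostnames the scanner saw that the inventory does not list."""
    return [h.hostname for h in scan if h.hostname not in inventory]


def unscanned_assets(inventory, scan):
    """Step 3 coverage gap: inventory hosts the scanner never reached."""
    seen = {h.hostname for h in scan}
    return sorted(name for name in inventory if name not in seen)


def stale_assets(inventory, as_of, max_age_days=30):
    """Step 2 gap: inventory hosts whose last patch cycle is outside the window."""
    return sorted(name for name, rec in inventory.items()
                  if (as_of - rec["last_patched"]).days > max_age_days)


def triage(inventory, scan, as_of, min_severity="high", max_age_days=30):
    """Build the alert queue: unknown hosts that are up and carry a finding at
    or above min_severity, plus known hosts that are both outside the patch
    window and carry such a finding.  Powered-off unknown hosts are not
    alerted here; unknown_assets() still lists them for the inventory backlog."""
    threshold = SEVERITY_RANK[min_severity]
    stale = set(stale_assets(inventory, as_of, max_age_days))
    alerts = []
    for host in scan:
        worst = worst_severity(host)
        if worst < threshold:
            continue
        if host.hostname not in inventory:
            if host.up:
                alerts.append({"kind": "unknown-asset", "host": host.hostname,
                               "ip": host.ip, "owner": None, "worst": worst})
        elif host.hostname in stale:
            alerts.append({"kind": "unpatched-known-asset", "host": host.hostname,
                           "ip": host.ip, "owner": inventory[host.hostname]["owner"],
                           "worst": worst})
    # Most severe first, then by hostname, so the queue order is deterministic.
    return sorted(alerts, key=lambda a: (-a["worst"], a["host"]))


if __name__ == "__main__":
    print("unknown assets:", unknown_assets(INVENTORY, SCAN))
    print("unscanned assets:", unscanned_assets(INVENTORY, SCAN))
    print("stale assets:", stale_assets(INVENTORY, AS_OF))
    for alert in triage(INVENTORY, SCAN, AS_OF):
        print(alert)
```

Run as-is it reports lab-box and old-printer as unknown, hr-app as never scanned, db-01 as past the 30-day window, and two alerts: the stale db-01 with a critical finding, then the unknown but live lab-box with a high finding. The real work is wiring `INVENTORY` to the CMDB export and `SCAN` to the scanner's report; the reconciliation logic itself is what turns three separate programs into one alert queue.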
These three steps are what I believe to be the cornerstones of a solid foundation for a security program. As you can see, two of the three steps usually aren’t an “information security” job function, which means good security is a happy marriage of IT and infosec. Information security supports the business, after all. In conclusion, I believe this three-step master-the-basics campaign will provide you with a cost-effective foundation on which to build.