Why cyber hygiene isn't enough

Organizations need to practice regular cyber hygiene. But they must also take steps to mitigate cyber risk—the most serious threats to our security.

In numerous discussions and forums recently, the conversation about the need for a risk management approach to cybersecurity has quickly devolved into a discussion about cyber hygiene and, ultimately, a discussion about compliance (with perhaps some simple metrics thrown in).


This pattern of following a difficult but business-oriented discussion of risk with a trivial oversimplification is common within government and industry circles—and even among the most sophisticated CISOs. What we really need is a holistic risk framework and a solid commitment to risk-based measurements, so that we can accurately understand and defend against the most serious cybersecurity threats facing our country. Too often we focus solely on cyber hygiene, which, while important, doesn’t fully address the more severe risks organizations face with increasing frequency.

Consider the analogy to personal hygiene. Do we believe everyday tasks such as brushing our teeth, washing our hands and taking a shower will prevent serious illnesses, birth defects or cancer? No. We believe that although good hygiene will help prevent many common ailments and even life-threatening diseases—from periodontal disease to the flu—it fails to thwart those more complex ailments. Because of this, we know we need to continue funding cancer research to find a cure, taking antibiotics for serious or chronic infections and leveraging technology such as MRIs to identify internal maladies that don’t respond to simple hygiene changes.

Simple practices don't prevent serious risks

In a similar way, cyber hygiene lends itself to simple surveys, compliance scans and audits. But will those perfectly acceptable practices help prevent more serious risks? I’d argue not, as those real risks often require something much more analytically sound and scientifically grounded. It is certainly good to be able to report that an organization passed an audit on a required security compliance regime, but it is difficult or impossible to describe how much risk was reduced by that level of compliance (or how much remains).

What is needed is a truly analytical framework that enables executives to communicate in the language of risk and the language of the business. And while I like some aspects of NIST 800-30 (mainly the definitions), it’s certainly not helpful for implementing a risk approach. At the highest level, a risk analytic approach should answer these questions:

  • Which threats are most likely to occur?
  • What are our greatest vulnerabilities?
  • What would be the consequence if a threat event was successful?

Translating these into business terms is key, and measuring them so that risks and countermeasures can be prioritized is essential. Further, the approach needs to be analytically valid and automated, not just a once-in-a-while paper endeavor.
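The three questions above map naturally onto a simple quantitative model: expected annual loss = threat likelihood × vulnerability (probability the attempt succeeds) × consequence. The following is an added worked example, not code from the original column or its author; it uses a constructed register of four scenarios and three candidate countermeasures with illustrative, invented numbers. It ranks scenarios by expected loss, ranks countermeasures by risk removed per dollar, and reports the compliance pass rate alongside, so the two views can be compared on the same data.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Scenario:
    """One threat scenario scored on the three questions in the post."""
    name: str
    threat_likelihood: float   # probability the threat event is attempted this year
    vulnerability: float       # probability the attempt succeeds against current controls
    consequence: float         # loss in dollars if it succeeds
    passes_audit: bool         # whether the relevant compliance checks are satisfied


@dataclass(frozen=True)
class Countermeasure:
    """A proposed control that lowers one scenario's vulnerability at a cost."""
    name: str
    scenario: str              # Scenario.name it applies to
    new_vulnerability: float   # residual probability of success once deployed
    cost: float                # annual cost in dollars


def annualized_risk(s: Scenario) -> float:
    """Expected annual loss: likelihood x vulnerability x consequence."""
    return s.threat_likelihood * s.vulnerability * s.consequence


def prioritize(scenarios: List[Scenario]) -> List[Tuple[str, float]]:
    """Risk view: rank scenarios by expected annual loss, highest first."""
    scored = [(s.name, annualized_risk(s)) for s in scenarios]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def compliance_pass_rate(scenarios: List[Scenario]) -> float:
    """Hygiene view: fraction of scenarios whose compliance checks pass."""
    return sum(1 for s in scenarios if s.passes_audit) / len(scenarios)


def risk_reduction(s: Scenario, cm: Countermeasure) -> float:
    """Dollars of expected annual loss removed by applying cm to s."""
    residual = s.threat_likelihood * cm.new_vulnerability * s.consequence
    return annualized_risk(s) - residual


def rank_countermeasures(scenarios: List[Scenario],
                         countermeasures: List[Countermeasure]) -> List[Tuple[str, float]]:
    """Rank controls by expected loss removed per dollar spent, highest first."""
    by_name = {s.name: s for s in scenarios}
    scored = [(cm.name, risk_reduction(by_name[cm.scenario], cm) / cm.cost)
              for cm in countermeasures]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample register; every figure below is invented for illustration.
SCENARIOS = [
    Scenario("Phishing for credentials", 0.9, 0.30, 500_000, passes_audit=True),
    Scenario("Unpatched internet-facing server", 0.6, 0.50, 1_500_000, passes_audit=False),
    Scenario("Lost encrypted laptop", 0.4, 0.05, 100_000, passes_audit=True),
    Scenario("Build pipeline compromise", 0.1, 0.60, 10_000_000, passes_audit=True),
]

COUNTERMEASURES = [
    Countermeasure("Phishing-resistant MFA", "Phishing for credentials", 0.05, 100_000),
    Countermeasure("Patch SLA and external scanning", "Unpatched internet-facing server", 0.10, 50_000),
    Countermeasure("Signed reproducible builds", "Build pipeline compromise", 0.20, 200_000),
]

if __name__ == "__main__":
    print(f"Compliance pass rate: {compliance_pass_rate(SCENARIOS):.0%}")
    print("Scenarios by expected annual loss:")
    for name, loss in prioritize(SCENARIOS):
        print(f"  {name:35s} ${loss:>12,.0f}")
    print("Countermeasures by loss removed per dollar:")
    for name, ratio in rank_countermeasures(SCENARIOS, COUNTERMEASURES):
        print(f"  {name:35s} {ratio:6.2f}")
```

On this data the register reports a 75% compliance pass rate, yet the scenario with the largest expected loss is one that passes its audit, and the control with the best return is not the one attached to the largest scenario. That gap between "how much passed" and "how much risk remains, and where" is the point the post is making; the model is deliberately simple (point estimates rather than distributions), but it already produces a prioritized list the business can argue with in its own units.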

Like human hygiene, organizations must maintain regular cyber hygiene for healthy outcomes. But it’s critical they don’t neglect the tools and processes that mitigate cyber risk—the most serious threats to our security. Both are critical, and it’s essential we understand the differences.

Are you seeing good examples of risk programs? Please share! In subsequent posts, we’ll discuss analytical approaches and review some good examples.

Stories by Bryan Ware