Findings. Defects. Whatever you call them, your organization's security posture is full of them. At RSA, we use the umbrella term "Issues Management". So many organizations handle their vulnerabilities, misconfigurations, failed controls, and policy and process gaps the same way: the hard way. The hard way is the reactive way, the just-in-time way, and the kick-the-can-down-the-road way.
The "now" version of you, who is always at risk of falling behind at work, is dealing with these findings and defects in what you think is a reasonable way. "Sometimes you have to kick the can down the road," you tell yourself, just to keep your sanity and keep things moving now. Periodically, however, these kicked cans pile up and cause a lot of stress for the "future" you and probably some lost free time on nights and weekends as well. At those times, the "future" you is thinking that you're a real jerk.
I know. I'm preaching to the choir. You've already heard this or thought this, and right now I'm just giving advice that's easy to say, but hard to do. Early in my career, when I was broke, I asked my insurance agent how I could cut some coverage to reduce my rates. He gave me the "you can't afford not to have good coverage" speech. Financial gurus give the same advice about saving for emergencies and saving for retirement. "You can't afford not to." It sounds contrary at the time. You already don't have enough money, so how does taking more of each paycheck out of circulation supposed to help you? It's annoying to hear, and hard to work through, but the plain, ugly truth is that they're right. It takes personal maturity to learn lessons like this, and just like we as individuals can mature and learn hard lessons, so can our organizations.
So, how does this same "you can't afford not to" lesson apply our organizations? Well, in the case of issues management, it means several things. You have to streamline the issues management process so all the stakeholders can do their part with less effort. You also need to bring these stakeholders' data and tools together so they can share information easier and learn more from each other. This provides new insights. New insights and metrics mean that you can prioritize your issues and work on the things that bring the largest security improvement. Visibility creates accountability. Visibility into trends and metrics across all domains of issues will also facilitate root cause analysis, and ultimately, reduce repeats of the same findings in the future.
This is breaking the cycle, and making things better for your future self. It is similar to eastern philosophy, when they speak of Samsara, the Wheel of Suffering, and karma, they are saying to quit doing things that you know will just cause you more pain later. This also reminded me of what Andrew Jaquith once called the "Escaping the Hamster Wheel of Pain" or what my colleague Patrick Potter recently compared to Groundhog's Day.
Feel a little pain right now. Do the little bit of extra work, use the right tools like RSA Archer's Issues Management and make your future self a happy person.
Author: Chris Hoover
Category: RSA Fundamentals, Blog Post
Keywords: Cybersecurity Maturity Assessment, Cybersecurity Maturity Index, Issues Management, Wheel of Pain, Wheel of Suffering