You are probably thinking to yourself, “oh great, another cybersecurity article”. I feel the same way sometimes, that I’ve become numb to the statistics, and I just want to go back to a time when we didn’t have to consider unscrupulous threat actors trying to take away what we’ve all worked so hard to build. Unfortunately, we may never get back there.
But this won’t be an article about statistics, just a realization and analogy that hit me the other day. I have multiple hobbies, and always love to learn new things. Recently I learned how to juggle (albeit a simple 3-ball cascade) and finally figured out a Rubik’s Cube (though it takes me several minutes). I have played music for years but had not touched a piano in probably a decade or more, and finally found an opportunity to revisit that, and during a practice session of “Impertinence” by Handel I was reminded of how all skills take time, patience, and a process for success.
You see, I can play notes on the keyboard. I can play them in the right key, I can play chords, and I can play melodies and harmonies that I make up. But to follow the sheet music of Handel, even if it’s my interpretation of dynamics and feel, I have to be capable of multiple things: reading music notes on the grand staff, rhythm, and timing as well as pitch, dynamics and ornaments, as well as notations about fingerings, etc. All those things are secondary to an initial analysis and review of the piece that tell me the key signature, time signature, and hopefully mood of the piece.
How does this relate to cybersecurity?
Prior to being able to play a piece by Handel or any other composer, I had to first learn and become competent in some general music theory, as I’m not gifted with perfect pitch. This took its own curriculum and time to learn. In a similar fashion, cybersecurity is about protecting data and systems that support an organization. Before we can protect the organization from cybersecurity attacks, we must first understand the general components of how the organization runs, its vocabulary, the impact of its pieces and how they contribute to the overall vision and mission. Consider this “fundamental”.
Next, as briefly mentioned above, the piece needs to be analyzed. During a musical analysis the performer is looking at the guidelines by which the piece should be played, such as key signature, time signature, dynamics, ornamentation instruction, and sometimes even the title of the piece. By following these rules of music, we can provide the value of the piece: the performance (the data). Think of this like a legal or regulatory outline under which an organization is to operate regarding its valuable information/data. State law, federal law, and regulatory bodies provide an outline of how we are to operate a business when handling sensitive or protected information. Granted, they probably have more rules than the Handel piece. During an analysis (or cybersecurity assessment) we are preparing ourselves to align operations and process with the guidance set forth. In music, this ensures that the piece sounds as the composer anticipated, while in business it ensures that the information/data/systems are protected and operated as intended.
I mentioned tempo in the title, and time signature a few times during the information above. Here’s where it all hit me. I’ve been practicing “Impertinence” for weeks. For my current skill level at piano, I must play it over-and-over-and-over to work on weaknesses and mistakes if I try to play it at speed (roughly 152 bpm). So, to learn the piece, follow the rules, and perform it properly…I had to start slow. Take a few measures, learn them slowly, get them right, then move on to the next section. Even knowing music theory, how to read music, and even having played guitar for decades doesn’t mean I can just sit down and play this piece without challenges.
Protecting businesses from cybersecurity threats these days is very similar. We must first have a foundational understanding of why the organization exists, and what value and impact it provides to its community. From there we can analyze the rules governing the operations of systems, data, and people operating within the organization. And after all of that, we get to probably the most challenging part considering the world’s instant gratification mentality. We must slowly and carefully practice the processes to get better at the multiple facets of cybersecurity.
If you are following the Center for Internet Security controls, for example, there are 153 safeguards grouped into 18 categories. Much like I practice slowly (the tempo) at first until I identify my weaknesses, and then slowly increase until I’m up to speed, we can do the same with cybersecurity. Work slowly through categories/safeguards, identifying where the organization is weak, work on those and get them stronger until the posture is at a desired place, and then regularly come back and do it all over again. Music is the same: once a piece is worked up to near perfection and we set it aside to take on another challenging piece, we often come back and enjoy that piece again, and continue to improve it, adding embellishments and ornaments to make it even better.
Cybersecurity is not a tool to buy off the shelf. It’s not a set-it-and-forget-it process. It’s a continual investment in a process bringing together people and technology to ultimately deliver an exceptional performance.
Contact Axxys today and let us get in tune with your organization’s cybersecurity practices.