Living Simply in a Complex World

Any Chief Information Security Officer worth their salt has three primary goals:
- Brand and Reputation Protection: keep the organization out of news headlines. Keep all employees, executives, and stakeholders safe from reputational damage.
- Data Protection: Keep important data where it belongs. Keep the data available to those who are supposed to see it, delete it, modify it, etc.
- IT Dollar Spend Optimization: Identify a required feature or function, acquire it, implement it, and do not spend the following year’s budget acquiring a new tool that performs the same tasks, but rather, enable new features on the existing technology.
There’s always the latest Swiss army knife of cybersecurity technology that will solve all of an organization’s problems, replace the old broken stuff in its environment, and make your organization feel secure, allowing you to sleep peacefully at night.
It’s not just cybersecurity technology. There are typically three distinct stages of tech evolution:
- Stage 1 is usually big and clunky with parts cobbled together and sort of functional.
- Stage 2 shows some demonstrable integration for purpose-built functionality.
- Stage 3 will show remarkable rightsizing, increased functionality, and remarkable simplification.
Sort of Moore’s law, but sort of not. Think of the original remotes for Amazon’s Fire TV: there used to be lots of buttons, now there are approximately 8. Or Microsoft’s Zune (yes, it’s a thing, and worth a google if you’re not familiar) versus Apple’s iPod. Power and functionality are always increasing, but the trick is to actually adopt the technology in meaningful fashion.
When “commercial-off-the-shelf” turns into “stays-on-the-shelf”, we have all missed the boat. But there’s always the next shiny new thing in the cybersecurity world.
Removing all the fluff and nonsense, there are a handful of simple steps that can improve your overall posture dramatically:
MFA Everywhere
Multi-Factor Authentication (MFA). The single biggest point of risk to any computer environment is where a human being touches the keyboard. Ensuring that the human being in question is who they say they are increases trust and allows for improved accountability. MFA variants (two-factor authentication (2FA), one-time passwords (OTP), and so on) generate a specific time-bounded authentication step that helps ensure the human is who they say they are, and is doing what they’re supposed to be doing. Ensuring the identity of the user (or entity – think service accounts) may be the single most important control point we have.
MDR Everywhere
Managed Detection and Response. Emphasis on Managed. An Endpoint Detection and Response (EDR) platform generates a persistent stream of information about where data is created, manipulated, etc.; having managed, eyes-on coverage of that stream increases its value exponentially. Visibility into endpoint activities and potential threats may be the single most important control point we have.
MDM Everywhere
Mobile Device Management. As mentioned earlier, if the “edge” is truly shrinking, the spread of mobile computing is prolific. When a computer device sits behind corporate technical security controls, it’s easier – not easy, but easier – to manage access to, manipulation of, and movement of potentially sensitive information. Mobile devices – primarily iOS and Android, but this can and should extend to laptops as well – make controlling and monitoring the access to and flow of data much more challenging. A well-implemented MDM solution should allow for visibility and control of company-owned information assets. Controlling information flow on mobile devices may be the single most important control point we have.
Vulnerability Management
Vulnerability management can be simplified into vulnerability scanning and patch management. Pick a tool that can scan the entirety of the computer environment (on-premises, cloud, remote, etc.) and identify where vulnerabilities may lie. Correlate that data, prioritize it based on the potential impact of someone exploiting it, and apply the appropriate patches. Knowing what’s vulnerable and working to reduce or remove those vulnerabilities may be the single most important control point we have.
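The “correlate, then prioritize by impact” step above is where most programs stall, so here is an added example (this blog’s own illustration, not any scanner’s output or any vendor’s scoring) of the two pieces in working code: merging findings from two scanners so one issue is tracked once, then ranking by a risk score that weights the scanner’s base score by internet exposure, public exploit availability and how much the asset matters. The hosts, the PLACEHOLDER vulnerability IDs and the multipliers are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str          # scanner's identifier; placeholders below, not real advisories
    cvss: float           # base score as reported by the scanner
    internet_exposed: bool
    exploit_public: bool
    asset_tier: int       # 1 = crown jewels, 2 = standard, 3 = low value


# Constructed scan output from two hypothetical scanners; no real hosts or vulns.
SCANNER_A = [
    Finding("web01", "PLACEHOLDER-0001", 9.8, True, True, 1),
    Finding("db01", "PLACEHOLDER-0002", 9.8, False, False, 1),
    Finding("laptop12", "PLACEHOLDER-0004", 5.3, False, False, 2),
]
SCANNER_B = [
    Finding("web01", "PLACEHOLDER-0001", 9.4, True, True, 1),   # same issue, different score
    Finding("kiosk07", "PLACEHOLDER-0003", 7.5, True, True, 3),
]

# Example weights; tune to your own environment.
TIER_WEIGHT = {1: 1.5, 2: 1.0, 3: 0.6}
EXPOSURE_MULTIPLIER = 1.5
EXPLOIT_MULTIPLIER = 1.5


def correlate(*sources: Iterable[Finding]) -> List[Finding]:
    """Merge findings from several scanners keyed on (host, vuln_id), keeping the
    highest reported score, so one issue becomes one ticket rather than one per tool."""
    merged: Dict[Tuple[str, str], Finding] = {}
    for source in sources:
        for f in source:
            key = (f.host, f.vuln_id)
            if key not in merged or f.cvss > merged[key].cvss:
                merged[key] = f
    return list(merged.values())


def risk_score(f: Finding) -> float:
    """Base score scaled by reachability, known exploitation and asset value:
    a 9.8 on an isolated database should not outrank a 9.8 on a public web server."""
    score = f.cvss
    if f.internet_exposed:
        score *= EXPOSURE_MULTIPLIER
    if f.exploit_public:
        score *= EXPLOIT_MULTIPLIER
    return round(score * TIER_WEIGHT[f.asset_tier], 3)


def patch_order(findings: List[Finding]) -> List[Tuple[str, str, float]]:
    """Highest risk first: the order in which patches should go out."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.host, f.vuln_id, risk_score(f)) for f in ranked]


if __name__ == "__main__":
    for host, vuln_id, score in patch_order(correlate(SCANNER_A, SCANNER_B)):
        print(f"{score:7.3f}  {host:10s} {vuln_id}")
```

Note that the two 9.8s end up far apart once exposure and asset tier are applied, which is the whole point of the prioritization step: raw scanner severity alone is not a patch schedule.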
SIEM (Monitoring, Logging, Notification) on Everything
Security Information and Event Management (SIEM). Collecting logs from devices for use in forensic investigation is fun, valuable, and a bit of closing the barn doors after the horse runs out. SIEM does that, but properly tuned, it also can give real-time information on potential bad things, disruptive things, or just interesting things that you may want to look into to prevent actual badness from happening. Collecting logs, correlating that data enterprise-wide, and acting on that information may be the single most important control point we have.
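Here is what “properly tuned” correlation looks like in miniature, as an added example that is not part of the original post and not any SIEM product’s rule language: a handful of constructed authentication log lines (TEST-NET addresses, made-up hostnames and users), a parser, and a detection that fires once when one source address racks up five failed logons inside a minute and again if that same address then logs on successfully. The log format, thresholds and alert names are this example’s own assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample log; addresses are from the reserved documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=vpn01 event=logon_failed user=alice src=203.0.113.7
2024-05-01T10:00:05Z host=vpn01 event=logon_failed user=bob src=203.0.113.7
2024-05-01T10:00:09Z host=vpn01 event=logon_failed user=carol src=203.0.113.7
2024-05-01T10:00:12Z host=vpn01 event=logon_failed user=dave src=203.0.113.7
2024-05-01T10:00:15Z host=vpn01 event=logon_failed user=erin src=203.0.113.7
2024-05-01T10:00:19Z host=vpn01 event=logon_failed user=admin src=198.51.100.9
2024-05-01T10:00:25Z host=vpn01 event=logon_success user=admin src=198.51.100.9
2024-05-01T10:00:31Z host=vpn01 event=logon_failed user=frank src=203.0.113.7
2024-05-01T10:00:40Z host=vpn01 event=logon_success user=frank src=203.0.113.7
2024-05-01T10:02:00Z host=mail01 event=logon_success user=grace src=192.0.2.4
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Turn one key=value log line into a record; return None for lines we don't understand."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["ts"] = datetime.strptime(str(rec["ts"]), "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(lines, threshold: int = 5, window_seconds: int = 60) -> List[Dict[str, object]]:
    """Sliding-window correlation keyed on source address.

    - 'bruteforce': at least `threshold` failures from one source within the window
      (emitted once per source so the analyst is not flooded).
    - 'success_after_bruteforce': a success from an already-flagged source within
      one window of its last failure. This is the one to wake someone up for."""
    window = timedelta(seconds=window_seconds)
    failures: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    alerts: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, ts = str(rec["src"]), rec["ts"]
        if rec["event"] == "logon_failed":
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged[src] = ts
                alerts.append({"type": "bruteforce", "src": src, "failures": len(q), "at": ts})
        elif rec["event"] == "logon_success":
            if src in flagged and ts - failures[src][-1] <= window:
                alerts.append({"type": "success_after_bruteforce", "src": src,
                               "user": rec["user"], "host": rec["host"], "at": ts})
    return alerts


def run_sample() -> List[Dict[str, object]]:
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The single failure-then-success from 198.51.100.9 (someone mistyping a password) correctly produces nothing, which is the tuning part: the threshold and window decide whether the SIEM is a real-time signal or just a louder log archive.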
Encryption
Encryption in motion and Encryption at rest. Historically, the single largest offender for HIPAA (Health Insurance Portability and Accountability Act) data breaches was lost or stolen laptops. This data should be encrypted. Make it difficult if not impossible to log on to that device and make it impossible to gain access to that data via full-disk encryption.
Aside: I’m not sure why anyone would be walking around with millions of healthcare records on their laptop, but there you have it.
No Internet-Based Open RDP
Remote Desktop Protocol (RDP) over the internet. Don’t. Just don’t. There are a lot of ways to accomplish the end goal, and they should be wrapped up in the things already mentioned. Not allowing Internet-based RDP may be the single most important control point we have.
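“Don’t” is easy to say and hard to prove, so here is an added example (not from the original post, and not tied to any particular firewall or cloud provider) of the audit check that backs it up: walk a set of inbound rules and flag every one that allows TCP/3389 from a source range that is not entirely internal. The rule records, their field names and the sample addresses are constructed for this example; a real audit would feed it exported security-group or firewall rules instead.

```python
import ipaddress
from typing import Dict, List

RDP_PORT = 3389

# Ranges that are never reachable from the public internet (RFC 1918, loopback, IPv6 ULA).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128",
)]

# Constructed inbound rules; not from any real environment.
SAMPLE_RULES: List[Dict[str, object]] = [
    {"name": "allow-rdp-anywhere", "proto": "tcp", "from_port": 3389, "to_port": 3389, "src": "0.0.0.0/0"},
    {"name": "allow-rdp-corp",     "proto": "tcp", "from_port": 3389, "to_port": 3389, "src": "10.20.0.0/16"},
    {"name": "allow-rdp-partner",  "proto": "tcp", "from_port": 3389, "to_port": 3389, "src": "203.0.113.0/24"},
    {"name": "allow-all-v6",       "proto": "tcp", "from_port": 0,    "to_port": 65535, "src": "::/0"},
    {"name": "allow-https",        "proto": "tcp", "from_port": 443,  "to_port": 443,  "src": "0.0.0.0/0"},
]


def is_internal_only(src_cidr: str) -> bool:
    """True only if the whole source range sits inside one of the internal ranges.
    A public /24 or an any-address rule (0.0.0.0/0, ::/0) is not internal."""
    net = ipaddress.ip_network(src_cidr, strict=False)
    return any(net.version == r.version and net.subnet_of(r) for r in INTERNAL_RANGES)


def exposes_rdp(rule: Dict[str, object]) -> bool:
    """A rule exposes RDP when it covers TCP (or all protocols), its port range
    includes 3389, and its source is not purely internal. Wide port ranges count:
    'allow everything' rules are how 3389 ends up open by accident."""
    proto_ok = rule["proto"] in ("tcp", "any")
    port_ok = int(rule["from_port"]) <= RDP_PORT <= int(rule["to_port"])
    return proto_ok and port_ok and not is_internal_only(str(rule["src"]))


def find_open_rdp(rules: List[Dict[str, object]]) -> List[str]:
    """Names of the rules that would need to be removed or narrowed."""
    return [str(r["name"]) for r in rules if exposes_rdp(r)]


if __name__ == "__main__":
    for name in find_open_rdp(SAMPLE_RULES):
        print("internet-reachable RDP rule:", name)
```

The partner rule is the instructive one: a specific public /24 feels tighter than 0.0.0.0/0, but it is still internet-based RDP, which is exactly what the section says to wrap inside the other controls (VPN with MFA, a managed gateway) rather than allow directly.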
Build a Program
Have a measurable, monitorable, repeatable set of policies and procedures that define how and why you’re doing something in the information security space. There are a lot of options to choose from, and even more that may be mandatory based on your specific line of business (HIPAA, PCI (Payment Card Industry), etc.), but pick one. Maybe two. And stick to it. Define and test that cybersecurity incident response plan. A well-defined and cared-for program may be the single most important control point we have.
Obviously, it’s not that simple. There is a lot of work to be done in each of these categories, and there is a significant amount of overlap and integration among them. This is by no means a comprehensive list; it is about getting back to the basics.
The old adage about “How do you eat an elephant? One bite at a time.” is meant to simplify tackling any large and complex process. Cybersecurity is never a static point-in-time solution. Cybersecurity is ever evolving based on new threats, new applications, new this and new that. Every journey begins with a single step, so point your feet in a direction and start the march by focusing on the basics. Think about that poor elephant wishing people would just get it over with and stop with that tedious one-bite-at-a-time silliness.
You may also have noticed that each item is “the single most important control point we have”.
Get it? Stay tuned for Chapter Two tentatively titled “Wait… you clicked on what?!?”