One of the things I love about my job is the time I get to spend with security professionals, learning firsthand about the challenges of managing security strategy and implementation day to day. There are certain themes that come up over and over in these conversations. My colleague Ken Malcolmson and I discussed a few of them on the inaugural episode of the Microsoft CISO Spotlight Series: CISO Lessons Learned. Specifically, we talked about the challenges CISOs face migrating to the cloud and protecting your organization’s data. In this blog, I dig into one of the core concepts we talked about: practicing cybersecurity hygiene.
Hygiene means conditions or practices conducive to maintaining health. Cybersecurity hygiene is about maintaining cyberhealth by developing and implementing a set of tools, policies, and practices to increase your organization’s resiliency in the face of attacks and exploits. Healthy habits like drinking lots of water, walking every day, and eating a rainbow of vegetables build up the immune system, so our bodies can fight off viruses with minimal downtime. Most of the time we don’t even realize how powerful the protection of these behaviors are until that day deep in January when you look around your office and realize you are one of the only people who isn’t sick. That’s what cybersecurity hygiene does; it strengthens your organizational immune system. It’s a simple concept until you start thinking about the last time you resolved to start practicing healthy habits but were skipping the salad by day three because big salads make your stomach bloat and you’d rather have a candy bar anyway.
Success starts with strategy
No matter where in the world I am, CSOs and CISOs tell me their days are filled with fire drills and crises that consume attention and resources but don’t help advance a strategic agenda. A little like that candy bar—drawing focus in the present but diverting energy from long-term goals. In the precious moments of downtime, when cyber executives can turn attention to long-term strategy and proactive security measures, it’s not uncommon to have those goals diverted in a different way—chasing the latest trend that the board is excited about or having to react to failure or a finding from a recent security assessment.
Consistent change changes systems
Our bodies are systems—when we eat more vegetables our microbiome changes, it becomes easier to digest those veggies and can actually begin craving them. But if you stock the pantry with candy instead of leafy greens, it’s hard to make a consistent change. For cyberhealth, you need a strategy that works with the strengths of your organization and mitigates its weakness. It’s a little like planning to be healthy. If you are social, it can help to enlist a friend in your exercise routine. If you work late, you can buy prepared, healthy food, so you aren’t as tempted to grab that candy bar after a long day.
To implement good security practices, take some time to understand your budget, your priorities, and your greatest vulnerabilities and allocate your money appropriately. Create strategic cybersecurity targets and goals for the next one, three, and five years and engage the C-Suite and board in the approvals. You will feel more empowered in conversations with the C-Suite when you have a good rationale and a solid plan and when cybersecurity hygiene becomes a systemic part of the organization, the healthy system will start to crave it.
Practice good cybersecurity hygiene
Once you have a strategy, you are ready to institute some best practices. We recommend getting started with the following to all our clients, big and small:
- Back up data: Make sure you have a regular process to back up your data to a location separate from your production data and encrypt it in transit and at rest.
- Implement identities: A good identity and access management solution allows you to enable a single common identity across on-premises and cloud resources with added safeguards to protect your most privileged accounts.
- Deploy conditional access: Use conditional access to control access based on location, device, or other risk factors.
- Use Multi-Factor Authentication: Multi-Factor Authentication works on its own or in conjunction with conditional access to verify that users trying to access your resources are who they say they are.
- Patching: A strategy to ensure all of your software and hardware is regularly patched and updated is important to reduce the number of security vulnerabilities that a hacker can exploit.
Develop cybersecurity hygiene with industry security frameworks
Excited to build healthy cyber habits but not sure where to start? The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a great place to start. You can also download blueprints that will help you implement Microsoft Azure according to NIST standards.
The Center for Information Security (CIS) is a non-profit organization that helps organizations protect themselves from cybercrime. Review the CIS Microsoft Azure Foundations benchmark, which provides recommended steps to securely implement Azure.
Stay healthy, eat your cyber vegetables, and stay up to date by watching our Microsoft CISO Spotlight Series: CISO Lessons Learned, and your organization can build the resiliency to take on any threat. Also, learn more at our CISO series page.