The Biggest Key to Cybersecurity Success - Consistency

Theoretically, the most secure system in the world is the "closed" system, a system that takes no external inputs and provides no external outputs. In reality there's no such system. Some come close, but even those take input via a human interface or through some other means. So by definition every cybersecurity program is imperfect.

That's a tough pill to swallow for many of us. But once we're over that particular issue we can move on to making the most of our cybersecurity programs. While there are a great number of factors that lead to a good, effective cybersecurity program it has been my experience that one key factor is common across all high functioning cybersecurity programs, and that is consistency.

Consistency - Doing It Right the First Time, Every Time

Good cybersecurity is in the details. How many breaches have been traced back to the basics:

• Using default credentials
• Misconfiguration of a cloud data storage environment
• Failure to patch a known, old, vulnerability
• and the list goes on and on

The consistency of doing it right the first time, every time means security needs to be a priority in PoCs, dev environments, and all the other "low priority" areas within the organization. Why? Every developer, dev-ops, and production engineering resource has seen this play out: shortcuts are taken in the initial environment and development and testing begin there. The approved software and configuration then gets sent to production and the security team brings up security controls that need to be met. Unfortunately the software and environment doesn't work properly once those security controls are implemented, and leadership decides that meeting the rollout deadline is more important than retrofitting for the security controls, so insecure applications are launched.

That's not the only scenario that happens. How many technology PoCs have turned immediately in to production systems without being rebuilt following security requirements? What "pet projects" have started without any security considerations that ended up being a cornerstone of a company's operations? Having a culture of consistency helps prevent these sorts of events.

Consistency - Applying Policy the Same Way Every Time

Policy is fundamental to any organization, and doubly important for both compliance and cybersecurity. Good policy is accompanied by an exception process, and great policy is accompanied by an exception register. Excellent policy has very few exceptions - registered or otherwise - while actually providing an appropriate foundation for the security controls and capabilities that protect an organization.

Excellent policy is a difficult thing to achieve. Many cybersecurity policies fail to be consistently applied across an organization, usually for one of two reasons.

Policy Is Inconsistent With the Organization

One of the most common policy consistency mistakes is that policy was written (let's be honest, downloaded) in a vacuum by someone whose instructions were to find a policy that is compliant with whatever regulatory requirements the company faces. Such policy is then adopted as being the organization's official policy, however any credible auditor can quickly ferret out such policy by observing the environment around them. Even worse, most compliance regulators take a dim view of such phony policy.

While there's no shame in starting with a policy template - we all have to start somewhere - make sure that your policy is reasonable and responsive to the business you're charged with protecting. It needs to be consistent with the organizations goals and operating rhythms.

Policy Does Not Have Consistent Support From Leadership

We've all seen this one: some CxO believes that policy doesn't apply to them or their part of the business. After all, security policy is nothing but an impediment to getting business done, right? Having the consistency of leadership supporting security policy is crucial to limiting the number of exceptions - documented or otherwise - in your environment. This may mean having to relax some policy considerations, after all cybersecurity must support the business or the business won't survive.

Policy must, sometimes, change an organization's behavior. This sort of policy is the hardest to implement properly, and requires the most sponsorship in order to be viable.

Once good, great, or excellent policy has been developed and adopted, it must be applied with consistency. Exceptions must be infrequent or the policy isn't really a policy.

Consistency - Striving for Continuous Improvement Every Day

Cybersecurity doesn't improve by leaps and bounds, even though sometimes it seems that way. Deploying a new technical control may seem like a big immediate step forward, but that's almost the same as the "overnight success" of most musicians, actors, and artists - it's really the result of lots of hard work over an extended timeframe.

Cybersecurity is also governed by the sentiment that if you aren't improving you're falling behind. Malicious actors continually improve their tactics and capabilities: the cybersecurity equivalent of graduating from throwing rocks to shooting arrows to dropping smart bombs. A cybersecurity program must keep pace at a minimum.

Focus on making improvements every day. They can be small, even changing the default credentials on a security appliance is a help. But keep moving forward. Keep improving the environment. Keep adding to your capabilities. Keep learning.

A consistent cybersecurity program may not be the most glamorous program. It may never win you major recognition or notoriety. (Then again in our industry notoriety often comes as the outcome of a breach) But a consistent program will aid you in making sure the environment you're protecting is getting the care and attention it needs to remain as secure as you can make it. Isn't that the goal?