Meet fundamental cybersecurity needs before aiming for more

In this interview for Help Net Security, Mike Lefebvre, Director of Cybersecurity at SEI Sphere, talks about the hierarchy of cybersecurity needs and what should be done to meet them properly.

We have all heard about the hierarchy of human needs, but what about the hierarchy of cybersecurity needs? What does it consist of?

A hierarchy of cybersecurity needs is inspired by a similar concept of the hierarchy of human needs, coined by the psychologist Abraham Maslow. Maslow’s work has since been depicted as a pyramid where the foundational elements at the base of the pyramid must be consistently met before upper levels of the pyramid can be addressed.

Relatedly, organizations must get the foundational elements of cybersecurity consistently right to effectively protect itself from cyber risks. Just as humans need to fulfill their basic needs, organizations have to regularly address basic cyber hygiene to ensure they have a strong foundation. The base of the cyber hierarchy consists of asset management and log management. These two basic needs must be addressed before any advanced capabilities can be achieved.

Do you think basic cybersecurity needs are being met properly? If not, why?

Partially, but overall it’s mostly a failing grade. Most clients appear to try meeting these foundational needs, but it’s either incomplete, ad hoc, or not regularly performed. Just as the hierarchy of human needs posits that we need to consistently have food, shelter, and water to achieve higher order actualization (e.g., belonging, religion, self-esteem), so too do we need to regularly meet foundational cyber needs. Imagine if you had housing only 5 nights of the week – you’d spend the remaining time worrying about the remaining 2 nights.

Relatedly, given the regularity of breach headlines, it’s clearly indicative that something is not working right. To “solve” cybersecurity, many organizations focus their resources on chasing “next-gen” cyber tools thinking it will be a quick fix without adequately meeting the foundational elements of the cybersecurity hierarchy. Without basic needs being met, the data needed to power these higher-level tools may be incomplete, misconfigured, or unusable. As an industry, it seems like we’re trying to start at the top of the pyramid instead of building our way up from the bottom.

What do organizations need to do to meet these needs?

To meet these needs, business leadership should consider taking an internal deep dive to evaluate if they are comprehensively and regularly fulfilling the basic cyber needs. To highlight the importance of asset management and log management, it is worth briefly discussing each:

• Asset management: For an organization to protect their digital environment, they need to know what assets they have. To put it plainly, if it has an IP address and/or your data, business leadership needs to know what it is. Examples of this include servers, endpoints, clouds, printers, applications, third-party vendors, IoT devices, identities and anything-as-a-service. These assets must be comprehensively identified and tracked in real-time, as they are fleeting, diverse, and unevenly secure.
• Log management: For an organization to protect their digital environment, they need to know what is happening on the digital assets they have. Logs give this visibility into what’s happening in the digital world. Organizations should make sure they are capturing logs, identify what logs are missing, and review how detailed they should be. These logs then need to be uniformly captured and retained to enable insight into events in the digital world.

What do asset management and log management have to do with meeting cybersecurity needs and why are they essential?

Asset management and log management come down to one word: fundamentals. Without getting the fundamentals right, we cannot achieve advanced capabilities. It’s kind of like learning math – you need to progress from algebra through trigonometry before calculus. Unfortunately, sometimes organizations are sold a bill of goods on complex calculus without being able to provide the variables needed to properly solve the equation.

To put it bluntly, asset management and log management strictly provide the foundation needed to power a cyber defense program. If these needs are not being met, the higher levels built upon them (think: governance, policies, compliance, and regulatory requirements) are built on an insecure foundation.

What could be the impediments of meeting cybersecurity needs now and in the future?

Some impediments to the foundation of the hierarchy are arguably no different than any other business need: budget constraints, human capital gaps, business strategy, and external forces can hinder meeting these basic needs. However, the impact of the business risks introduced by failing at cyber can be serious. It is understandable that organizations may get solace from regulation, cyber insurance, and tools, but there are some obstacles that may result from an overreliance on these defense mechanisms and processes:

• Overreliance on regulations: While penalties for non-compliance can be steep, simply doing the bare minimum to meet regulations will not prevent a breach. A comprehensive holistic cybersecurity strategy is required to effectively protect the business from the monetary and reputational risks associated with cyber attacks.
• Overreliance on cyber insurance: As cyber threats rise, many firms think first (and perhaps only) of their cyber insurance as a means of protection. While this is important, it’s only one piece of the puzzle. Cyber insurance allows firms to get back on their feet, but it does nothing to improve cyber posture.