As an independent security consultant and CISSP, Kevin Beaver knows a cybersecurity gap when he sees one. The most common oversights include missing and exploitable patches, weak passwords, unresolved web flaws and incomplete incident response procedures. These preventable mistakes can lead to severe consequences, such as a data breach or other costly security incidents.
In this webinar, Beaver outlines how an overreliance on policies, third-party challenges and executive apathy all contribute to common, recurring cybersecurity gaps.
Beaver describes the ideal approach to mitigate these gaps as "relentless incrementalism." This approach requires continuous daily attention to areas of the infosec program that need upgrading. It also involves acknowledging that the security program itself may be complicit in exacerbating operational or technical issues that deteriorate the organization's security hygiene.
An organization's tolerance for risk, management style and the regulatory requirements of its industry each inform its security program's strategy. But regardless of size or industry, all organizations can use the same approach to identify cybersecurity gaps, Beaver explains. This starts with adopting the "beginner's mind" perspective. By relinquishing previous opinions, biases and even knowledge about security, organizations may notice gaps and opportunities that they would otherwise have missed.
"This is a concept I learned while studying meditation. It's also an exercise that management consultants use to turn around failing businesses," Beaver says. "You cannot secure the things that you do not acknowledge."
The blinders-off approach can give security practitioners permission to imagine the ideal security program. One person may imagine a larger security budget, and another may imagine a set of tools or services to simplify operations.
Here, Beaver explains an exercise to help organizations create a security "bucket list." In this video, learn how a fresh, measured perspective can pinpoint common oversights, and how to use those findings to create actionable mitigation steps.
"Unless, and until, you're able to dig down and find the security issues that actually matter -- the ones that are creating tangible business risks -- your security program is not going to be where it needs to be," Beaver says.