As an independent security consultant and CISSP, Kevin Beaver knows cybersecurity problems when he sees them. The most common oversights include missing and exploitable patches, weak passwords, unresolved web flaws and incomplete incident response procedures. These preventable mistakes can lead to severe consequences, such as a data breach or other costly security incidents.
In this webinar, Beaver outlines how an overreliance on policies, third-party challenges and executive apathy all contribute to recurring, common cybersecurity gaps.
Beaver describes the ideal approach to mitigate these problems as "relentless incrementalism," which requires continuous daily attention to areas of the infosec program that need upgrading. It also involves acknowledging that the security program itself may be complicit in exacerbating operational or technical issues that degrade the organization's security hygiene.
An organization's tolerance for risk, management style and the regulatory requirements of its industry each inform its security program's strategy. But, regardless of size or industry, all organizations can use the same approach to identify cybersecurity issues, Beaver explains. This starts with adopting the "beginner's mind" perspective. By relinquishing previous opinions, biases and even knowledge about security, organizations may notice gaps and opportunities that they would not have noticed otherwise.
"This is a concept I learned while studying meditation. It's also an exercise that management consultants use to turn around failing businesses," Beaver says. "You cannot secure the things that you do not acknowledge."
This blinders-off approach can give security practitioners permission to imagine the ideal security program. One person may imagine a larger security budget, and another may imagine a set of tools or services to simplify operations.
Beaver explains an exercise to help organizations create a security bucket list. In this video, learn how a fresh, measured perspective can pinpoint common oversights and how to use those findings to create actionable mitigation steps.
"Unless and until you're able to dig down and find the security issues that actually matter -- the ones that are creating tangible business risks -- your security program is not going to be where it needs to be," Beaver says.