Improvements for 2023
General IT/Cyber observations
As we’re now solidly into Q2 of 2023 and I examine the posture of organizations and their computing enterprises across the board, the things that still need improving in 2023 include the following (my own prioritizations and generalizations, of course; I'd love to hear your focal points):
Encryption at-rest and in-transit needs to be deployed to 100% of enterprises. This will protect the data for now, but without some pretty significant improvements very soon it won't stay protected: data that is being sucked up right now will likely be cracked and replayed in under 10 years. I’d love to discuss in a future article the impact quantum computing will have on corporate and nation-state espionage in the coming years.
Multi-Factor Authentication (MFA) needs to become the norm, not the exception, for corporate and personal logins alike, for remote and local access, and for privileged and non-privileged access.
Backups. No organization should be subject to the embarrassing, time-consuming and (mostly) avoidable effects of ransomware. Build architectures that provide for offline, out-of-band backups that are consistently validated to allow for near-real-time recovery. I was recently engaged in a conversation with a CEO who asked if I had ever had an organization I was responsible for in a senior security role undergo a ransomware attack. I said that I hadn’t and explained not only what I had done to prevent it in multiple organizations, but also what I had done with backups to minimize any potential impact should an event have occurred. She almost seemed disappointed, but while I have been involved in some pretty major real-world post-incident response events (overseeing the team doing the 2014 cleanup at Sony Pictures, for one), I’m actually proud to highlight my lack of experience in this area. That may seem counterintuitive to some, but I’ll continue to invest my time in building architectures and processes that strongly attempt to avoid such a scenario to begin with rather than touting any credentials for taking an organization I’m responsible for protecting through such an event. (This is not to say that I don’t also conduct large-scale, enterprise-wide ransomware exercises, because I absolutely do, as I recognize my number will be picked someday. It’s almost inevitable.)
Identification of where the organization's most critical data is. Tag it, mark it and put policies around it, then deploy Data Loss Prevention (DLP), host/network intrusion prevention and related tools to increase the security and privacy around the access to and use of that data.
Network Access Control (NAC). Not all attacks will occur remotely, and not all attacks are conducted by strangers. Vendors with access to your building, or trusted users who think they are entitled to add this one little Raspberry Pi to the network, are also significant threats to be concerned about (remember back in 2019 when NASA’s Jet Propulsion Lab (JPL) had this happen?). NAC is one of those capabilities whose benefits far outweigh the cost and time to implement.
Additional synchronized defense-in-depth security strategy that provides layers from the perimeter to the network, the endpoints and the servers (including the on-prem and cloud portions of the architecture, where applicable). It's better to have a strategy that is cohesive and that closes the gaps, even if each component isn't the best of its product line, than to have a best-of-breed suite of tools that don't function well together. Perfection is the enemy of good.

The threat landscape isn’t going to get easier anytime soon, if ever. Identify what it is you are protecting, figure out the gaps, prioritize the responses and align your strategy with business goals (because, on the flip side, I also always say that you can’t spend $5 to protect $1 worth of data). For those items that are free or within budget, there's no time like the present to "get 'er done". For those that require unallocated funds, always have a list in your back pocket along with solid justifications; then, if a moment arises where funds become available, be the first to jump on the opportunity.