Inspired by Timothy Ferriss’ book Tribe of Mentors, Marcus compiled a list of the fourteen most common questions he gets asked about cybersecurity. These questions were then posed to seventy notable InfoSec practitioners, with their responses recorded across more than four hundred pages in Tribe of Hackers.
Question number two caught my eye:
“What is one of the biggest bang-for-the-buck actions that an organization can take to improve their cybersecurity posture?”
Assuming the seventy have seen some stuff over the years, I thought this would be good advice for most companies to follow. I was also interested to see whether there would be any commonalities between the answers, so I read through all seventy responses and compiled a Top 7 list of the most common ones.
Again, go get the book; the proceeds go to charity, after all.
So, here we go:
The Top 7 Bang-For-Your-Buck Actions To Improve Your Security Posture.
For each of the Top 7 Bang-For-Your-Buck responses, I’ve quoted some comments from the answers. However, read the book for the full responses and more in-depth reasoning.
Number 7: Conduct Risk and Threat Assessments (4 mentions)
“Once an organization identifies and quantifies risks and the assets associated with their key function(s), it becomes inherently easier to identify potential causes of a critically impactful incident.” – Lesley Carhart
Number 6: Hire Good People (6 mentions)
“Hire good people. You will never spend money on something more effective within this domain than talented people.” – Ben Donnelly
Number 5: Asset Management (7 mentions)
“You can’t protect it if you can’t find it” – Cheryl Biswas
Number 4: Least Privilege | Limit Administrative Access (8 mentions)
“Get users out of the local administrators group” – Jake Williams
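One way to check how far a fleet is from that advice is to audit who actually sits in the local Administrators group on each machine. The script below is an added example, not from Tribe of Hackers or any of its contributors; it uses the Get-LocalGroupMember cmdlet (Windows PowerShell 5.1 and later) and compares the membership against an allow-list. The allow-list entries are assumptions to be replaced with the accounts and groups your organization has actually approved.

```powershell
# Added example (not from the book): report local Administrators members
# that are not on an approved allow-list. Requires PowerShell 5.1+ and
# an elevated session. The allow-list entries are assumptions.
$Approved = @(
    "$env:COMPUTERNAME\Administrator",   # assumed: the built-in local admin account
    'CORP\Workstation Admins'            # assumed: the domain group that should hold admin rights
)

# Enumerate the current members of the local Administrators group
$Members = Get-LocalGroupMember -Group 'Administrators'

# Anything not on the allow-list is a candidate for removal
$Unexpected = $Members | Where-Object { $Approved -notcontains $_.Name }

if ($Unexpected) {
    Write-Output "Unexpected members of local Administrators on $($env:COMPUTERNAME):"
    $Unexpected | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
} else {
    Write-Output "Local Administrators group on $($env:COMPUTERNAME) matches the allow-list."
}
```

Run it under a scheduled task or your endpoint management tool and collect the output centrally; the list of unexpected members is the work queue for getting users out of the group, and a machine that keeps reappearing on it usually points to a software installer or a helpdesk habit that re-adds them.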
Number 3: Do The Basics (9 mentions)
“There’s a lot of talk about the basics. If the basics were easy, everybody would be doing them. But I think they’re still worth calling out, even though they are difficult.” – Wendy Nather
Number 2: Security Culture (11 mentions)
“Culture change impacts behavior, incentive models, accountability, and transparency — and myriad other critical enablers that help to mature and improve cybersecurity programs. Until organizational culture — comprised of values and behaviors — is substantially reformed, cybersecurity failures will continue to abound.” – Ben Tomhave
Number 1: Security Awareness Training (14 mentions)
“I have gotten the best return on investment from security awareness training.” – Brad Schaufenbuel
“Invest in educating employees. Awareness goes a long way in a world where lying and “social engineering” are the key to most doors.” – Edward Prevost
And now you know.