Cybersecurity, the broad term for all digital security activities, and information security, the subset of it focused on protecting sensitive enterprise data, are not the sole province of security professionals.
Organizations as a whole — leadership, employees, partners, customers and stakeholders alike — need to follow up-to-date infosec best practices. The most secure companies place the responsibility on the entire organization, said Joseph MacMillan, author of Infosec Strategies and Best Practices and cybersecurity global black belt at Microsoft. Implementing strong infosec practices costs money, time and effort, but doing so can save an organization from ruin.
Here, MacMillan discusses his top infosec best practices, along with the importance of cybersecurity controls, risk management and continuous improvement. He also speaks to how the infosec industry has shifted over the last few years.
Editor’s note: This transcript has been edited for length and clarity.
What are your most important infosec best practices?
Joseph MacMillan: First of all, organizations need to understand the risks associated with an asset. Are there multiple risks? What’s the risk level? What does the risk level mean for your organization?
Second, you’ll need to reduce the level of risk. Add defense in depth, which is a layered approach of applying controls. If one control fails, other controls will help mitigate the risk. In the book, I bring up defensive depth and risk over and over again.
Finally, complexity is the enemy of security. It’s important to keep it simple. If you have a simple solution — which is effective — that’s going to be helpful in reducing risk.
Which best practices are the most challenging for infosec pros?
MacMillan: Infosec can be a stressful field — its potential for loss is extraordinary. In some situations, you may be facing the potential ending or dissolution of a company.
In some companies, the responsibility and pressure of cybersecurity may lie on the shoulders of one person. In great companies, everyone takes responsibility for protecting the organization. If you don’t get it right, there’s a lot to lose.
All in all, infosec pros shouldn’t be too hard on themselves if they make a mistake, but it’s important to try and get it right. Research, practice, learn and educate yourself. Make mistakes in test environments rather than live ones, and remember to keep things simple.
How have cybersecurity and information security evolved over time?
MacMillan: Cyber threats have gone from a guy in a basement wearing a hoodie and hacking a company for fun to a serious business. We’ve seen more sophisticated attacks and groups — all the way to the state-sponsored level. International hacking groups have also targeted certain industries, such as oil and gas.
At the same time, cybersecurity technology is getting better. Infosec professionals and hackers alike are getting smarter — it’s become an arms race between both sides.
In Chapter 2, the intro to security controls, you wrote: ‘This section is all about implementing the appropriate information security controls for assets. I’ve been thinking about this section for a while, trying to understand how to tackle it best for you.’ Are controls a difficult aspect of infosec?
MacMillan: There are so many ways to apply controls based on your assets. When you start to account for the different variables inside information security represented by the confidentiality, integrity and availability triad, it makes choosing the right control complex. In the book, I help people understand that choosing a control should give you peace of mind. If you follow a risk-based approach, it should reduce the level of risk for the specific thing you want to mitigate.
How can the process of choosing and implementing controls be simplified?
MacMillan: Following a risk-based approach will help. It’s why the book’s first chapter is about risk. Successful infosec professionals can identify the combined impact and likelihood of a threat exploiting a vulnerability in an asset. Infosec pros must combine those two concepts, create a score based on the level of risk and then figure out how to reduce the score. They need to take a more quantitative rather than qualitative approach.
Why is risk management becoming more prominent today?
MacMillan: Risk management has been a part of businesses for a long time, but now, cybersecurity and IT have become ubiquitous. IT has formed the backbone of digital communication, payment systems, the way our traffic moves around a city and the way water or electricity is distributed throughout a country. All these resources rely on IT. So, applying the appropriate risk management principles — as already seen in high-impact industries — makes a lot of sense.
In Chapter 2, you also mention ‘continuous improvement.’ What are some tips to help infosec pros achieve this mindset?
MacMillan: It’s a matter of measuring yourself and your organization on a continuous basis. The principles of continuous improvement stem from requirements, regulations and frameworks. ISO 27001, for example, is a certification that proves a company’s information security management system fits the purpose of their organization. To maintain certification, companies must commit to continual improvement.
ISO 27001 auditors might ask to see evidence of continual improvement. They’ll ask to see audits from previous years and check if problem areas were improved. It’s not something that should be looked at a few days before an audit but rather on a continual, scheduled basis.
In reality, a lot of organizations will fudge the numbers, or they handle it like a box-ticking exercise. I think that will disappear over time as auditors become savvier and threats become more sophisticated.
I hope infosec professionals — all the way up to the C-level — start to recognize that continuous improvement is important. I’m not sure it’s at the heart of information security just yet. Fifteen years ago, there were huge organizations without security employees. Cybersecurity controls are becoming more important as the battlefield increases.
About the author
Joseph MacMillan is a global black belt for cybersecurity at Microsoft. Most of his work revolves around helping businesses achieve their goals in a secure manner by removing any ambiguity surrounding risk. MacMillan holds various certifications, including CISSP, Certified Cloud Security Professional, Certified Information Systems Auditor, Certified Secure Software Lifecycle Professional, AlienVault Certified Security Engineer and ISO 27001 Certified Information Security Management System Lead Auditor.