Archive 6 min read

Keep Decisions Up To Date

Decisions are hard enough that you don't want to have to revisit them constantly. But that's exactly what is required in the realm of cybersecurity. Do you have a system in place to review decisions? Are you recording the right information to update those decisions when the time come

Keep Decisions Up To Date

Watch this episode on YouTube.

Reasonably Accurate 馃馃 Transcript

Morning everybody. How are you doing today? So for as long as I can remember, I have loved playing the game of basketball. It's been a sport that's been a constant part of my life for decades. Um And I still play in a regular, um, casual league, but as I have gotten older, much, much older and the league has stayed young, young, young.

Uh I've seen things change and I've seen how I've had to adapt in order to stay competitive or at least that last little squeak grain of competitiveness to try to keep up. And I thought that was a really interesting parallel as I sit here extremely sore from playing in the league last night.

Um, because I see this with security teams all the time. No, not that they're out playing basketball though. That would be great. Physical fitness is really important, especially for jobs that are high stress like cybersecurity. Um But what I see the parallel is, um is that people make decisions and way of approaching a problem and they don't necessarily revisit that as the landscape changes around them.

So, back to my personal example, the way I played the game when I was at the age of, most of the league is completely different from how I have to play the game. Now that I'm older, slower fatter out of shape. Um, and just generally, you know, the old guy on the court, the game has to change for me.

Otherwise I just would not be able to keep up even remotely. And that's very true. In cybersecurity. We see that all the time where people will make a decision and they kind of consider it done. But the landscape of technology, the landscape of cybersecurity of the threats we face and the vulnerabilities we're trying to address that's changing.

Absolutely constantly did a calculation a few months ago for a talk and uh I think it ended up being, we see a new piece of malware every 0.3 seconds. That is an insanely rapid rate of change as a security professional, the worst thing you can do.

And this is unfortunately something that I see absolutely all the time as security teams is essentially consider a decision made and done and then not revisit it constantly. Now, I'm not saying you should question yourself nonstop. But when you set down a policy or when you set down a way of doing something within a team, you say, OK, this is how we have to harden our images.

Um you know, especially moving into the cloud. This is what we're gonna do. This is how we're going to lock down the operating system, but then new features come out in your cloud provider and go well, wait a minute. Does that change the risk assessment?

Does that change how we can meet our security goals? What even were our security goals? And that's really the biggest challenge is that when people make a decision, they very rarely record why they made that decision and the constraints under which they made that decision, right?

So you're working on the information you have at hand, you're trying to make the best decision you can based on ABC D and all the things that you know about, but you don't record that information, you just record that final decision and I get it, it's easier to do.

You just say, ok, this is what we feel, you know, everybody's password must be eight characters or longer with, you know, mixed case blah, blah, blah, all the old password guidance, but nobody knew why nobody actually had recorded. Why you're doing that? Why was our password guidance for years that way?

Even though when you look at it, you know, and we know now with the updating this guidelines that that was incorrect guidance. But if we had recorded the reasons why you had made that decision as a security team, you revisit it and said, well, wait a minute, we're making that decision because um people can't remember passwords longer than that.

Well, the advent and easy availability of a password manager changes that constraint or if you say, well, we do that because active directory or open LDA or whatever you're using to authenticate people didn't support passwords that were of a certain length or a certain complexity while a new version comes out.

And they do, if you don't know why you made that decision, you can't make an adjustment to ensure that you're still meeting your security outcomes. And that's where most people and most security teams sort of fall down is that they are not adjusting to adapt to the current landscape because they don't understand why they had made decisions in the first place at the point of decision.

They understand why, but they lose that record over time. So it's not quite, oh, that's the way we've always done it. It's just simply a sort of a mental assumption that something is done. It's a fit a compli you don't have to worry about it anymore and nothing could be further than the truth.

Cybersecurity is a rapidly changing dynamic domain. And in order to keep up, you need to constantly be updating your decisions, your policies, your approach to different things. So here's my, here's my concrete recommendation. I don't do that often, I think maybe often enough on mornings with Mark.

So I'm going to give you a concrete recommendation if you're on a cybersecurity team or even if you're in a development team, if you're in anything in it, what's a really good practice is when you make a decision, jot down the notes on your own, you know, in a wiki internally or in a note, shared note folder somewhere, but jot down the constraints and the environment and the reasoning and the goal behind that decision.

So if we go back to our crossword example, and we say, you know, let's put yourself back 10 years and we go, we're going to provide this type of uh password guidance. We're gonna say at least eight characters, mixed case and change it every 90 days because based on current computing rates, that password will take, you know, at least two weeks to crack because our current LDAP provider will only allow us to go up to 16 characters.

Because based on the latest, you know, systems layout, our users need to remember 18 different path words. Then you put a timer on that every three months, go back and revisit it will take you two minutes. Have these constraints changed? Well, no, we still have that version of LDA.

No, we uh you know, computing power hasn't significantly changed. No password managers are still not a thing. Ok. Come back in three months. Hey, wait a minute, passwords came, password managers are easily available. We have a site license. Well, now we can start to get a little more complex.

Right? Great. But we still have these other two constraints. LDA still doesn't support it, blah, blah, blah. That's how you keep those decisions fresh. That's how you keep re evaluating because you need to record those constraints, the reasoning why and the goal that you're trying to achieve when you make that decision, if you can do that, you're gonna be way further ahead in the game as opposed to turning around and just going, you know, four years later going.

Well, I don't know, that's why we always told them. Um, I'm sure there was something lost to the sands of time. Um But, you know, that's not effective, what's effective is recording those constraints, um recording the a desired outcome. Um And saying, you know, this is the best decision we had based on the existing constraints to reach our desired outcome.

If something changes, you know, you should update that guidance. Simple, absolutely simple. Um Just takes, you know, some calendar reminders, a place to record notes around decisions and you will be so, so much further ahead. Um You might even keep up with some of the younger folks have a great day.

Um Hit me up online at Mark NC A uh in the comments down below and as always for the podcast listeners and everybody else by email me at Mark N dot C A. How do you keep decisions up to date? How do you remember what your goals were your constraints around the time you made that decision?

Do you, you think this is along the right track? Do you like that? Solution. Very simply, just, you know, recording that all down and putting a timer on it. And do you have something better, uh, share with the group, uh, we can all get better through this because we're putting the effort in to make these decisions in the first place.

It's, uh on us to make sure that they're always current and up to date. Have a good one.

Read next