Today saw an infographic fly across my LinkedIn news feed: 10 Steps To Cyber Security. Only 10? To achieve Cyber Security, not just the top steps? Sweet! To be fair, these are less steps than entire spheres to address, with multiple controls and initiatives in each one. But is anything missing? Just having 10 steps still seems awfully light.
Backups. No mention of backups, and I think every security strategy should have backups as step 0.
Data. None of the 10 steps given have anything to do with data. I imagine someone could say evaluating your data is part of the central risk strategies, but I don’t buy that. Know and secure the data that is important to your business. That should be a standalone strategy bubble.
Segmentation. I don’t really see anything that would pull in secure configuration of networks, namely segmentation. Sure, it’s more of a control, but I think it’s important enough to be up with these other 10 items. (Network Security may cover this, but I think it’s too easy to just read this item as perimeter only.)
Software. I was hoping to see Secure Configuration include software on systems, but really it’s not there, and no other item really gets into this.
Software Development. This is really close to software, but it has less to do with software installed on systems and more to do with software developed in house. While the items could read similarly, the approaches are done by entirely different teams with different projects.
Is there a list that includes these items and the ones in the above link? Actually yes, but it’s 20 controls, not 10 steps: The CIS Top 20 Security Controls list. Wow, that sounds like a marketing pitch…