When it comes to evaluating security choices, analysis paralysis can be a real thing, especially when the need for a new capability or solution must “confront” the rationale around the need to secure it.
If you run a business and you are not sure why you should secure (and maintain the security of) your new business application / identity system / service / network etc. then getting answers from your IT partner as to how you should do this may help you feel in control. It can also be a reason to forfeit the project altogether.
Instead of focusing on the “process”, what you need is a strategy that provides a simple answer to a simple question:
Question: “What are we doing?”
Answer: “We are protecting ourselves from the bad guys.”
Evaluating security choices
When it comes to evaluating security choices, there are tonnes of options available. You can protect and secure your systems using automation, or a set of processes or policies which serve a compliance or framework requirement.
You can choose Zero Trust or Targeted Trust, or adopt tools that eliminate blind spots and improve detection. Real-time monitoring and up-to-date reporting (aka Microsoft’s business intelligence platform, Power BI) can help, or you can employ a “hawk-eye” team of SecOps who work on playbooks and ensure your posture is in line 24/7.
Whichever way this is accomplished does not matter anywhere near as much as the cost of an attack.
Your cyber security should make a cyber attacker’s job painful
Our job in cyber security all comes down to understanding cyber attackers and their tools well enough that we know how to make their job incredibly difficult.
It is about getting them in a position where they need to invest time, money, and grey matter to achieve the same results they would be otherwise able to achieve easily in seconds and without cost if adequate security controls were not in place. It is about making the cost of attacking higher than the potential pay-off, so that they simply do not bother targeting your business at all.
Limiting the Threat Actor audience targeting you is one of the many pieces of the puzzle that needs to be taken care of. If it costs a lot of effort, an attacker will just go for the next victim.
With so many organisations out there still not having implemented MFA* (97% according to CoreView), or not implementing Conditional Access in line with best practice (which honestly should not be used as a buzzword by consultants out there), your secured business systems are simply not worth the trouble to an attacker.
Overcoming analysis paralysis when evaluating security choices
848 has a team of experts in cyber security and a mature modern workplace and security practice to support you. We can help you with evaluating security choices and choosing the right option for your business systems.
Kay is a senior solutions architect specialising in cybersecurity, information protection and governance, identity and access management and zero-trust architecture. He has a long list of accreditations and over 15 years of experience in designing, securing, and scaling cloud-first solutions. In his free time, he uses his knowledge to share information that supports stronger security practices.