10 Commandments for Operating Security Programs

I was recently invited to present to security and IT leaders at a vendor’s gathering of small early-stage biotechs. I packaged up a deck with the anatomy of an attack, the NIST CSF process for defense, and our operating model for running a security program, including measures I saw as basic table stakes (anti-malware, email protection, MFA, laptop encryption, patched laptops, and social engineering training).

To wrap up, I thought I’d summarize the Ten Commandments for Running Security Programs, which you may find useful or entertaining.

1. Thou shalt guide thine actions by the light of diligent risk assessments.

Your security program must be designed to manage your organization’s risks down to the risk appetite of management. If you don’t understand your risks, how can you make choices in your practices and technologies without wasting money?

2. Deceive yourself not in the false grandeur of a qualitative heat map, for the truth be found in the numbers.

My routine incident may be your disaster. Who defines what “high” means? Qualitative methods suffer from calibration and quantization problems. Studying quantitative methods like FAIR is more work, but it brings management assessments they understand and have confidence in.
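As an added illustration of commandments 1 and 2 (this is example code written for this page, not from the original post or from the FAIR standard itself): a small FAIR-style Monte Carlo that turns calibrated min/most-likely/max estimates of loss event frequency and loss magnitude into an annual loss distribution, reports the probability of exceeding management's risk appetite, and then shows why two analysts' "heat map" ratings of the same number disagree. The scenario values, the two analysts' thresholds and the one-million-dollar appetite are constructed assumptions, not figures from the post.

```python
"""FAIR-style Monte Carlo estimate of annualized loss (added example, stdlib only)."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    # Loss event frequency per year: calibrated (min, most likely, max) estimate.
    freq_min: float
    freq_mode: float
    freq_max: float
    # Loss magnitude per event in dollars: calibrated (min, most likely, max) estimate.
    loss_min: float
    loss_mode: float
    loss_max: float


# Constructed scenario: numbers are illustrative, not from any real assessment.
RANSOMWARE = Scenario("ransomware via phished workstation",
                      freq_min=0.5, freq_mode=2.0, freq_max=6.0,
                      loss_min=20_000, loss_mode=100_000, loss_max=500_000)

# Constructed "heat map" thresholds of two hypothetical analysts: a value is
# rated with the first label whose upper bound it does not exceed, else "High".
ANALYST_A = [("Low", 100_000), ("Medium", 1_000_000)]
ANALYST_B = [("Low", 50_000), ("Medium", 250_000)]


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one simulated year (Knuth's multiplication method)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, trials: int = 10_000, seed: int = 42) -> list[float]:
    """One simulated year per trial: draw a frequency, draw that many events, sum their losses."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    losses = []
    for _ in range(trials):
        lam = rng.triangular(s.freq_min, s.freq_max, s.freq_mode)
        events = poisson(rng, lam)
        year_loss = sum(rng.triangular(s.loss_min, s.loss_max, s.loss_mode) for _ in range(events))
        losses.append(year_loss)
    return losses


def percentile(values: list[float], q: float) -> float:
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def summarize(losses: list[float], appetite: float) -> dict:
    """Numbers management can act on: expected loss, spread, and chance of breaching appetite."""
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "p10": percentile(losses, 0.10),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "prob_exceeds_appetite": sum(1 for loss in losses if loss > appetite) / len(losses),
    }


def qualitative_rating(value: float, thresholds: list[tuple[str, float]]) -> str:
    """Map a dollar figure onto an analyst's personal Low/Medium/High scale."""
    for label, upper in thresholds:
        if value <= upper:
            return label
    return "High"


if __name__ == "__main__":
    stats = summarize(simulate_annual_losses(RANSOMWARE), appetite=1_000_000)
    for key, value in stats.items():
        print(f"{key:>24}: {value:,.2f}")
    eal = stats["expected_annual_loss"]
    # Same number, two calibrations: this is the "who defines high?" problem.
    print("analyst A rates it:", qualitative_rating(eal, ANALYST_A))
    print("analyst B rates it:", qualitative_rating(eal, ANALYST_B))
```

The expected annual loss is just mean frequency times mean magnitude, but the p90 and the probability of exceeding the appetite are what let management decide whether a control whose cost you know is worth buying; a single coloured cell on a heat map cannot answer that question, and the two rating lines show that it does not even answer it consistently.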

3. Thou shalt implement the table stakes. Failure to do so will anger the gods!

See above for the table stakes. These are practices that virtually every security program needs. Omitting any of these in your program leaves open some well-known attack vector.

4. Be not so naïve as to believe the pestilence of penetration shall pass over thee.

There are two kinds of companies – those that have been penetrated and those that don’t know it. It’s a cliché for a good reason.

5. Thou shalt prepare for pestilence response diligently, lest ye be tested severely in the dark of night.

The worst time to shop for a fire extinguisher is when the house starts burning. You must have an incident response plan that covers both technical response and management response, and you must have tested it – at least with a tabletop exercise. You don’t want to invent this process Saturday at midnight. (Hackers don’t work 9-5.)

6. Thou shalt not covet thy vendor’s technology.

Technology can be dazzling, achieving what no human can in securing your assets. But acquiring technology just because a colleague uses it or because a demo was persuasive will leave you with a cool power saw, a slick nail gun, and a laser level, with no idea how to build a house. And it’s expensive.

7. Thou shalt honor the good process and clothe your technology in it.

Know how to detect anomalous events, analyze them to detect an incident, contain and eradicate attacks, restore services, and have a repeatable process in mind, if not written down. Know all this, even if you can’t do it manually at volume. Then, you’ll know how to use the technology effectively. See my blog on process, technology, and playing with shiny objects.

8. Thou shalt educate your flock, for the ignorant shall fall, and the knowing shall be your strength.

More than half of cyber attacks start with a social engineering exploit – phishing, vishing (voice phishing/pretexting), smishing (SMS phishing), QR code phishing, and similar exploits. While it’s something of a cliché, strengthen your human firewalls and measure their resistance to social engineering.

And speaking of “the knowing,” keep training your security analysts on the latest exploits and methods, and train your developers on secure development practices.

9. Thou shalt be a pillar for the business.

Information security should enable business, not obstruct it. Find ways to enable business with your company’s customers. Look for ways to avoid saying “no.” Help your vendors reduce risks – don’t just raise obstacles.

10. Speak simply of risks to thine executives, or they shall ignore thee.

Executives like simple and clear messages, and the language they understand is risk (see commandment #2). Slides laden with technobabble and meaningless metrics will only make their eyes glaze over. And while you’re presenting program status and risks, don’t forget to ask for something – funding for risk reduction efforts, or even a decision.

If you have any questions about any of this, please contact Newbridge Cyber & Rick.