By Elliot Dellys
From military strategy to the law of parsimony, history has shown us that an approach that makes the fewest assumptions is often an effective one. This philosophy was at the core of ASD’s Top 4 Strategies to Mitigate Targeted Cyber Intrusions, which were collectively assessed as capable of mitigating 85% of identified intrusion techniques. So, why is it that so many organisations find implementing its successor, the Essential Eight , challenging today?
Frederick the Great once told his generals that “He who defends everything defends nothing”. While military history has always been a fertile breeding ground for information security clichés, it is not without reason. Even some foundational concepts, such as defence-in-depth, have their roots in the military formations of the Red Army, Wehrmacht, or Roman legions. Yet our inability to pick our information security battles can be as lamentable as our fixation with war and conflict. Organisations lacking information classification or asset inventories spend millions on Data Loss Prevention solutions without knowing what they need to protect or where they need to deploy it. Others conduct penetration tests against infrastructure that is known to have not been patched for months or even years. In some cases, working groups are created to discuss low severity vulnerabilities, while administrator accounts with weak passwords are littered throughout the environment. Much like a Prussian king, security resources are in short supply, yet there are a multitude of plausible threats to defend against; so how do you prioritise?…Click here to read full article.
