Frankly Speaking 8/16/22 -- Access is the biggest threat

Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

I read an interesting article on being tired from the front page of Hacker News. It resonated with me as life starts to converge on a new normal, and we adjust accordingly. What helped me during my PhD was taking breaks, but it’s not just about the total number of days off. It’s important to take high-quality breaks, i.e. taking a week off is different than taking 5 individual days off. However, different techniques work for different people, so find what works best for you!

LET’S BE FRANK

Whenever people approach me for cybersecurity advice, they always ask how to start thinking about security. Should they buy a bunch of tools? Should they hire an MSSP? What are the first things to worry about? I try my best to understand their situation and guide them in the right direction because there isn’t a “universal” answer. Unfortunately, security is a complicated profession in this way. You could do all the right things and have an incident, but you could have no security and never have an incident. That’s the reality.

At the end of the day, security is like any other part of a product. It involves business risk. The job of the security team is to ensure they identify and mitigate risks, but it’s up to the executive team to decide how much risk they are willing to take on. So, what is the right amount of risk? That’s a hard question, and it’s hard to quantify and is business-dependent. I don’t want to delve too deep into this because it can be its own post.

With that said, what I tell almost everyone is that access control is the biggest threat surface. It’s important to get it right early and regularly monitor it. In this newsletter, I’m going to discuss the following:

• why access control is so important

• some tools and techniques to improve access control

I’m specifically going to talk about employee access, but many of the same lessons apply to access for customers and end users.

Why access control is important?