When you enter the Information Security world, the first thing that hits you is the overwhelming number of rules, guides, regulations, prescriptions, best practices and evangelists. At the end of the day, you start thinking based on what others are saying, prescribing or doing.
Then you ask yourself: "Do I need to think anymore? Do I need to build anything new? Don't I just need to follow all the guidance, regulations, prescriptions and checklists that are out there without thinking?"
Of course the answer is NO. But frankly, we have all found ourselves answering YES to these questions because of factors we sometimes cannot control! I am talking of factors like:
- time allotted to complete a project
- management pressure on some issue they read in the papers or watched in the news that generates questions like: "What are we doing about this? Are we exposed? ..."
- strict regulation (that does not make sense in your context)
That is when we need to take a break and return to Common Sense!
We need to try as much as possible to answer NO and apply the rules of common sense to see how best to address a situation. Yes, we do have lots of guidance, and yes, our leaders want us to respect all of it to the letter. But at the end of the day we sometimes appear stupid and ask ourselves how we got to this solution. Unfortunately, time and money have already been consumed and you have to report to management with tangible facts!
Common sense should be our first source for any solution. We need to look at any situation with our "simple eyes" and start applying any prescription or regulation only once we are sure common sense has spoken! Of course, you may have lots of convincing to do in some cases, but the end result will be positive and will confirm the necessity of using common sense FIRST! By "simple eyes", I mean:
- clearly define the context and scope
- take out any complexity
- take out any part you cannot control
- partition the situation into small manageable portions
- be realistic on the communicated ETA
Let's look at a simple case to illustrate the context point.
Generally, our task starts with an assessment of the situation (current state), and we usually have a tendency to criticize the situation, mostly when we were not the ones who built the system. We start saying things like: "How did they build such a poor system? I would never do it this way!" This is the point where we need to consult common sense for some real guidance before starting to run through our checklist. This is what common sense tells us: "Look at the context and the defined scope at the time this system was built before criticizing anyone and giving the wrong impression!" When you dig out the context, you will find most of the time that there were very good reasons the system was built that way! Remember, defining the context is the first step of any root cause analysis. Now your duty is to rebuild it with the current context (tools available, new regulations, new processes ...) and, of course, to apply common sense when using these tools.
So, before you start looking at the "checklist" and applying well-defined processes, knock at the door of common sense first. You will be amazed how much simpler everything appears to implement after that! Common sense always gives you a clear picture with practical solutions!
Terrific article. Transitioning my career from book knowledge to actual practical application came when I learned to identify the distinction between acceptable risk and unacceptable risk.
The challenge here is the definition of common sense. Your common sense probably doesn't equal my common sense, or the common sense of a person in the marketing department running their own little data center on unsecured PCs they bought themselves.
You know what they say about assuming (about another's "common sense") 🙂
If you want common sense, stay away from organizations subject to the strict regulation of the US government's risk management framework. A bit closer to common sense is the Center for Internet Security controls (formerly SANS 20 Critical Security Controls). This way you can establish an appropriate level of risk management (round peg) without having to pound it into USG-think (round hole) and without having to respond to a lot of controls that have nothing to do with your mission.
Check out the NIST Cybersecurity Framework, first released in 2014. It incorporates the CSC Top 20. NIST released a Baldrige cybersecurity excellence framework in 2017 that is advertised to be even simpler.