tmekelburg1
Community Champion

Upstream Thinking

"Imagine you and a friend are enjoying a picnic when suddenly you hear a scream. A child is drowning. The two of you dive into the river and save the child. No sooner do you swim ashore than the sounds of another drowning child summon you both back. After rescuing that child, you hear the screams of another child and another, all being swept downstream by the river. You are surprised to see your friend leave. “Where are you going?” you ask. He answers, “I’m going upstream to tackle the guy who’s throwing all these kids in the water.”

         -Parable from Dan Heath's book 'Upstream: The Quest to Solve Problems Before They Happen'

 

What upstream cybersecurity issues would you change to make your job easier if you had a magic wand? Upstream in this context would be issues your organization can't fix internally because the problem is industry-wide.

2 Replies
denbesten
Community Champion

Buggy/Incompatible patches that have resulted in a culture of patch-hesitancy.

 

Charging for "security" updates, either by requiring a maintenance contract or by not patching older versions so as to force one to purchase a software upgrade.

 

Out-of-box configurations that don't pass the vendor's own "security audit recommendations".

tmekelburg1
Community Champion


@denbesten wrote:

Buggy/Incompatible patches that have resulted in a culture of patch-hesitancy.


Definitely agree with this one, and we could take this a step further back as well, to when software companies develop the original product, by shifting security further left in the SDLC. More accountability within the software company itself, or by regulation, would be key here.

 


Charging for "security" updates, either by requiring a maintenance contract or by not patching older versions so as to force one to purchase a software upgrade.


I'm torn on patching older versions, though, because I've experienced some orgs that wait way too long before they upgrade their infrastructure or devices. Yeah, the saying goes "if it's not broke, don't fix it," but at the same time there could be a newer technology that may end up saving time and money in the long run. I think if they have a planned road map for EOL, it's acceptable to say we won't support that product anymore.

 


Out-of-box configurations that don't pass the vendor's own "security audit recommendations".


I feel like there's a back story here? You start to get a lot of blank stares from sales staff when inquiring about the efficacy of the product or service. This is where I think the third-party product testing conducted by MITRE would be beneficial for us all.

 

ATT&CK® EVALUATIONS (mitre-engenuity.org)