Bad Practices

By: Eric Goldstein, Executive Assistant Director, Cybersecurity and Infrastructure Security Agency

Cybersecurity professionals, including our expert team at CISA, often focus on promoting best practices: the necessary steps that organizations must take to secure their enterprises. It is equally important for organizations to focus on stopping bad practices: risky, dangerous technology practices that are too often accepted because of competing priorities, lack of incentives, or resource limitations that preclude sound risk management decisions but result in untenable risks to our national security, economy, critical infrastructure, and public safety. Leaders at all organizations, and particularly those that support National Critical Functions, should engage in urgent conversations to address technology bad practices.

There is certainly no lack of standards, practices, control catalogs, and guidelines available to improve an organization’s cybersecurity. While this body of guidance is invaluable, the sheer breadth of recommendations can often be daunting for leaders and risk managers. Given the risk facing our nation’s critical infrastructure, as reflected by recent incidents, additional perspective is needed. Putting an end to the most egregious risks requires organizations to make a concerted effort to stop bad practices.

The principle of “focus on the critical few” is a fundamental element of risk management. Based on the understanding that organizations have limited resources to identify and mitigate all risks, it should also be an essential element of every organization’s strategic approach to security. Addressing bad practices is not a substitute for implementing best practices, but it provides a rubric for prioritization and a helpful answer to the question of “what to do first.”

Check out CISA’s current catalog of Bad Practices, which will be updated over time based on feedback from risk managers and cybersecurity professionals.