Archives for February 4, 2021

Your Cybersecurity Framework Is Overcomplicated – Here’s Why

Rarely in life is complicated better than simple. However, in advanced disciplines, there’s the misconception that complexity signals thoroughness or expertise. That’s where the world of cybersecurity lives. Most organizations thrive on complication. They believe it demonstrates sophistication.

Let’s be frank and honest — your cybersecurity framework is overcomplicated. Many use long “checklists” to prove they are experts when, in reality, few of those things matter.

Instead, organizations should focus on the top five CIS (Center for Internet Security) Controls®. In my book, The Smartest Person in the Room, I discuss why you need to toss out the lists and master these five controls. Most importantly, because they stop 85 percent of all cyber-attacks. Knowing this, doesn’t it make sense that they should be the priority? Until you have these five controls in place, nothing much else matters.

Why Overcomplication of the Cybersecurity Framework Is Rampant

If you put credence into the CIS and its expertise, why would so many cybersecurity professionals go off-script? Well, it has a lot to do with the challenges covered in my book about the degradation of the industry. The truth is that cybersecurity professionals are the reason cybersecurity methods are failing. Their actions lead to unnecessary complexity and ignorance of the basic principles.

The people problem, and why they cling to their massive lists, comes down to a few key areas. It starts with the paper tigers, professionals with lots of certifications or degrees that look good on paper. However, these paper tigers don’t have the skillset to perform effectively and protect your data and networks.

These paper tigers, or others who have experience but don’t continue to learn and stay open, often bring these traits to your team.

  • Insecurity: They never want to be wrong. They live to be right. It’s important for them to look like the superior one on the topic, so they manipulate the cybersecurity framework to prove their worth, often at the detriment of the business.
  • Fear: These individuals are afraid to look like they don’t have all the answers. They never ask questions or invite discussion. They live in constant fear that others will discover their ineptitude.
  • Defensiveness: Fearful people are also defensive. Their listening skills devolve into what they can agree or disagree with, meaning they don’t hear much at all. They care too much about being the smartest one; they’ll react negatively to anyone questioning that.
  • Posturing: People who are insecure, afraid, and defensive use posturing like it’s their job. Their posture is to develop a complex cybersecurity framework, and then they hide behind it.
  • Poor communication: Technical folks live with the stereotype they are bad communicators. This isn’t always true, but in the scope of this discussion, paper tigers with the above traits do not excel at communication. They love jargon and buzzwords that make them sound smart.

How Did the Industry Get Here?

As noted earlier, over-certification has been a big driver. Paper tigers also continue to water down a cybersecurity team by hiring those who don’t intimidate them. Entire teams or firms could be paper tigers, and they’ll hold dear to their long, complex lists. It’s their safeguard. And it’s junk.

What they should care about are the basics:

  • What does the company do?
  • What do they need to protect?
  • What’s important to the business?

The responses to these questions are the foundation for building a cybersecurity approach. Without this information, you can’t understand the risk or create a personalized strategy. Instead of keeping it simple, paper tigers just refer to their checklist.

Ditch the Checklist, Focus on the Five

If any organizational leader is reading this, I urge you to ditch your checklist immediately. It’s not providing value. It’s a front. Instead, it’s time to get back to the basics and truly execute consistently on the five CIS controls.

Control One: Inventory of Authorized and Unauthorized Devices

This control represents hardware inventory. You need to manage all hardware devices on your network actively. Management includes:

  • Inventorying
  • Tracking
  • Correcting

These activities are necessary to ensure that any unauthorized devices do not gain access to the network. This is an essential control because hackers are always scanning and waiting for an unprotected system to enter your network. They are eager to find devices that connect and disconnect from the network, most commonly BYOD (bring your own device).

If BYOD is prevalent on your network, your IT team may not have administrative control of that hardware. It could be lacking essential updates or patches, which a threat actor will exploit. BYOD is a challenge for large enterprises, but you need to get this under control.

The best approach is to use an active discovery tool to identify and update authorized devices. You also need an accurate inventory of assets, including those not connected to the network.

Control Two: Inventory of Authorized and Unauthorized Software

On the other side of IT is software, and you need to manage it just as you do hardware. Your network needs to prevent any unauthorized software from being downloaded. Hackers love to get in through software failures. There are plenty of cybersecurity incidents that started with software exploitation. If unauthorized software makes it into your network, hackers can install backdoor programs easily. If you don’t know what software is on your network, how can you protect it?

Management of software requires software inventory tools for automation. Another best practice is whitelisting (allowlisting) approved software. This control point is also vital in planning for incident response, backup, and recovery.
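Controls One and Two both come down to the same routine: compare what is actually present (what the discovery tool sees on the wire, what is installed on each host) against what you have authorized, and act on the differences. The script below is an added example, not code from the article or from CIS; every device, MAC address, package and hostname in it is constructed sample data, and the discovery-tool output format is an assumption. It reports devices that are on the network but not in inventory, authorized devices that discovery did not see (still part of the asset inventory, as the article notes), hostname mismatches, and installed packages that are not on the approved list.

```python
"""Added example (not from the article): reconcile active-discovery results and
installed-software reports against authorized inventories. All data here is
constructed sample input; real tools would feed these structures instead."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Authorized hardware inventory (constructed), keyed by lowercase MAC address.
# It deliberately includes a laptop that is currently offline: the inventory
# must cover assets that are not connected right now, too.
AUTHORIZED_DEVICES: Dict[str, dict] = {
    "00:11:22:33:44:01": {"hostname": "fileserver01", "owner": "IT", "type": "server"},
    "00:11:22:33:44:02": {"hostname": "ws-accounting-07", "owner": "Finance", "type": "workstation"},
    "00:11:22:33:44:03": {"hostname": "ws-legal-02", "owner": "Legal", "type": "laptop"},
}

# What a hypothetical active discovery tool reported on the network (constructed).
DISCOVERED_DEVICES: List[dict] = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.0.5", "hostname": "fileserver01"},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.0.23", "hostname": "ws-accounting-07"},
    {"mac": "a4:c3:f0:12:34:56", "ip": "10.0.0.77", "hostname": "Johns-iPhone"},  # BYOD, never inventoried
]

# Approved software (constructed), as (package name, version) pairs.
APPROVED_SOFTWARE: Set[Tuple[str, str]] = {
    ("openssh-server", "8.9p1"),
    ("libreoffice", "7.3.7"),
}

# Installed-software report per host (constructed).
INSTALLED_SOFTWARE: Dict[str, List[Tuple[str, str]]] = {
    "fileserver01": [("openssh-server", "8.9p1")],
    "ws-accounting-07": [("libreoffice", "7.3.7"), ("anydesk", "7.1.8")],  # remote-access tool nobody approved
}


@dataclass
class HardwareReport:
    unauthorized: List[dict]       # answering on the network but absent from the inventory
    offline: List[str]             # in the inventory but not seen by discovery
    hostname_mismatch: List[dict]  # inventory and device disagree on the name


def reconcile_hardware(authorized: Dict[str, dict], discovered: List[dict]) -> HardwareReport:
    """Set-difference the discovery results against the authorized inventory."""
    seen = {d["mac"].lower(): d for d in discovered}  # normalize MAC case before comparing
    unauthorized = [d for mac, d in seen.items() if mac not in authorized]
    offline = [rec["hostname"] for mac, rec in authorized.items() if mac not in seen]
    mismatch = [
        d for mac, d in seen.items()
        if mac in authorized and authorized[mac]["hostname"] != d["hostname"]
    ]
    return HardwareReport(unauthorized, offline, mismatch)


def reconcile_software(approved: Set[Tuple[str, str]],
                       installed: Dict[str, List[Tuple[str, str]]]) -> Dict[str, List[Tuple[str, str]]]:
    """Return {hostname: [unapproved (name, version), ...]} for hosts with findings only."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for host, packages in installed.items():
        bad = [pkg for pkg in packages if pkg not in approved]
        if bad:
            findings[host] = bad
    return findings


if __name__ == "__main__":
    hw = reconcile_hardware(AUTHORIZED_DEVICES, DISCOVERED_DEVICES)
    print("Unauthorized devices:", [d["hostname"] for d in hw.unauthorized])
    print("Authorized but offline:", hw.offline)
    print("Hostname mismatches:", hw.hostname_mismatch)
    print("Unapproved software:", reconcile_software(APPROVED_SOFTWARE, INSTALLED_SOFTWARE))
```

Matching on a version pair rather than on the package name alone is deliberate: an approved product at an unapproved version is exactly the kind of finding Control Four later expects you to remediate.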

Control Three: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

For all hardware and software, you need to manage the security configurations constantly. It involves a robust change control process. The default settings for most hardware and software are for ease of use, not for protecting a network.

You can’t leave them at default! It’s crucial to develop a configuration strategy that reduces risk and allows people to do their job. It’s a balancing act. And that strategy can’t stay stagnant either. It requires frequent evaluation and adjusting. A Security Content Automation Protocol (SCAP) configuration is a good guide for monitoring and verifying.
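The "don't leave them at default" rule is only enforceable if something checks hosts against a written baseline and reports drift. The snippet below is an added example, not the article's or any SCAP tool's code: it defines a small baseline of required settings and checks a service configuration file against it, treating a commented-out (unset) setting as not satisfied. The baseline items and the sample configuration are constructed; the `Key value` file format mirrors sshd_config because its stock settings illustrate defaults chosen for convenience.

```python
"""Added example (not from the article): verify a host configuration against a
security baseline and report drift. Baseline and sample config are constructed."""
import re
from typing import Dict, List, Tuple

# Required settings (constructed). Each key must equal the expected value.
BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# A configuration left at install-time defaults (constructed sample).
SAMPLE_CONFIG = """\
# constructed sshd_config excerpt; nothing here has been hardened
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding yes
"""


def parse_kv_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines. Blank and '#' lines are skipped, so a commented-out
    setting is reported as unset rather than mistaken for an active one."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)\s+(.+?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check_baseline(config_text: str, baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (key, expected, actual) for every baseline item the config fails.
    An unset key is reported as '<unset>': the tool must not assume the default is safe."""
    actual = parse_kv_config(config_text)
    findings = []
    for key, expected in baseline.items():
        got = actual.get(key, "<unset>")
        if got.lower() != expected.lower():
            findings.append((key, expected, got))
    return findings


if __name__ == "__main__":
    for key, expected, got in check_baseline(SAMPLE_CONFIG, BASELINE):
        print(f"DRIFT {key}: expected {expected!r}, found {got!r}")
```

Run on a schedule, the same check doubles as the "frequent evaluation" the article calls for: a baseline item that quietly reverts after an upgrade shows up as drift instead of waiting for an attacker to notice it.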

Control Four: Continuous Vulnerability Assessment and Remediation

Cybersecurity is ever-changing, and hackers get smarter all the time. That’s why you must continuously assess vulnerabilities and remediate them quickly. New information is always streaming in, from software patches to security advisories. Your team needs to stay on top of this to identify vulnerabilities proactively.

Without constant scanning and assessments, your organization is in danger every day of an incident. To execute this well, use a SCAP-compliant scanner. You should also deploy automated software updates as soon as they are available.

Control Five: Controlled Use of Administrative Privileges

Who has access to your systems? Access is another component that attackers target to cause havoc. You’ll need a tool that allows you to track, control, and assign administrative privileges.

Uncontrolled administrative privileges are a hacker’s dream. They can get in with phishing tactics that get a user to click or download something that’s not safe. If that user has administrative privileges, the hacker can take over fast. They can also get in by cracking easy passwords for admin accounts. Things like this occur when lots of people have admin access with identical passwords.

The best way to protect against this is ensuring admin users have a dedicated account for these activities. It should not be used for anything other than admin functions. Additionally, set up logging and alerts for admin accounts being opened or closed.
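The logging-and-alerting part of this control is concrete enough to show. Below is an added example, not code from the article: it scans syslog-style account-management lines and raises an alert when an account is created, added to an administrative group, or deleted, while ignoring group changes that grant no admin rights. The log lines are constructed samples modeled on the messages Linux account tools emit, and the set of admin group names is an assumption to adjust per environment.

```python
"""Added example (not from the article): alert on privileged-account openings and
closures from syslog-style auth log lines. Log lines are constructed samples."""
import re
from typing import Dict, List, Set

# Groups whose membership confers admin rights (assumption; adjust per environment).
ADMIN_GROUPS: Set[str] = {"sudo", "wheel", "admin"}

# Constructed sample log: an account is created and made an admin, a user gets a
# non-admin group, a normal login happens, and an old account is removed.
SAMPLE_AUTH_LOG = """\
Feb  4 09:12:01 host1 useradd[2211]: new user: name=svc_backup, UID=1007, GID=1007, home=/var/backups, shell=/usr/sbin/nologin
Feb  4 09:12:44 host1 usermod[2230]: add 'svc_backup' to group 'sudo'
Feb  4 09:15:02 host1 sshd[2300]: Accepted publickey for alice from 10.0.0.12 port 51022 ssh2
Feb  4 17:40:19 host1 usermod[4102]: add 'bob' to group 'docker'
Feb  4 17:41:00 host1 userdel[4110]: delete user 'olduser'
"""

# One pattern per event kind; named groups carry the details into the alert.
PATTERNS: Dict[str, re.Pattern] = {
    "account_created": re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)"),
    "admin_group_granted": re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'"),
    "account_deleted": re.compile(r"userdel\[\d+\]: delete user '(?P<user>[^']+)'"),
}


def admin_change_alerts(log_text: str, admin_groups: Set[str] = ADMIN_GROUPS) -> List[Dict[str, str]]:
    """Return one alert dict per account opening, admin-group grant, or closure."""
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            if kind == "admin_group_granted" and m.group("group") not in admin_groups:
                break  # membership change that does not confer admin rights: no alert
            alerts.append({"kind": kind, **m.groupdict(), "line": line})
            break  # each line matches at most one event kind
    return alerts


if __name__ == "__main__":
    for alert in admin_change_alerts(SAMPLE_AUTH_LOG):
        print(f"ALERT {alert['kind']}: user={alert['user']}"
              + (f" group={alert['group']}" if "group" in alert else ""))
```

Every alert keeps the raw line, so the reviewer can confirm the event came from an approved change ticket; an admin grant with no matching ticket is the case this control exists to catch.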

These controls are not easy to implement and manage. They are continuous activities that a team has to control. Until an organization has these in good order, everything else is meaningless. It doesn’t matter how many items are on the “list” or how professional they sound. They are just words, and when you go by such a list, there is rarely a full and competent execution. Getting back to the basics is what really matters.

Simplify Your Cybersecurity Framework

The first step to simplify your cybersecurity framework is making sure your employees grasp the five CIS Controls. Do they have this foundational knowledge? Or are they posturing paper tigers? To master these controls, you need to get your people “in shape.” I go over this in detail and more in my book, The Smartest Person in the Room. Order it today to get your cybersecurity framework back on track.

The Truth About Cybersecurity Certifications

Almost every industry has certifications. Some carry more weight than others, but it’s clear there’s a trend of over-certification in cybersecurity. Most cybersecurity certifications aren’t hard to obtain and thus are not an illustration of someone’s expertise. The industry is creating many paper tigers — someone who claims to have knowledge but just passed a multiple-choice test to earn a certification.

The Certification Structure Is Failing Us

The explosion of paper tigers in the industry is setting businesses up for cybersecurity failure. The bar for earning certifications has become dangerously low. Equally concerning is that there are no specific regulations on training or hours for cybersecurity professionals. In contrast, skilled trades require a certain amount of training hours, apprenticeships, and more. That’s a problem because those who are in place to protect one of your company’s most valuable assets — your data — aren’t ready to be in that position.

Certifications Do Not Equal Quality Talent

For many years, the industry has been buzzing about the lack of talent; there weren’t enough cybersecurity professionals to feed the demand. With this alarming message, certifications in the field became like a golden ticket to employment. The industry needed an influx of talent. Unfortunately, certifications do not equal quality talent. IT leaders, however, believe that certifications bring value. They do at times, but it’s risky to put so much emphasis on a few letters.

They are merely Band-Aids placed on the problem of putting effective people into roles. Hiring demand was high, and certifications suddenly became what every hiring manager was seeking.

The proliferation of certifications is a cause-and-effect situation. Technology innovation and advancements required more professionals in the industry. Then there was a talent gap or a lack of people in the field. In turn, organizations promoted certifications that would give anyone a prosperous career path — except most certifications don’t test for knowledge, rubber-stamping individuals to increase the number of certified professionals. More education, however, isn’t the answer either.

College Degrees Don’t Solve the Talent Gap Either

The next logical answer to the talent gap is college degrees. Because surely, those graduating from university are prepared for the world. We know that’s not the case, as many graduates walk out into the real world and find themselves lost.

If every company required a four-year college education to get a job, there would be fewer candidates. But those candidates aren’t always going to be qualified. That’s because the university model has its own shortcomings, especially in the technology realm.

Think about how fast cybersecurity is changing. Every day, there are new attacks, each one more complex than before. It’s hard to capture all this movement in a textbook. How could a professor keep pace with this, especially one who’s not in the trenches? Frankly, there are very few capable professors with real-world experience. So, it’s all theory, and that’s what they teach. Theory very seldom equals reality.

Even applied sciences universities, which aim to be more practice-oriented, don’t adequately prepare students for a real job in cybersecurity. I was a cybersecurity professor at a university and attempted to bring practicality into the lessons. I framed my classes as real scenarios, leaving the books behind. I was trying to lead with practical knowledge, except the students complained and said it was too hard.

This experience proved to me that cybersecurity students wanted an academic degree, not a practical one. They either lacked passion or had no real understanding of what cybersecurity work really is. Maybe Hollywood movies about hacking influenced their field of study. And that portrayal of the industry is anything but realistic.

What I learned from this was that the university system, like the certification one, is broken. Higher learning is not preparing students for the day to day of cybersecurity careers.

Hiring Practices Need to Evolve, Too

The other part of the cybersecurity certification and degree problem is hiring practices. Certifications are given far too much gravity over having useful hard and soft skills. Industry experts are aware of the over-certification, giving little importance to those pieces of paper. However, mainstream corporate hiring managers still give credence to the fact that someone passed a test, for which they could have easily memorized the answers.

Applicants then quickly update their resume and soon land a job in cybersecurity. Cybersecurity teams then become overrun by paper tigers. These individuals don’t have the skillset or experience to face the many challenges of the cybersecurity war. They are up against a more sophisticated army of hackers with a much higher acumen than those on the front lines protecting your organization.

The cycle continues. These paper tigers then hire more unqualified people. A paper tiger isn’t going to bring on someone that knows more than they do because they need to be the smartest person in the room. So, yes, the bar’s that low.

A disruption to the cybersecurity certification system needs to occur. Companies can push back on the certification ecosystem by requiring that certifications be practical.

The Shift to Practical Cybersecurity Certifications

So, how do we turn things around and be real about certifications while also improving them? The first step is to emphasize practical certifications.

Even though I believe there is an over-certification issue in the field, and most are worthless, I’m not counting out all certifications. The training industry and the companies hiring cybersecurity professionals need to shift to practical certifications.

Practicality is not acing a multiple-choice exam. It’s functional and puts students in real-world scenarios to respond. As someone that holds over 25 certifications, I have a good idea of which ones are actually proof of expertise, and those are few.

Some certification bodies are evolving and doing it right. I’d be remiss not to call out some of the companies helping to fix the cybersecurity talent problem.

CompTIA offers cybersecurity certifications that combine hands-on experience and performance-based and multiple-choice questions. Their curriculum stays up to date on what’s happening in the field, focusing on techniques to combat new and emerging threats.

Their PenTest+ certification includes the elements discussed above and the management skills necessary to scope and manage weaknesses, not just exploit them.

The International Council of Electronic Commerce Consultants (EC-Council) is the world’s largest cybersecurity technical certification body. They have developed several well-known and respected certifications:

  • Certified Ethical Hacker (CEH)
  • Computer Hacking Forensic Investigator (CHFI)
  • Certified Chief Information Security Officer (CCISO)
  • Licensed Penetration Tester – Master (LPT Master)

The National Security Agency (NSA) and the Committee on National Security Systems (CNSS) endorse their programs, and they have accreditation from the American National Standards Institute (ANSI).

The CEH program, which I think is one of the best, is an immersive class that includes 24 hacking challenges across four levels of complexity, covering 18 attack vectors. It’s a real hands-on practical learning experience. The practical part of the exam would be unpassable for paper tigers. You can’t memorize how to apply techniques to scenarios. It requires critical thinking and knowledge.

If you’re looking for a certification that translates into a cybersecurity job, the CEH should be at the top of the list.

Fixing the Hiring Practice Problem

The first thing any company should do regarding hiring is to let go of the fallacy that a certification is a mark of expertise. You need to have a broader view of what certification means. Simply put, was it a practical or a multiple-choice test?

Even if the person has a long list of certifications, this still isn’t a sign they have the skills you need. If you want to know whether the candidate has the knowledge you assume comes with these certifications, ask the right questions. If they can validate with their answers, you can feel more confident in the worth of those certifications.

The next part is to focus more on hard and soft skills. Hard skills align more with certifications and degrees. They are also testable. You can quickly discover if they have these. Soft skills are harder to gauge. You’ll learn that soft skills are often more valuable. They include being a good communicator and collaborator. Others are a willingness to change and evolve, staying curious and perceptive. In the end, they are people skills, and that may be the real skills gap in cybersecurity.

People Skills Are More Impressive than Certifications

Helping cybersecurity professionals enhance and grow their people skills could be the answer to winning the cyberwar. It’s not an easy proposition, but it’s possible to transform your employees (if they have the right mindset) and build their people skills. That’s the heart of my book, The Smartest Person in the Room. Read it today to learn more about cultivating your people.