Cyber Hygiene Matters, and So Do Definitions

A specific definition lets you move from a general awareness campaign to an unambiguous action plan.


In an earlier article, I wrote about the importance of cyber hygiene and offered up a specific definition of basic cyber hygiene based on CIS Controls Implementation Group 1. I’d like to expand a bit on why having a clear-cut definition is really important.

A specific definition lets you move from a general awareness campaign to an unambiguous action plan – one that can be communicated, adapted for different conditions, and followed.

There’s a big difference between “only you can prevent wildfires,” and an explicit set of steps to safely extinguish your campfire.[1] Having such a plan allows you to focus the attention of the entire cyber ecosystem of users, adopters, suppliers (vendors), as well as authorities (governments, regulators, the legal system) around a common set of problems and a common set of actions.

A concrete definition provides a technical basis to identify tools to implement the actions, measurements to track progress or maturity, and reporting that can be used to manage an enterprise improvement program.

A specific definition also gives you the opportunity to change the recommended behaviors when the underlying science or understanding changes. In public health, for example, hygiene recommendations are used to translate complex science about topics like disease control into specific personal or social behaviors.[2][3]

Cybersecurity defenders are already flooded with information about attackers, vulnerabilities, and malware. But, as with public health, most don’t have the time, expertise, or interest to read the latest research – they just want a way to focus on positive, constructive action.

In today’s environment of shared technology, linked by complex business relationships and dependencies, we also need a specific way to negotiate “trust” and an “expectation” of security (Are you a safe partner to bring into my supply chain? Can I count on this merchant to safely hold my financial information?) – one that is better than paper surveys or inconsistent interpretation of abstract security requirements.

Finally, if you don’t have a specific definition, then you can’t do the analysis needed to establish the specific value of cyber hygiene (or of any cyber improvement program). This is what CIS has done through our Community Defense Model, and is a topic for another day.

Get started with Basic Cyber Hygiene with the CIS Controls Navigator

Tony Sager
Chief Evangelist


Copyright © 2020 IDG Communications, Inc.