Don't Rush the Endgame: Pragmatic Cyber Assessments for Early Maturity
- Kyle Wolski
- 6 days ago
- 5 min read
I love games that focus on long-term, bigger-picture thinking: real-time strategy, board games, base building, even The Sims. The ability to create, think, and design, whether it is beating your enemy or making a sprawling, efficient base, fascinates me. They all teach the same lesson: if you skip the basics (your starting resources, your long-term objective, and the terrain), you end up with a fragile empire that crumbles the moment trouble shows up. Ironically enough, lessons learned in video games also translate to cybersecurity: those who ignore, or do not correctly establish, a solid foundation set themselves up for failure.
Many organizations embark on uplifting their cybersecurity posture with ambitious plans, only to find themselves overwhelmed and stalled within months. I’ve seen CISOs and Directors sprint to perform cyber assessments, only to stumble and lose credibility with their peers and other teams.
In the previous blog post, “Your First Steps on the Journey to Improved Security: Selecting the Right Framework”, I spoke about the questions and evaluation criteria leaders should consider when approaching an assessment framework, and ended with a crawl, walk, and run approach to gradually uplift your security program and set your organization up for success. Today, let’s expand on “Crawl” and talk through the habits that keep momentum (and morale) high.
Practical Next Moves
Much like the player who starts building their endgame base the moment the game begins, too many teams correctly admit they’re still crawling, but then apply complex requirements, approaches, and scoring methods that set unrealistic expectations or require significant effort and time. The result? Burnout, unfinished progress, and a team that winces any time “cyber” pops onto the agenda. Let’s tackle these challenges head-on with useful approaches and reminders.
What are we really trying to solve here?
Sometimes controls can feel like legal code or a poorly translated instruction manual, with your eyes and brain turning to mush just trying to interpret what they’re saying. And the kicker is, you’re the cyber expert! If you can’t explain or interpret the control in plain English, neither can your stakeholders. Sometimes it’s best to pause, take a step back, and ask the question: what is the control actually trying to address? The following questions can help translate:
- What are you trying to stop (i.e. the Threat)?
- Where could the threat sneak in (i.e. the Vector)?
- What part of our world does the control touch (i.e. the Scope)?
Even if your team is well-versed in control language and intent, others may not be. Try to reword the language in simple layman's terms (e.g. “We build strong defenses at this choke point because the enemy will attack our farms.”) Simple, memorable, effective.
Separate the “Must-Do’s” from the Guidance
Some frameworks include guidance as part of the control, which can be confusing. Am I on the hook for the entire statement or just part of it? Much like a player who builds a large base for a small population, you’ll end up wasting valuable resources and time if you treat every sentence as mandatory. For example, CIS Control 1.2 states:
“Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset.”
While this seems like a two-part control, the first sentence is the “Must-Do” while the second sentence is guidance on how an organization may want to handle unauthorized assets. Ultimately, you need to make that distinction crystal clear so teams don’t feel on the hook for every comma and word. While this may seem like a tall ask, a robust and pragmatic risk and tolerance strategy can guide your decision-making and approach.
Shrink Expectations into Bite-Size Requirements
Sometimes, a control can seem like an impossible scenario: build a base that sustains and protects your colonists against various enemies and environmental factors, then launch an attack against your enemy. One could feel overwhelmed, asking, “How would I even succeed?” Sometimes it’s best to take a step back and break it down into smaller, more manageable sections or side-quests. Identify the unique asks and expectations within the control to create narrow, specific requirements. Ok, I need to make sure that I gather materials to build a shelter, assign colonists to grow food for everyone, set up manufacturing to produce armor, etc.
Using our control example above, if we agree that the first sentence is the “Must-Do”, then what specific actions need to be done? Break it down into the following requirements:
- The organization shall implement a method to detect unauthorized assets connected to enterprise networks (e.g., via network monitoring, DHCP logs, NAC, or asset discovery tools).
- The organization shall establish a documented process for responding to unauthorized assets, including timelines and escalation procedures.
- Assets that are not removed shall have a documented exception with a defined business justification and risk acceptance.
- Unauthorized assets shall be remediated (removed, isolated, or approved) within a defined time frame, such as 5 business days.
Here we can tackle each requirement individually, which helps distribute efforts and tasks to different teams or individuals. The team responsible for forging your sword and armor is most likely not the same one raising, training, and feeding the noble steed you’ll take into battle!
Keep Scoring and Expectations Simple
Rather than maturity scoring models like those of NIST or CMMI, you should focus on simple, easy-to-measure methods of judging and tracking success. While a wooden wall might not be as sturdy, it’s much better than a stone wall that only covers one direction! Consider evaluating your current state on a simple “Pass, Partial, Fail” scoring methodology to keep your goals and expectations aligned:
- Pass: The control’s intent has been achieved, and the risk is reduced. The wall is finished and completely protects all required areas.
- Partial: Portions of the control have been implemented, but there is still known exposure. Part of the wall is complete, but there are still areas to build.
- Fail: Nothing, or almost nothing, exists to show that the risk has been addressed. Our base is wide open to any attacker.
At this stage, a more complex scoring method can actually do more harm than good. Remember, our goal is to establish a solid security foundation through finding gaps, not grades.
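To make the two ideas above concrete, the following is an added example (it is not code from the original post or from CIS) that takes the four requirements we derived from CIS Control 1.2 and evaluates them against constructed sample data: an authorized-asset inventory, a few DHCP lease lines, a response register, and an exception register. It then rolls the per-asset results up into the simple Pass, Partial, Fail score. The log format, the MAC-keyed inventory, and the 5-business-day deadline are assumptions for illustration; the point is that each requirement becomes a small, checkable question rather than one intimidating sentence.

```python
"""Added example: assess the requirements derived from CIS Control 1.2 and
score the result Pass / Partial / Fail. Sample data is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

REMEDIATION_SLA_BUSINESS_DAYS = 5  # the "defined time frame" from requirement 4

# Constructed inventory (assumption: keyed by lowercase MAC address).
AUTHORIZED_ASSETS = {
    "aa:bb:cc:00:00:01": "wks-finance-01",
    "aa:bb:cc:00:00:02": "srv-files-01",
}

# Constructed DHCP lease export: first-seen date, MAC, IP, hostname.
DHCP_LEASES = """
2024-05-01 aa:bb:cc:00:00:01 10.0.1.10 wks-finance-01
2024-05-02 aa:bb:cc:00:00:02 10.0.1.20 srv-files-01
2024-05-03 de:ad:be:ef:00:01 10.0.1.77 unknown-laptop
2024-05-06 de:ad:be:ef:00:02 10.0.1.78 raspberrypi
2024-04-29 de:ad:be:ef:00:03 10.0.1.79 old-printer
2024-05-01 de:ad:be:ef:00:04 10.0.1.80 vendor-kiosk
"""

# Constructed response register (requirement 2): MAC -> (action, date closed).
RESPONSE_LOG = {"de:ad:be:ef:00:01": ("quarantined", date(2024, 5, 7))}

# Constructed exception register (requirement 3): MAC -> business justification.
EXCEPTIONS = {"de:ad:be:ef:00:04": "vendor kiosk, segmented VLAN, risk accepted by ops lead"}


@dataclass
class Lease:
    first_seen: date
    mac: str
    ip: str
    hostname: str


def parse_leases(text):
    """Parse the constructed lease export into Lease records."""
    leases = []
    for line in text.strip().splitlines():
        day, mac, ip, hostname = line.split()
        leases.append(Lease(date.fromisoformat(day), mac.lower(), ip, hostname))
    return leases


def find_unauthorized(leases, inventory):
    """Requirement 1: anything on the network that is not in the inventory."""
    return [lease for lease in leases if lease.mac not in inventory]


def add_business_days(start, n):
    """Walk forward n weekdays (Mon-Fri) from start; weekends do not count."""
    day = start
    while n > 0:
        day += timedelta(days=1)
        if day.weekday() < 5:
            n -= 1
    return day


def assess_asset(lease, responses, exceptions, today):
    """Requirements 3 and 4: each unauthorized asset must be remediated within
    the SLA, covered by a documented exception, or it is a gap."""
    deadline = add_business_days(lease.first_seen, REMEDIATION_SLA_BUSINESS_DAYS)
    if lease.mac in exceptions:
        return "exception"
    if lease.mac in responses:
        _action, closed = responses[lease.mac]
        return "remediated" if closed <= deadline else "remediated-late"
    return "within-sla" if today <= deadline else "overdue"


def score_control(statuses):
    """Roll per-asset outcomes up to the simple Pass / Partial / Fail score."""
    if not statuses:
        return "Pass"  # detection ran and found nothing unauthorized
    ok = {"remediated", "exception", "within-sla"}
    handled = sum(1 for s in statuses if s in ok)
    if handled == len(statuses):
        return "Pass"
    if handled == 0:
        return "Fail"
    return "Partial"


def assess_control_1_2(lease_text, inventory, responses, exceptions, today):
    """Run the four requirements end to end; returns (per-asset status, score)."""
    unauthorized = find_unauthorized(parse_leases(lease_text), inventory)
    statuses = {l.mac: assess_asset(l, responses, exceptions, today) for l in unauthorized}
    return statuses, score_control(list(statuses.values()))


if __name__ == "__main__":
    per_asset, score = assess_control_1_2(
        DHCP_LEASES, AUTHORIZED_ASSETS, RESPONSE_LOG, EXCEPTIONS, date(2024, 5, 10)
    )
    for mac, status in per_asset.items():
        print(f"{mac}  {status}")
    print("CIS 1.2 score:", score)
```

With the constructed data the laptop was quarantined inside the window, the kiosk has a documented exception, the Raspberry Pi is still inside its 5-business-day window, and the printer is overdue, so the control scores Partial. That single "overdue" line is the gap the assessment exists to surface; the score itself is secondary.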
Perfection is the Enemy of Progress
Beginning your cyber maturity journey is an exciting time. Much like starting a new game, keep these guideposts in mind:
- Simplify the control to grasp its intent
- Identify what is required vs. what is guidance
- Smaller, easier-to-digest efforts lead to larger success
- Simpler scoring methods keep the focus on gaps, not the score
Whether you’ve just started building a base for your colonists or drafting your very first control catalog, victory starts with the same move: lay the first stone well and establish a solid foundation.
So before scoping the next shiny toolset, ask: Have we finished the walls and stocked the granary? If the answer is “not yet,” maybe you need to keep your colonists there a little bit longer. You’ll find that future advancements become far more achievable.
When you're ready to start building your base, we're always happy to jump in as a co-op player on your quest. Contact us here.