There is always a new shiny object to chase in cybersecurity: zero trust, AI, passwordless authentication, quantum computing. These are just some of the latest hot topics, and organizations are feeling pressure to adopt them to stay ahead of current threats.
While these new technologies are certainly relevant, they may not be as important as getting the “cyber basics” right. Buying new cutting-edge tools or planning a whole new architecture won’t replace excelling at those foundational, structural underpinnings that build a successful security program. One example of these fundamental considerations is the area of “exceptions.”
It is simply a given in any enterprise that there will be exceptions to cybersecurity policies and procedures. These range from patching exceptions to multifactor authentication (MFA) exceptions to access and firewall exceptions. How an organization processes and tracks exception requests, and evaluates risks associated with exceptions, can have a major impact on how easy or difficult it is for the organization to monitor, detect, and respond to cyberattacks.
Are Cybersecurity Exceptions Justified?
Attackers will leverage exceptions because they provide an easier path into an organization’s environment. For example, I supported a military contract and the command was rolling out application allowlisting. The aides to senior officers requested exceptions for those seniors because they were concerned that the technology might “interfere” with the senior officers’ work. However, the senior officers were the exact group needing additional security protection.
We were able to meet and explain to the aides how the tech would better protect these VIPs, and we would coordinate with their offices to quickly resolve any issues with the technology. Despite some misgivings, the VIPs ultimately were better protected and the exception requests were dropped. All it took was sitting down and discussing the users’ worries and patiently explaining how to ease those worries.
Exceptions ultimately indicate how good your security could be — if there were fewer exceptions (or none at all). Here are some things to keep in mind:
If you’re falling short on cybersecurity fundamentals, such as an exception process, you’re going to be facing security issues regardless of how much time and money you invest in new technologies. Automation and other solutions can help, but they don’t erase every problem, including those that require new human behaviors and processes. Just like Achilles from Greek mythology, it’s easy to forget a weak spot if you’ve lived with it for a long time. And just like Achilles, such forgetfulness can have severe consequences.