By Bob Michaud
I’m a runner and have participated in many 10K races, six marathons—the highlight being the 116th running of the Boston Marathon—as well as the first annual Market to Market run in Nebraska, an all-day running event. I have been running my whole life, but I needed a strategy to keep me in shape and to avoid injuries.
Recently, I have been plagued with injuries from running. My doctor tells me I don’t stretch enough, so I need to spend more time preparing for my runs and then stretching after I run. The problem is there is not enough time in the day to stretch before and after a run, so I take short cuts. For instance, I may only stretch for 10 minutes before a run and then, depending on time, not at all after a run.
I don’t spend the time evaluating whether the stretching is really helping me avoid injuries and I tend to fall short on my doctor’s advice. My short cuts then lead to more injuries, which then lead to undesired outcomes. Consequently, my most enjoyable hobby is not meeting my own satisfaction.
I often think about security when I’m running. There’s a lot of correlation between running and security—short cuts come to mind.
If you take short cuts in your patching cadence, it can lead to undesired outcomes. My auditors and examiners tell me I don’t risk rate my vulnerabilities enough, so I need to spend more time preparing for my patching cadence and then reviewing the results after I have patched. The problem is there’s not enough time in the day to risk rate vulnerabilities before and after patching, so short cuts sometimes are taken.
I know I should risk rate my vulnerabilities. After all, I’m a highly experienced security analyst. However, I find I patch all critical and high vulnerabilities regardless of the asset type, and this short cut can lead to other vulnerabilities and possible undesired outcomes.
More than likely, this example doesn’t apply to your organization, but you may want to think about the lesson I’m trying to provide. Security and running can be fun and you can get lots of benefits from both if you prepare well. Short cuts can work for both endeavors when needed, but a more thorough approach—a strategy—will work much better. We all need one.
Join me in the month of October as Q2 and I bring cyber security into focus. Each week in October, I’ll explore what security means to your online and mobile banking experience. Feel free to send me your thoughts on the topics I discuss.
Thank you and Happy Cyber Security Month.