Eric Haupt
Sunday Musing

Sunday Musings: Dealing With Criticism

Happy Sunday Friend!

Welcome back to another musing! I’m glad you’re here. Here are your Sunday Musings, a quick dose of what I’m exploring and thinking about. If you find it useful, please feel free to forward this along to friends!


Quote I’m Musing

“Why should we be afraid of criticism? If that criticism is correct and we are in error then the person criticizing us has done us a favor by correcting it. If they are wrong, what do we care? More likely, if we are doing our job right, we should already be well aware of the issue that people are raising and already be fixing it. We should have no sense of ourselves as perfect or above critique. Nor should we be so fragile and vulnerable as to not be able to bear being disliked or disagreed with.”

-Marcus Aurelius

I don’t think there’s much in the way of interpretation for this quote. Marcus said it all clearly.

I’ve long been a “people pleaser” and overly concerned with people I meet (even in passing) liking me. It’s something that I work on more and more as I continue to put my thoughts, beliefs, and opinions out into the masses.

Beyond not making excuses, it’s about learning to gladly accept a correcting criticism for the help it provides, without worrying over the intentions or feelings of the person who delivered it.

The more people you talk to, the more people there are who will disagree with or dislike you. It’s a numbers game. Besides, if everyone was the same: same beliefs, same thoughts, same likes and dislikes… the world would be a terribly boring place.


On the CIS Critical Security Controls V8!

I’ve had quite a bit of discussion and questions on implementing and integrating cyber security concepts with operations and business processes. So much so, that I’m embarking on a journey through the 18 (down from 20) controls.

My goal is to reinforce things I know, shed light on and correct the things I think I know but don’t, and increase my understanding by applying them technically. I also want to begin a deeper journey into applying them from a business and operational perspective, and into how to discuss them with executives. I’ll add a control-by-control explanation each week for all 18 controls. Then (hopefully) I’ll put it all together as a single downloadable reference (free, of course) for all.

I’ll go loosely in order, but I’m going to organize them by which controls I think are the most important to get a security ecosystem up and running, then round it out. The last couple aren’t the least important; it’s just that after I get past the big 8 or so, the controls become bespoke and largely dependent on what your organization does, needs, and has.

We’ll start this week with an overview of the Center for Internet Security’s Critical Security Controls.

What are the CIS Security Controls?

These controls are a prioritized set of specific and actionable best practices to implement and form a defense-in-depth approach for mitigating the most common cyber-attacks.

I think of the controls as a tools catalog, or a grab bag of things where you can “if this, then that” your way through your organizational needs. CIS Security Controls, and NIST 800-53 rev. 5 are the lists of everything we might need in our cybersecurity program.

Do we need to use all of them? Most likely not. We select which controls we need based on the security program framework (ISO 27001, NIST CSF) we are building and the outcomes of our executive risk management framework (ISO 27005, NIST 800-39, or FAIR). Just like when building an engine, we need rotors and eccentric shafts for Wankel rotary engines, pistons and camshafts for piston engines (or flux capacitors for DeLoreans).

Quick history lesson: the controls came about from a partnership between the Air Force and the National Security Agency around 2008. The Air Force put together the consensus audit guidelines to address the major issues they were facing. Then they brought them to the NSA, which has not only the Signals Intelligence responsibility but also the Information Protection responsibility. The collaboration resulted in the consensus audit guidelines, then the 20 critical controls (hosted on SANS), then the CIS critical controls.

There are 3 implementation groups (categories) for us to choose from. The IGs are numbered 1-3, and we select them based on our organization’s own self-assessed risk profile and available resources.

IG 1 is our emerging minimum standard. Think of this as the on-ramp for essential cyber hygiene and the minimum standard for information security with the CIS controls. IG 2 builds on IG 1, and IG 3 implements all 18 controls and 153 safeguards.

Since they are a prioritized list of 18 controls, if you’re starting out and don’t know where to begin, start with number 1.

Why Should We Care?

The art of moving from risk frameworks to program frameworks to control frameworks requires that security go from being just a cost sink, to a compliance requirement, and up to a place where the CISO is a peer of the C-level executives and security is a business-enabling function. The security program is the enabler for new and current business, and it protects the organization from the myriad of threats like ransomware and breaches we see in the news because we have built our frameworks and controls effectively.

We are in the business of revenue protection and projection. We implement the frameworks and controls that:

  1. Save the organization money by keeping our systems from breaches and having to pay fines.

  2. Enable possibilities for more business endeavors through compliance such as ISO 27000 and GDPR.

  3. Create a culture of cyber vigilance, ensuring everyone who works at the organization can be a sensor for anomalies and potential threats.

Aligning security needs in these three categories helps us create an approachable way to tackle the challenges of both security and business operations. Communicating in that fashion helps us build effective communication practices and muscle memory between technology leaders and business leaders (dolphin speak to board speak).

Next week we’re jumping into controls 1&2 (I feel like they should be lumped together)!


Interesting and In the News

Mass exploitation of MOVEit flaw

More than 6.5 million Americans’ personal data have been exposed, and several U.S. and other nations’ government agencies, as well as global organizations, have been targeted by the Russian ransomware group Clop.

Oreo/Ritz maker Mondelez third-party law firm hit by data breach

More than 50,000 staff members from the snack maker have been warned that their personal data may have been stolen after Bryan Cave Leighton Paisner LLP, a law firm hired by Mondelez to provide legal advice, was breached.

This is why it’s important to have a security framework, even if you don’t think you’re a target (you are).


GPT-4 Outperforms Humans in Pitch Deck Effectiveness

Venture funding is tight right now. A 2023 study by Clarify Capital shows that investors and business owners were 3 times more likely to invest from a GPT-4 pitch deck than a human one and found that the AI generated decks were twice as convincing.



I would love your feedback!

Which musing is your favorite? What else do you want to see or what should I eliminate? Any other suggestions? Just send a tweet to @erichaupt on Twitter and put #SundayMusings at the end so I can find it. Or, eric@erichaupt.com for long form email.

Have a wonderful week, I’ll see you Sunday.
-e

End of transmission.