6

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

you are viewing a single comment's thread
view the rest of the comments
[-] shellsharks@infosec.pub 1 points 7 months ago

CIS Critical Security Controls and/or NIST CSF as frameworks to help put you in the right mindset. But so much of what you should do first depends on some variables imo.

  • What is your budget?
  • What already exists security-wise at your company?
  • What level of executive support do you have? Can you enact real change?
  • What is most important to the company? i.e. "Crown Jewels"
  • What does the network/infrastructure/endpoint environment look like?

Once you answer these questions then you can get a better idea of where to spend the limited time/money you have. The CSC will likely tell you to tap into an inventory and do some form of Vulnerability Management. This is a decent idea as you need to know what you are trying to protect and also catch low-hanging fruit via vuln scanning. Instrumenting endpoints (EDR) or gaining visibility into your infra is also important but which do you pick first? Crowdstrike is awesome but expensive. No one solution is a silver bullet.

Have a plan, create a reasonable roadmap, figure out your companies risk threshold, ask for more resources depending on what level of risk they're willing to accept and how quickly they want things implemented.

this post was submitted on 08 Apr 2024
6 points (87.5% liked)

cybersecurity

3249 readers
9 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Enjoy!

founded 1 year ago
MODERATORS