In his book “Advanced Persistent Threat,” Eric Cole tells a story about his son’s basketball team. They lost every single game. The coach didn’t understand: 15 years ago, when he last coached, these plays worked great.
Do you ever feel like that coach? You’re running an old playbook and you just don’t understand what is happening. A lot of security efforts are geared toward fighting the last war. The bad guys keep honing their tactics, while we’re still running with an old playbook.
In Eric’s example, the coach studied up. He went to his competitors’ games to see what worked. We can do the same thing in security. There are two sets of security controls/strategies that have greatly improved security wherever they have been tried.
The Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines provide measurable ways to improve security. There are a lot of good ideas in here for improving your security. That is, until auditors FISMA them up.
Another one I like is the Australian Government’s Strategies to Mitigate Targeted Cyber Intrusion.
While there is no security silver bullet, these plans can give focus to an Information Security program.