Cybersecurity in 2023: Principle 2 — Focus on Jobs to be Done

This blog post is a part of our 5 Principles Blog series. 

We've come up with a new way for organizations to make their security better in a complete and efficient manner. It's built on five main ideas that we've worked on for a long time. Our goal is to make managing cybersecurity much easier, to the point where it's almost really simple. We've created a system that not only boosts security but also makes handling cybersecurity much easier.

Free Ebook That Unpacks All This & More 

Get the 40+ page ebook and learn the 5 principles that will streamline and simplify your cybersecurity management

Alright, let’s go dive into the 2nd principle: Principle 2 — Focus on Jobs to be Done

The Problem

Achieving compliance is the ever-present backdrop for any cybersecurity management system, with anything that alters your security profile being a variable that will toggle you from compliance to non-compliance and back again.

So, checking the boxes of a security control framework is often seen as the primary goal of cybersecurity. And if you are following multiple frameworks, this can entail having to check a lot of boxes. For something as 'simple' as antivirus, this could mean confirming 5, 10, or 15 times that the appropriate AV controls are in place.

The traditional approach has been to control ‘crosswalks’ and matrices of controls that make a feeble attempt at coordinating multiple control frameworks. I won’t mention names, but you can even spend $5-10k on a control framework that maps to all frameworks. One framework to rule them all, if you will.

In practice, this line of thinking is backward. Adding another control framework to fix the problem of too many control frameworks is not logical. And in reality, it means that to cover all the bases, you will still have to generate three or four 'sub-reports' from different apps that must be collated to create a single master presentation to the Board.

The Solution

We started to ask ourselves: rather than always focusing on the individual wording of
each control framework, is there a way to help cybersecurity professionals focus more on their primary overarching outcome — making an organization safe and secure?

The solution to the problem of too many security control frameworks is not to add another framework or crosswalk multiple lists of controls. The solution is to ignore the control frameworks, at least temporarily, and focus on the security jobs that need doing.

Free Ebook That Unpacks All This & More

Get the 40+ page ebook and learn the 5 principles that will streamline and simplify your cybersecurity management

If somebody is responsible for antivirus, their job is to ensure agents are deployed and reporting regularly, signatures are kept up to date, and the right KPIs are met. The evidence of this job being done is a report from the antivirus management console demonstrating that these items are in place.

The person doing the job of antivirus doesn’t need to know they are complying with PCI DSS requirement 5, CIS Critical Security Control 10, and ACET Domain 3 Item 190. They need to know what is expected of them, how to produce the evidence, when to provide it, and where to put it.

Keep it simple and focus on the jobs to be done. An evidence list of about 120 items can comply with hundreds of individual controls across multiple frameworks. Mapping evidence to controls can be done once, on the backend, where nobody needs to worry about it. No framework to rule all frameworks necessary.

With the Rivial Platform, we link controls from various frameworks to a single set of evidence. Based on a flexible schedule, the platform notifies evidence owners when an item is about to expire. Once evidence is uploaded from all your different security functions, the software does all the hard work of running through the different checklists of all control frameworks and highlights any areas of non-compliance.

This means that regardless of the control framework. Each evidence is checked against requirements, and the system is automatically updated. This is done for both risk assessment and compliance controls. The latest tracking and cybersecurity reports can then be quickly generated for the management team. This means you can focus on what needs to be done — any unchecked boxes.

In conclusion, moving away from traditional, complex, and often fragmented approaches to cybersecurity compliance and adopting an integrated, evidence-based approach like the one offered by the Rivial Platform can significantly streamline the process. This system efficiently and effectively links various control frameworks to a single set of evidence, automates compliance checks, and provides actionable reports for management. This allows your focus to be where it should be—on ensuring the security and integrity of your organization's digital infrastructure—rather than being overwhelmed by complex compliance processes.

Free Ebook That Unpacks All This & More 

Get the 40+ page ebook and learn the 5 principles that will streamline and simplify your cybersecurity management