It’s Time To Deal With Cyber Security’s High Hanging Fruit

Opinionated Security
CISO & Cyber Leaders
4 min read · Feb 2, 2020


Starting or re-building a cyber security program by focusing on low hanging fruit makes a lot of sense. As the most popular metaphor for quick and easy work, low hanging security fruit is a key element of building confidence among executives when assuming a new cyber leadership role.

In the real world, low hanging fruit can be picked without any logistics — no planning, no ladders or scaffolding, and no special equipment. You likely can just walk up and pick the fruit. This means very little effort and far lower risk is expended picking the low hanging fruit as opposed to that which is higher in the tree.

Stretching this fruit metaphor into infosec, the lowest hanging fruit are the quickest wins usually related to either the most easily mitigated simple vulnerabilities or activities that quickly increase the level of positive cyber hygiene of an organization’s user base.

Other low hanging fruit might include any infosec work for which the organization has a strong appetite to complete. A senior cyber leader will likely have the prioritization and resources that they need to deal with these issues. Less effort, less risk.

But, as competent cyber practitioners, we know that there is a limit to the amount of metaphorical low hanging fruit both in terms of the universe of available quick wins and also that smaller subset that actually can be easily remediated. At some point, all the truly low hanging fruit will have been picked. So, what’s next?

The higher hanging fruit is what’s next.

Every organization has high hanging fruit. They usually require a significant discovery spike or removal of tech debt. If you’ve been around cyber security for any length of time, you know these types of projects well.

  • Those constantly failing security metrics.
  • Those untuned security tool rules that create thousands of alerts.
  • Those mystery remote connection attempts that for years have been blocked at the firewall, but still continue to try to reach out in hope of a momentary misconfiguration or user error.
  • Those overprivileged accounts and applications that no one wants to contain because they power core business functions.
  • Those frequent account lockouts that no one really understands.

Risk treatment of high hanging fruit involves more than just a hand wave. You’ll be wading through tech debt, laziness, messes created by departed employees, and embarrassing discoveries, all of them the result of poor decisions and ungoverned actions. Cyber security is a people business after all.

That said, we seem to want to downplay the importance of technical competency in some areas of information security. High hanging fruit will require you and your team to hone hard technical skills, become problem solvers, learn about long lost interconnections, re-create how technical decisions were originally made, and be constantly challenged from a technical perspective, as a team as well as individually.

These types of projects involve more than simply changing configuration settings. Discovery work and the subsequent analysis involve understanding systems within a complex, dependency-laden environment, as well as the interactions and limitations among all of its elements.

Regardless of their technical level when they join the team, a team member will rightfully earn their technical chops after a few such successful projects.

Often, while unraveling high hanging fruit, the infosec team will have to help other teams to challenge their current planning, processes, and assumptions so that the same issues don’t reoccur.

To be successful at dealing with the less discussed high hanging fruit, you’ll need a plan. You’ll need strong executive support as well as a team with focus, innate curiosity, grit, and tenacity.

There is nothing sexy, cutting edge, or easy about treating the risks of high hanging fruit. I suspect that this is why infosec teams aren’t keen to tackle this kind of work and so infrequently finish it. It’s possible for risk treatment of high hanging fruit to exceed the average 26 month tenure of a CISO and the team members. You also may need to set expectations and perhaps even negotiate several quarters of work as you deal with these issues in a way that doesn’t create more security friction for users.

High hanging fruit isn’t easy to pick. That said, the results can be far more meaningful than day-to-day cyber work. If only for that reason, infosec programs must regularly challenge themselves to address their high hanging fruit problem.

These projects can be the path to making team members proud of their growth and contributions. Meaningful work often does that.

Want to make a real difference in your cyber program? Start dealing with the high hanging fruit.

Good hunting!

For more insights into how cyber leaders can best enable the business and build rock solid cyber programs, please follow me on Twitter at @opinionatedsec1


Tony Grey * CISO for an insurance company * grew team from 3 to 22 * led large software teams at Microsoft * blogs about cyber leadership & program development