This is my Top 10 list based on the common mistakes I am seeing, which may be completely different from what others are observing. Please share your experiences so we can see where there is overlap or uniqueness.
1) No CISO Left Behind
Having a low-performing CISO is in almost all cases a program killer. Not only is it bad for morale, it typically derails efforts to reduce risk and puts budget dollars on projects with very low ROI. One thing I have noticed is that C-levels and most BoDs are unable to adequately assess CISO performance. It's often measured only on personality and the pure luck of avoiding a public security breach. Conversely, many high-performing CISOs get a raw deal when they experience a breach, even though they have advanced the program further than any of their predecessors.
Recommend: Hold quarterly KPI reviews, including discussion of new KPIs at least annually. Maintain accountability for a CISO's time, specifically time spent building their personal brand or with vendors, versus directly advancing the goals of the organization.
2) Chasing Corns
It is all too common for organizations to flat out ignore doing essentials like prioritizing assets by risk, getting their employees properly trained, or auditing service accounts. Instead people tend to chase unicorns like deception technology, cyber pathogens, cyber camouflage, artificial machine intelligence™, or becoming a producer of threat intelligence.
Recommend: Address, or show significant traction on, the SANS Top 20 controls before pursuing whatever hotness is being peddled at RSAC.
Many of the Fortune 200s have never met a tool they didn't like. This seems to be very typical in organizations that have experienced a breach and bring in a new CISO who was failing but came from a big-name company. They then proceed to spend all that money and still get hacked. Joe McCray was right.
Recommend: Do not allow CISOs to talk about tools by name, only capabilities, and ensure that any purchased solution is fully operationalized before new projects can be initiated. Effectively, force the CISO to strategize around people and process and don't let them lean on the tool crutch.
4) Wounded Knee
Guess what time it is? It's Monday morning and your management just read the latest news. It's time for the old knee-jerk reaction and a bunch of stuff rolling downhill. This commences a colossal waste of resources, including a bunch of reply-all emails and meetings about meetings.
Recommend: Establish ground rules regarding this type of behavior. Limit the spinning up of massive conference calls or data calls until a technical resource has made an official severity or risk determination. Also, I highly advise creating a threat portal where such information can be proactively published to stakeholders.
5) Rockstar Recruiting
It's not news that if you throw big money at talent, some will take the bait. The chronic failure seems to be in actually retaining that talent. There is also a reason why most people feel the exit interview is a complete joke. How much more cost effective is it to ensure your existing people are happy versus continually having to rebuild your team? Also, ignoring people with passion but no experience is detrimental to your staffing. I don't see a lot of excuses for not always having at least one intern or noob that you are building up. And it's important to take note of the staff who hoard knowledge and refuse to mentor.
Recommend: Document and escalate the underlying issues that are causing people to leave the organization early. I recommend reading this story for a classic case of HR failing to do their job. I also highly advise rewarding mentorship financially within your organization.
6) Failing to MFA All The Things
To me this is one of the best allocations of resources you can make, with a very high ROI: moving as many applications and servers behind two-factor authentication as possible. This is the exact opposite of long-term money pits like DLP or NAC. Also, hiding behind user convenience is no longer a defensible position.
Recommend: Start planning and executing today, not after a breach. Both Duo and Microsoft have affordable options.
7) Strategic Firewall
This isn't the firewall as you know it. If you are familiar with the Big4, there was a concept of keeping a firewall between the audit and advisory practices. Similarly, for big banks it was keeping the retail and investment banking businesses separate. This existed for a very critical reason: to avoid conflicts of interest and limit risky practices. Knowing this, you should not accept strategic advisory services from the company selling you solutions. They will only try to sell you products that give them the highest percentage of the sale or allow them to wrap extra service dollars around it. Unfortunately, it's never about advising on the best product based on repeatable tests and real-world PoCs that have been documented.
Recommend: Internal audit and the BoD compliance committee should be tasked with uncovering and addressing this serious conflict of interest.
8) Following the 20/80 Rule
Stop pursuing controls for niche security threats. Yes, that threat may even be in the news (fake and real), but are you sure it applies to your organization or vertical? There seems to be an unhealthy obsession over zero days as well. I agree with others: you may not be important enough to get a zero day used on you.
Recommend: Use templates for creating your organizational threat models to avoid security theater. This will properly align your strategy to the threats you are actually facing. And if a threat actor decides to burn a zero day on your org, kudos to you, because you're actually winning. Also, please capture it and responsibly disclose it to the vendor.
9) Premature Nuke From Orbit
This is definitely one of my pet peeves. A SOC manager has mentally checked out and is just firing off reimage requests without ever determining root cause. That AV alert may have just been a nation state, but you will never know now. If your ticket says "alert X fired, computer rebuild completed" and nothing else, you should be excommunicado from the InfoSec club.
Recommend: Hold a quarterly review of all SOC ticket closures to find the ones where no RCA was determined. In addition, establish a documented process for harvesting indicators and context from internal incidents.
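One way to make that quarterly closure review mechanical, as an added example that is not from the original post: scan closed tickets for a root-cause field that is empty or boilerplate and for missing harvested indicators. The ticket schema, the boilerplate phrase list and the sample records are assumptions, not any real ticketing system's.

```python
from datetime import date

# Closure notes that amount to "reimaged and closed" (assumed phrase list).
BOILERPLATE = {"", "n/a", "none", "reimaged", "rebuild completed", "computer rebuild completed"}
Q1_2024 = (date(2024, 1, 1), date(2024, 3, 31))  # review window used below

def is_boilerplate(note) -> bool:
    """True when the root-cause field carries no actual analysis."""
    text = (note or "").strip().lower().rstrip(".")
    return text in BOILERPLATE or len(text.split()) < 4

def review_closures(tickets, start: date, end: date) -> dict:
    """Summarise closures in [start, end]: how many lack an RCA or harvested indicators."""
    report = {"closed": 0, "no_rca": [], "no_indicators": []}
    for t in tickets:
        closed = t.get("closed_on")
        if closed is None or not (start <= closed <= end):
            continue  # still open, or outside the review window
        report["closed"] += 1
        if is_boilerplate(t.get("root_cause")):
            report["no_rca"].append(t["id"])
        if not t.get("indicators"):
            report["no_indicators"].append(t["id"])
    n = report["closed"]
    report["no_rca_pct"] = round(100.0 * len(report["no_rca"]) / n, 1) if n else 0.0
    return report

TICKETS = [  # constructed sample records; indicator values are placeholders
    {"id": "INC-1001", "closed_on": date(2024, 2, 3),
     "root_cause": "Computer rebuild completed.", "indicators": []},
    {"id": "INC-1002", "closed_on": date(2024, 2, 9),
     "root_cause": "User opened a macro-enabled invoice; the macro fetched a second stage from an external host.",
     "indicators": ["sha256:<placeholder>", "domain:<placeholder>"]},
    {"id": "INC-1003", "closed_on": date(2024, 3, 15),
     "root_cause": "", "indicators": ["sha256:<placeholder>"]},
    {"id": "INC-1004", "closed_on": date(2023, 12, 20),  # previous quarter, ignored
     "root_cause": "N/A", "indicators": []},
]

if __name__ == "__main__":
    print(review_closures(TICKETS, *Q1_2024))
```

The `no_rca_pct` figure is the KPI to track quarter over quarter; a SOC that is "nuking from orbit" shows up as a high percentage with an empty indicator harvest.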
10) Logging/Tapping All The Things
This isn't all that horrible, but it's still counterproductive and very common nonetheless. Logging everything, including events of no security or audit value, makes little sense. Then people turn around and store that same data for 5 or more years. Someone best described this as useless pools of liability. The same goes for overloading your network sensors with encrypted traffic or traffic from your core. There is not much ROI here and it creates a tremendous amount of noise for your security analysts.
Recommend: Implement a tiered logging strategy for retention and filter out log events or log types with no practical use. This has the added benefit of potentially reducing your SIEM licensing costs. If you plan on tapping everything, do not feed it into your analyst console until you have proven they are staffed well enough to monitor all internet gateways and DMZs.
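A minimal version of the tiered logging strategy above, as an added example that is not from the original post: each incoming event is matched against ordered rules that assign it a retention tier, and events in the zero-day tier are never forwarded to the SIEM. The patterns, day counts and sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Retention tiers in days; 0 means the event is dropped before it reaches the SIEM.
RETENTION_DAYS = {"drop": 0, "short": 30, "long": 365}  # illustrative values

# Ordered rules: first match wins. Auth/privilege events keep long retention,
# debug chatter and health checks are dropped, everything else is short-lived.
RULES = [
    (re.compile(r"\b(sshd|sudo|login|pam_unix|kerberos)\b", re.I), "long"),
    (re.compile(r"\bEventID=(4624|4625|4672|4720|4728)\b"), "long"),
    (re.compile(r"\b(DEBUG|TRACE)\b"), "drop"),
    (re.compile(r"\bhealthcheck\b|GET /ping\b", re.I), "drop"),
    (re.compile(r"\bEventID=(7036|10016)\b"), "drop"),
]
DEFAULT_TIER = "short"

def classify(line: str) -> str:
    """Return the retention tier for one log line."""
    for pattern, tier in RULES:
        if pattern.search(line):
            return tier
    return DEFAULT_TIER

def apply_policy(lines):
    """Return (forwarded (tier, line) pairs, per-tier counts)."""
    kept, counts = [], Counter()
    for line in lines:
        tier = classify(line)
        counts[tier] += 1
        if RETENTION_DAYS[tier] > 0:
            kept.append((tier, line))
    return kept, counts

SAMPLE = [  # constructed sample lines, not real telemetry
    "Jan 10 08:01:02 host1 sshd[2211]: Failed password for root from 198.51.100.7 port 5412 ssh2",
    "Jan 10 08:01:03 host1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/bash",
    "Jan 10 08:01:04 host1 app[1001]: DEBUG cache miss for key user:42",
    'Jan 10 08:01:05 lb1 nginx: 10.0.0.5 "GET /ping HTTP/1.1" 200',
    "Jan 10 08:01:06 dc1 EventID=4625 An account failed to log on",
    "Jan 10 08:01:07 srv2 EventID=7036 The Print Spooler service entered the running state",
    "Jan 10 08:01:08 srv2 app[1002]: INFO order 9912 processed",
]

if __name__ == "__main__":
    kept, counts = apply_policy(SAMPLE)
    print(dict(counts))          # {'long': 3, 'drop': 3, 'short': 1}
    for tier, line in kept:
        print(f"[{tier}:{RETENTION_DAYS[tier]}d] {line}")
```

The per-tier counts are the number to show your SIEM vendor: everything in the `drop` bucket is volume you stop paying to ingest and store.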