CISO IT – Reviewing, Patching, and Hardening: Decluttering Digital Infrastructure, E17

Jason Kikta (00:15)
Hey, hello and welcome to the CISO IT podcast from Automox. I'm your host, Jason Kikta. It's great to have you back with us here in April.

This month, we're going to be talking about spring cleaning. This is one of my favorite topics because I feel like, whether you literally do it in the spring or at another time of year, taking designated time to tidy up your network, procedures, and paperwork is always to your advantage.

When we get into spring cleaning, right—spring cleaning can be a designated day for your company to get caught up on patches. If you have to run a somewhat restrictive patch policy, where you're mostly focused on critical patches or have very limited windows, it's good to occasionally have a focused effort to get people caught up.

Obviously, we'd all prefer to do that regularly, but that's not always feasible. We as IT practitioners don’t always get that level of influence, sway, or priority across the business. So you do what you have to do—and spring cleaning can help.

Back in the day, it was always the shared drive. If you were on a Windows network (and most of us were 10–15 years ago), shared drives could become monstrosities. They needed regular cleanups—not just because they filled up, but because they became unnavigable.

You’d find staff backing up everything (not just critical files) to the shared drive. Bonus points if they did it with improper permissions so that anyone in the business could read sensitive documents. That was a continuous nightmare in the days of Active Directory-style shared drives.

Now, in the cloud era with OneDrive or Google Drive, the structure is a little different. It’s harder to overshare unless you have overly broad default permissions. But people still fill up their storage and keep stuff way past its retention lifespan.

Retention lifespans are extremely healthy. You should have a few knowledge repositories—like Confluence or SharePoint—for long-term storage, ideally with dedicated people maintaining them. Other things like shared drives, Slack messages, Teams messages, and emails should have retention time limits.

Too much data piles up and becomes a liability. First, it's just hard to find things. Second, you might be paying for excess storage. And third, there's the liability side—discovery in a lawsuit, sensitive data like keys accidentally dropped into messages, etc.

Having time limits helps. It’s not perfect, but it helps tidy things—especially old stuff that people forget about. Maybe it was here, now it's moved to a secure vault—but it's still sitting in 30 Slack messages from five years ago.

Another form of spring cleaning? Scanning your network. You never know what you’re going to find.

I always joke about my time in the military—how the DoD networks are massive, beyond what normal people can comprehend. Many parts of the DoD have two or three duplicate networks for classified air-gapped systems. DoD had DARPA net and early TCP/IP long before the rest of us, so they’ve had decades to build up cruft.

Where a large enterprise might lose track of machines over a year, the running gag was that the DoD would lose track of entire networks.

I once responded to an incident on a compromised network. It was confusing because nobody seemed to know who owned it. Depending on who you asked—network owner, upstream provider, national sensors—it either was or wasn’t a DoD network.

Turns out, the network owner had lost track of it—for 12 years. It was maintained by a contractor who knew it existed, but their security and IT teams didn’t. It wasn’t getting patches, it was outside their boundary defenses—it was a bad day.

Someday I’ll be able to share more details, but it was a comedy of errors that didn’t feel funny at the time.

So: scan your network. Enumerate everything—devices, operating systems, network shares, patch levels. Ideally, do this regularly. But maybe your spring cleaning is a good time to try a different tool, a new angle, or a secondary check. Calibrate.

If your existing tools are sufficient, great—but do the exercise, document what you find, and you’ll avoid reinventing the wheel next year. Maybe you’ll find something you didn’t think of before.

And finally: compliance.

For me, compliance is a great motivator. Leading up to our annual SOC 2 audit is a great time to go through documentation. Is it up to date? Does it make sense to an outsider? Are logs formatted properly? Can we walk the dog for the auditor and demonstrate what they need?

Tying cleanup to compliance makes success more likely—and easier to remember. SOC 2 happens at the same time every year, so you can back off a month to do one task, two months to do another, and build a rhythm into your calendar.

That way, it’s not one massive annual lift. If you space it out and do a little each month, even annual tasks become manageable. You don't need dedicated people, and you move toward that ideal of being ready for an audit at any time.

When you live in that place—where you’re close to always being ready—life gets easier. Cleanups and compliance events become fast and smooth, with predictable outcomes. So if something large or unusual comes up, you actually have the time to address it, because you're not buried under a million small tasks.

So maybe more than spring cleaning, think about pacing yourself and your timing.

And that’s what I’ll leave you with today.

Thanks for tuning in this month, and I’ll see you in May. Until then—stay safe out there. Thanks.

Creators and Guests

Jason Kikta
Host
Jason Kikta is a fortress of knowledge in cybersecurity, bringing over two decades of frontline experience to the CISO IT podcast. His tenure at US Cyber Command isn't just a credential — it's a cornerstone of his expertise, providing a unique lens through which he views security threats and applies the best ways to prevent or remediate them. At Automox, Jason bridges the gap between good IT and robust security, sharing cutting-edge trends, tips, and expert advice based on the credo "good security comes from good IT." His episodes are essential listening for IT professionals aiming to fortify their defenses and stay ahead in the ever-evolving cybersecurity battlefield.