Board members and senior execs seem really concerned about
APTs and state actors.
The amount collectively spent on cyber security must mean
that only advanced actors and techniques can be used to get into networks.
After all, look at all the news of these big name organizations being hit by
successful attacks.
The danger and fear are about cutting-edge attacks that are outside of your control to stop.
But the security team briefings to board members and execs
often overlook equally important items. They miss the key levers of gaps that are completely controllable. The ones
that don’t provoke imagery of shadowy figures cloaked in black hoodies.
The frequency of security misconfigurations.
The efficiency of OS and third party patching.
The average days since password rotation on privileged service
accounts.
The percentage of security tool coverage.
The places where the security team has less visibility than
they’d like.
If the board and the execs knew the reality of these less discussed items,
would they calculate the effectiveness and focus of their spending differently?
Would they delve into the root causes of your concerns and how to remedy them? Would they invest more in the things that you need like automation, observability,
and training?
The investments that cover the gaps that it doesn’t take a
state actor or an APT to exploit.
Without these conversations, they’re likely making
calculations about their security spend based on the cool things. You are more
likely to get breached on the silly simple things. Both take resources to resolve. Communicate generously
to redirect them, teach them, focus them until they challenge their own
assumption. Your organization will be better off as a result.
The state actors likely won't notice and you'll hopefully stave off a harder conversation about bitcoin.
Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1