What are organizations lacking in their cybersecurity posture?

SVP in Finance (non-banking), 3 years ago

I refer to my approach as brilliance and basics, and the latter is what's lacking. There are hundreds of NIST and CIS recommendations out there. But the reality is, you only need 20 basic things. If everyone did those 20 basic things, they would be way ahead of where they are today. The general challenge that I find is that people get caught in the minutiae of all the other recommendations without realizing that they haven't even locked the doors or closed the windows.

1 Reply
no title, 3 years ago

Exactly. It’s simple hygiene, just like making sure you wash your hands after you use the restroom.

Founder/Chairman/CTO in Telecommunication, 3 years ago

I view cybersecurity as an 80/20 problem overall. 80% of it is hygiene and things that we've seen before — things that we can automate, in cases where automation is a viable and economic solution. It’s within the remaining 20% that the bad stuff happens. So how do you address both at the same time? It's always been interesting to have this conversation in the context of Bugcrowd, because people assume that I'm all about humans coming in to solve everything. But that's not true.

There's always going to be a gap that's created by the innovation of the adversary, which only has human creativity and human adoption of process as its solution. But you should automate wherever you can. The companies that we work for weren't started just to fight Russia or China, so this is not our main game.
