LEGG: At the end of the day, really what organizations need to do is protect themselves. It’s as simple as that. Protecting yourself is not something that’s unknown … it’s very well known. We understand the cost and … I think we need to take those standards and frameworks and contextualize them. There’s an example in the CIS Controls implementation groups – everything is divided into implementation groups, and these are a loose way of knowing which sandbox matters to you. At the end of the day, frameworks are going to need to align both on size, on risk, and on the particular industry or parameters of risk that an organization has. We’ve got to make the approach a little more tailor-fit to the organization. In my opinion … there is sort of a generic nature to a lot of [the standards] that doesn’t necessarily create a breadcrumb trail for security or risk practitioners to follow that will help them understand how to right-size a security program for an organization based on their size, the types of customers they have, the types of data or exposure that they have, and the risks that they have. I think that’s the missing piece that I’d like to see in the newest revision of NIST that may potentially be released this year.
Those types of changes are what I think are really important. We as practitioners need to stop looking for or talking about the “flavor of the month” and talk about how to be smarter, how to do smarter security, smarter risk management, how to tune in on the things that make the most difference and save budget on the things that are not going to move the needle. That’s where the rubber meets the road for a lot of folks, and that’s what a lot of folks are not thinking about or looking at.
BAY: I do think, especially for the smaller, mid-sized businesses, it’s just like, “I don’t know where to start, so I’m not starting.”
LEGG: Or, “I’ll buy this antivirus or EDR product and nothing else because I don’t know what I need. Do I need vulnerability scanning? Do I need privileged access management? Do I need other identity controls or other technologies like zero trust access?” There are so many buzzwords and so much alphabet soup out there in the security product space that I can understand why people get overwhelmed.
BAY: The combination of that and the feeling of “they’re all out to get us and it’s not if but when.” It’s like, “Oh my gosh, what do I do now?” So I think it’s a combination of also just helping people understand that the most important thing we do is recover rapidly, and here’s how you do that by implementing these things.
LEGG: I think that’s my one criticism of the security marketing and sales engine: it’s important to highlight the risk, but it’s important not to FUD out. You’re not going to compel anybody or inspire anybody to do the right thing if you’re telling them they’re fighting a hopeless fight or that they can never get fully ahead of it. That’s not an encouraging message, and it’s not even true, frankly. It’s true that we can’t stop attacks from happening. We can’t stop criminals from trying to monetize vulnerabilities in code or whatever the particular circumstance. But we can certainly put the same critical controls in place in organizations that make those outcomes a lot more difficult for criminals and make it much less of an extinction event for those that are experiencing it.