What are organizations lacking in their cybersecurity posture?
Exactly. It’s simple hygiene, just like making sure you wash your hands after you use the restroom.
I view cybersecurity as an 80/20 problem overall. 80% of it is hygiene and things that we've seen before — things that we can automate, in cases where automation is a viable and economic solution. It’s within the remaining 20% that the bad stuff happens. So how do you address both at the same time? It's always been interesting to have this conversation in the context of Bugcrowd, because people assume that I'm all about humans coming in to solve everything. But that's not true.
There's always going to be a gap that's created by the innovation of the adversary, which only has human creativity and human adoption of process as its solution. But you should automate wherever you can. The companies that we work for weren't started just to fight Russia or China, so this is not our main game.
I refer to my approach as brilliance and basics, and the latter is what's lacking. There are hundreds of NIST and CIS recommendations out there. But the reality is, you only need 20 basic things. If everyone did those 20 basic things, they would be way ahead of where they are today. The general challenge that I find is that people get caught in the minutiae of all the other recommendations without realizing that they haven't even locked the doors or closed the windows.