What are organizations lacking in their cybersecurity posture?

SVP in Finance (non-banking), 3 years ago

I refer to my approach as brilliance and basics, and the latter is what's lacking. There are hundreds of NIST and CIS recommendations out there. But the reality is, you only need 20 basic things. If everyone did those 20 basic things, they would be way ahead of where they are today. The general challenge that I find is that people get caught in the minutiae of all the other recommendations without realizing that they haven't even locked the doors or closed the windows.

1 Reply
no title, 3 years ago

Exactly. It’s simple hygiene, just like making sure you wash your hands after you use the restroom.

Founder/Chairman/CTO in Telecommunication, 3 years ago

I view cybersecurity as an 80/20 problem overall. 80% of it is hygiene and things that we've seen before — things that we can automate, in cases where automation is a viable and economic solution. It’s within the remaining 20% that the bad stuff happens. So how do you address both at the same time? It's always been interesting to have this conversation in the context of Bugcrowd, because people assume that I'm all about humans coming in to solve everything. But that's not true.

There's always going to be a gap that's created by the innovation of the adversary, which only has human creativity and human adoption of process as its solution. But you should automate wherever you can. The companies that we work for weren't started just to fight Russia or China, so this is not our main game.
