"Threat awareness is paramount to delivering on the promise of data protection – here's why and where to start." - Will Gragido
Consumers of information security technology and services have been inundated with talk of the value of being cognizant of threats, vulnerabilities, and risks for more than two decades as they labor to ensure that their assets – tangible and intangible – are protected and secured in an increasingly threat-laden world.
Simple vulnerabilities led to Equifax’s latest breach and the loss of the crown jewels - Our Data. This is its second breach of 2017 and third in the last two years. Let that sink in. Equifax knew about security gaps, chose not to close them, and put the identities of 143 million Americans up for grabs.
Yesterday, Tim Cook and others at Apple took the stage at their yearly World Wide Developer Conference to announce powerful new devices and exciting new OS and software functionality available to developers and the public in the months ahead. One feature that they didn’t speak about, but I believe is needed, is this...
Freshman is a wicked smaaaht OG hacker, security researcher, threat Intelligencer and a damn fine all-around problem solver. He's got deep subject matter expertise designing and employing hybrid security approaches 'round the world, spanning the Financial Services/Banking, Retail, Hardware, Software, Government and Higher Education verticals.
If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.
Brilliance in the basics
Every human endeavor requiring skill, knowledge and experience begins with the basics. There's no other way to achieve competency, proficiency and mastery. The same is true of security. Despite vendor claims to the contrary, there is no easy button.
Our technology is really quite good. That's why the bad guys target people.
Technology and People Paradox
Technology companies including software, hardware, telecoms, network equipment providers all bear part of the responsibility. Bugs and vulnerabilities in their products have caused massive security issues for their enterprise customers and consumers because they weren't designed with security in mind. If they were, there would be far fewer issues to begin with. It's amazing that an entire industry was created largely as a result of their products. So, they must do their part too.
However, technology is merely a tool for the adversary to automate tasks that humans have performed and still perform today: conducting reconnaissance and surveillance in order to expose and then exploit vulnerabilities, exfiltrating information, creating havoc, etc. It's an enabler, but it certainly isn't THE problem. People are. After all, people conceive of, plan and execute attacks. People open emails, click on links, fail to follow protocols, neglect to install updates or change passwords. Technology isn't autonomous, at least not yet. Because people are the problem AND the solution, the approach needs to change.
When security is a must (requirement) for the system, technologists, users and owners can make it work.
Leadership must lead by example through their words, deeds and budgets. A personal commitment at the top is critical to the establishment of a security-conscious culture. Boards must be knowledgeable too. When leaders set expectations and standards of performance and hold themselves and their people accountable, they create a security-minded environment and culture which values mastery of the fundamentals first, developing security into the DNA, so to speak. Many of the greatest security failures we see are a direct result of poor leadership in some form or fashion. Leaders must lead...
Here's a question that popped up on my LinkedIn newsfeed last night:
Cybersecurity would be the single most painful unresolved challenge in technology space over the next decade...what is your strategy to address this challenge/opportunity?
In response, here are a few thoughts off the top of my head: