The first step in fixing a problem is admitting you have one. The computer security industry has long been broken and needs some serious fixes. The world spends many billions of dollars fighting cybersecurity threats, more and more each year, and threats, risks and exploits are just getting worse. We have even accepted that computer security is so bad that we must adopt an “assume breach” mentality.
I’m here to say that an assume-breach mentality is for losers. I and others think that we all need to be better about “defeating breach” or minimizing breaches. No one is saying that any of us can ever defeat 100 percent of all hacker or malware tries, especially without making the defenses so onerous that no one wants to use them. We are saying that what the herd is doing is not working. We’re not just complaining. We have specific, actionable, recommended fixes.
I wrote about these problems and their solutions in my latest book, A Data-Driven Computer Security Defense, which was recently nominated for the 2019 Canon Cybersecurity Book Hall of Fame. The core problem is that most computer security defenders do not align their defenses with the biggest threats they actually face, a problem made worse because defenders don’t focus enough on the root causes of successful exploits.
This means most organizations are not spending enough time and resources on fighting social engineering exploits and on better patching of the most commonly exploited software. If more organizations did those two things, there would be a lot less successful hacking. I’m going to spend the remainder of my career focusing on these two issues, because everything else most organizations worry about doesn’t add up to 10 percent of the risk.
Here are two other books that offer fixes.