What is the Right Effort to Cybersecurity?

The keynote speaker of Troopers15 gave an interesting presentation (now on YouTube): https://www.blackhat.com/eu-15/briefings.html
Some of the good quotes:
Doing something better must be better than doing nothing?
“Wrong. Paddling hard in the wrong direction doesn’t help just because you want it to”
“You must never confuse faith that you will prevail in the end—which you can never afford to lose—with the discipline to confront the most brutal facts of your current reality, whatever they might be” – Admiral James Stockdale
“I’m here to tell you that your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents” – Brian Snow, 2012
“You don’t have a malware problem, you have an adversary problem” has been trademarked by CrowdStrike.
The full talk PDF file:
[image: Venn diagrams vs. not Venn diagrams]
The concept I found most interesting in Haroon Meer's keynote is the organizational depiction in the images above: not a Venn diagram, but three separate categories, “Complexity of software”, “Organizations and Markets”, and “People” of the companies.
Haroon did not like the Venn diagram because it does not actually explain anything: the intersections do not mean anything.
The best way of explaining the problem we have is to keep all three categories separate and not confuse the matter any further.
Each category has its own challenges and problems.
The other item Haroon talked about that I found most interesting is that pen-testing is misunderstood by the clients of pen-testers.
This is not surprising.
How much effort should be spent on cybersecurity? It truly depends on your risk level: what do you have to protect?
Think about this for a minute: how many hours do you spend thinking about cybersecurity? The criminal thinks about it most of the time, until they either make some money or are caught, and we know a lot of criminals are not caught easily.
So if you are thinking about it for a few minutes while protecting thousands of dollars' worth of data, then you should do more: hire a pentester, or a person who also thinks about cybersecurity all the time.
Like us