I’m sure you will have had a marketing firm or some random sales person on LinkedIn tell you that security should be simple and that their product will save you from all the APTs and nation state hax0rs under the sun. However, let’s get real: that’s almost certainly not true, and security isn’t simple either, or we’d all be out of jobs and everyone wouldn’t be getting owned all the time.
I think a big dose of honesty is needed if you are going to actually improve a company’s security posture:
Leading and acting in a manner which doesn’t contradict the message
Don’t be unrealistic. Absolute security doesn’t exist; if someone is talking in those terms they are probably bullshitting and are highly unlikely to be an actual practitioner.
Sort out the common vectors. Phishing and exposed insecure configurations are clearly areas to focus on, but you should also assume breach and harden the inside of your networks! (Too many people don’t do this.)
People like efficiencies and improvements when they don’t have to be the ones who change; changing behaviours is really hard.
Technology costs money. I hate to break it to people, but if your approach to technology management is driven solely by the bottom line, that is going to have a significant impact not only on your business’s operational capabilities but also on its security: you are likely going to be in a weak posture. Don’t get me wrong, you don’t need to buy ALL the things, but expertise, logging, monitoring and management/technical tools cost money. Don’t shoot the messenger, but don’t expect the moon on a stick either (it’s just not realistic).
Cyber criminals operate in all time zones, and your staff likely use company computing assets across a range of hours, probably sometimes in the evenings and at weekends. Your security operations capability needs to be able to cover this (accepting the risk entirely is a bonkers idea; at least put people on call, oh and that means paying them too!).
The biggest improvement step to me is the cultural one: the change from ignoring the problem and assuming it ‘won’t happen to me’, and from people in leadership and management positions using bad practices. Being honest means recognising that security is a challenge; it’s not a project, it’s a way of running and managing technology services.
To have a strong security posture you will need far deeper knowledge of your business, its assets and its customers. This sounds like a massive business advantage to me!