Stake at the heart : Destroying common security wisdom

I believe that the dissonance between what we see in the hacking field and enterprise security is the result of misplaced focus and bad assumptions. The security team is not working on the right topics. Their lead time is catastrophic. They don’t have the right approach and they blindly follow the many dangerous fallacies that plague this industry.

The goal of this presentation is to challenge some commonly held beliefs in the world of cybersecurity. These ideas are repeated, shared, sung, and tweeted by almost everyone. Yet when we look at them more closely, we realize that their foundation is not as solid as it seems. Worse than that, these ideas contribute to the failure of security in businesses.

I think everyone can visualize a security failure: unpatched vulnerabilities, projects that are not moving forward, a non-existent team, etc. There are a thousand and one ways to arrive at this outcome. But even a company that has the right conditions for success: a good team, a good budget, sponsorship, etc., can still mess up if it gets two things wrong:

  • Threat model: working on the right thing at the right speed
  • Alignment issues with other teams

The three preconceived ideas I am going to present in this talk contribute to falling into these two fatal traps.