As a cyber security consultant, the biggest issues I run into that most people aren’t aware of are the almost complete lack of understanding of Risk MANAGEMENT (management emphasized) and the impact that personal motivation has on the likelihood that an effective solution will be created by merging technology, liability, workflow/processes, and most importantly clear objectives.
The hackers and perpetrators will almost always have a leg up on most businesses because their goals are clear. Even those in government institutions want to keep their jobs by having data to look at regardless of whether such analysis creates any real value. I find it ironic that credit card companies have the best security despite their getting hacked all the time. Why should they worry about security problems for which they are either not liable or for which they can pass costs onto others?
Most folks will probably never really understand security because they don’t understand finance. The ones who really get it are insurance companies — they know security starts with liability. They have been most effective at improving cybersecurity behind the scenes. I just wish there were insurance companies for planet Earth.
I was a keynote speaker at a security conference at Apple. Diffie was in the front row, his long white hair flowing as he questioned me because he was confused by assertions of what made good and bad security. As soon as he realized we were talking about risk management, he shifted gears and you could see that in a flash he immediately understood what we were really talking about, and joined us in our fascination with the ways of the business world.