Cyber Security: The Lost Decade - 2020 Edition

JC Gaillard
Security Transformation Leadership


3 min read · Sep 19, 2020


Why large organizations still struggle with decade-old security problems — and how to fix them

I have been involved with information security matters for over 20 years and started writing regularly on the topic in 2015.

Talking to CISOs, CIOs, CEOs and their teams as part of my day-to-day field work as a consultant, I was horrified by what I was seeing in too many large corporates in terms of security maturity levels and the actual problems some were still struggling with. This goes well beyond anecdotal evidence: it is at the heart of survey after survey, every year.

After all, information security good practices have been well established for over 20 years, and many industry bodies have been promoting and evolving them throughout that period.

Why is it that large firms which have had fully functioning information security teams in place all that time, and which have collectively spent hundreds of millions on cyber security, if not more, are still struggling today with issues such as patch management, which should have been on their radar for over 10 years?

For many, there is truly a cyber security lost decade between the Code Red, Slammer and Blaster outbreaks of 2001–2003 and the WannaCry and NotPetya attacks of 2017.

By failing to get the basics right in terms of…


