I know this thought is wrong... but I'm having difficulty countering it. Help please. 1. Orgs spend billions on staff and tools 2. Breaches still happen 3. For the org that is hit, the effect of their spend was 0 I want this to be wrong, but I'm struggling.
There are a lot of factors you're not taking into account. 1. How much worse would the impact have been without that spend (not just lateral movement, but data gov, compliance impact, etc.)? 2. How many other events have been prevented? 3. How resilient was the org in recovery?
Yes, you’re grappling with the “demonstrating a negative” problem. The spending did likely prevent multiple incidents that never rose to the level of visibility.

Sep 28, 2022 · 3:38 PM UTC

I'm thinking that some research I did on this years ago may help... idk. This is hella uncomfortable, I **know** it's worth it. I'm having a devil of a time proving it.
Exactly this IMHO. Not an expert by any means, but think locks-on-your-doors and CCTV, next door with no locks or CCTV may equally be left, but should someone look for an easy target, the CCTV you have helped. Like the bear analogy, you just have to run faster than your friend!
I'm not too keen on the bear analogy. Yes, there are lots of opportunistic attackers, but many are hyper focused on a single target or market vertical.
To make an absurdly grounded example, think of a world with no consumer grade anti-virus, or a NOAA website with no password on a John Smith Ph.D. account that has trusted access to DOD Special Operations systems. "What sort of weather is optimal for this SEAL Team mission?"