A short one, but important.
We often talk about not doing the basics.
Organisations being breached due to failing to implement the basics.
We ask why we still have not got the basics sorted.
They are not basic.
The critical security things we need to always get right, from patching to managing user rights, should be considered the foundations of good security, or the fundamental controls.
Without a strong foundation, no security programme will deliver what is required.
While foundational, they should not be considered easy.
Take patching as an example. Ensuring a fully patched environment across thousands or more servers, network devices, office devices, endpoints and so on, without impacting availability, and likely while liaising with many different teams, is not as easy as it sounds when you just say ‘patch your environment’.
So yes, as an industry and as organisations, we must do better, but we must also recognise the size of the challenge and the focus required to achieve the goal. We must achieve foundational security across our organisations not just at a point in time, but consistently, efficiently and on an ongoing basis.
To achieve this, we need to help our boards and leadership teams understand the scale of the issue and the reasons why it is important. We must engage across our organisations to ensure secure processes are embedded across our teams.
Calling this basic doesn’t help people understand it is anything but.