Companies' cultures need to change. You need to become concerned about every new piece of software, every new connection and every new piece of data -- whether or not you're required by law to care. If some piece of software doesn't contribute to your core business, don't allow it. If some new Internet-connected service isn't part of your mission,

... See more

Mostly, they seek out vulnerabilities, detect attacks, and eliminate compromises. Of course, the size of the attack surface and the sheer volume of vulnerabilities, attacks, and compromises means organizations must make tough choices; not everything gets fixed, stopped, recovered, and so forth. There will need to be some form of acceptable

... See more

In our security world we are often seeking to change behaviors and so we need to pay particular attention to the prevailing culture so we can use that for amplification, or at least so that it does not inhibit any necessary changes we want to make. But in all cases what we need to do is create personal changes of behavior that are supported at the

... See more