“At the large enterprise we are seeing a lot more knowledge and understanding around how to create a security practice,” he said. “In the mid-sized and SMB segments, we see a ton of negligence. I’ve had a lot of C-level people tell me, ‘We don’t store social security numbers or credit cards in any of our databases, so we must be fine.’ And that’s pretty scary because that’s only a small segment of the attack surface.”

Ferguson says it’s a mistake for Trusted Advisors to walk into their first meeting with a new prospect and ask them directly to identify their security vulnerabilities. “Nobody’s going to give those to you,” he said. “Plus, people don’t know what they don’t know. The important thing is to get a map of their network, their infrastructure, and their applications and then start looking to understand the Layer 1 through Layer 7 vulnerabilities.”

From the standpoint of the enterprise buyer, decision-makers should be willing to answer questions about how they respond to specific threats, and that’s going to open up the conversation to building and adjusting plans and identifying blind spots.

In this modern era, enterprise IT decision-makers must also keep in mind that protecting against the garden-variety hacker is no longer sufficient. They must also be aware that governments, and those who represent governments, are also involved in efforts to steal data, product roadmaps, design features, and similar items of value.

The total cost of Enterprise Owner Security
• Purchase, installation, monthly charges, and maintenance costs.
• The cost of remediating future breaches (both financial costs and “soft” expenses, such as damage to reputation).
• Cost of staffing or third-party management.

“The widespread use of cybertools by nation-states is really changing the game,” said Leo Taddeo, the chief information security officer at Cyxtera, shortly before that company spun off its AppGate security line.
“We have, of course, an increase in the sophistication of criminal groups, but what is really new in my view is the acceptance of cyber offensive tools by adversaries like China and Russia. It’s become normal for Russia and China to deploy these tools against our government networks and also our private sector. The risks have gotten worse and the threat has increased, so companies have been getting very sensitive to the potential for true harm to the enterprise.”

Leveraging his experience running a cyberinvestigative unit for the FBI, Taddeo recommends a risk-based approach, which means understanding your business, understanding what’s important to your business, and understanding how to get the most security value for your spending. “Many times, the adversary teaches us what’s important,” he said. “They understand what truly has value and how it can be monetized.”

Taddeo says companies should adopt a layered defense, which includes a variety of measures aimed at extending the time it takes to penetrate while at the same time shortening the amount of time necessary for detection.

Copyright © 2020 AVANT Communications, Inc.
Managed Security Trends and Insights