Several years ago, I discussed the importance of security engineering for the future of security operations. Then, Rami McCarthy in his contributed article explained that security engineering is not the future, it is the present, but not equally distributed
"Most people outside of security don't care about security." - Very apt.
The Pragmatic Path Forward for Cybersecurity:
Instead of hoping for a utopia where everyone suddenly starts caring about online security, let’s accept reality and adapt. The key lies in designing systems where security is baked in, not bolted on:
Defaults and Automation: Think seamless. Updates that happen in the background, password managers that do the heavy lifting, and multi-factor authentication as standard—because asking people to remember 'complex123!' never ends well.
Minimizing Human Reliance: Humans are predictably unpredictable. Biometric authentication and zero-trust architectures cut out the middleman (or middle click). Less guessing, more securing.
Targeted Awareness: Focus training where it matters most. Spear phishing simulations for executives, not generic 'Don’t click shady links' posters for everyone else.
The future of security isn’t about nagging people into compliance; it’s about removing barriers and building tech that assumes humans will do what they do best—take shortcuts.
One of the things I'm grateful for is regular access to the kinds of problems enterprises are trying to solve. As IANS faculty, I regularly talk to small and midsize companies, but also talk to large multinational pharmas and financial firms. This window into the kinds of security problems companies are currently trying to solve is eye opening.
I regularly talk to companies just running their first ever vulnerability scan. Companies that have just enabled MFA for the first time, and are proud to have rolled it out to 60% of their workforce. Companies that have zero experience with containers and very little with cloud. Companies that are just considering rolling out their first VDP or bug bounty.
Over the past 4 years, I've worked with 235 unique enterprises through IANS, and I generally find that:
1. everyone is dealing with the same issues
2. those issues are VERY basic and fundamental
3. almost none of them have engineering (i.e. 'builder') talent on staff
The vast majority of practitioners out there need help doing the basics, and help ensuring they've done the basics correctly. That's my experience (admittedly, with an anecdotal and small sample size)
"Most people outside of security don't care about security." - Very apt.
The Pragmatic Path Forward for Cybersecurity:
Instead of hoping for a utopia where everyone suddenly starts caring about online security, let’s accept reality and adapt. The key lies in designing systems where security is baked in, not bolted on:
Defaults and Automation: Think seamless. Updates that happen in the background, password managers that do the heavy lifting, and multi-factor authentication as standard—because asking people to remember 'complex123!' never ends well.
Minimizing Human Reliance: Humans are predictably unpredictable. Biometric authentication and zero-trust architectures cut out the middleman (or middle click). Less guessing, more securing.
Targeted Awareness: Focus training where it matters most. Spear phishing simulations for executives, not generic 'Don’t click shady links' posters for everyone else.
The future of security isn’t about nagging people into compliance; it’s about removing barriers and building tech that assumes humans will do what they do best—take shortcuts.
One of the things I'm grateful for is regular access to the kinds of problems enterprises are trying to solve. As IANS faculty, I regularly talk to small and midsize companies, but also talk to large multinational pharmas and financial firms. This window into the kinds of security problems companies are currently trying to solve is eye opening.
I regularly talk to companies just running their first ever vulnerability scan. Companies that have just enabled MFA for the first time, and are proud to have rolled it out to 60% of their workforce. Companies that have zero experience with containers and very little with cloud. Companies that are just considering rolling out their first VDP or bug bounty.
Over the past 4 years, I've worked with 235 unique enterprises through IANS, and I generally find that:
1. everyone is dealing with the same issues
2. those issues are VERY basic and fundamental
3. almost none of them have engineering (i.e. 'builder') talent on staff
The vast majority of practitioners out there need help doing the basics, and help ensuring they've done the basics correctly. That's my experience (admittedly, with an anecdotal and small sample size)
This is indeed the state of the market - and it's why delivering security in a way that's accessible for the 95% is the way to go.