I guess I trust….

Most organizations I talk to say “I guess I trust IT.” I get the same answer If it’s inhouse and it’s an employee or outsourced to another company. People are astounded when the prospect of measuring this can be turned into a fact! Security is a paramount for some and preventing some from getting work done. Most often strategy needs to be leveraged or even implemented. Don’t get stuck in the technology. What this means, and why our approach is better, is that even though there is still risk there is a way to managed it and trust this new process.

Create a shared risk relationship in writing. Minimize IT risk within reason and prepare for what happens. If you have less than 200 employees and a few IT guys, they can do it.

Understand there is no magic silver bullet, 98% of incidents occur in the human aspect of technology. Collectively, it’s not just my perspective, it’s the perspective of all the other IT companies we work with around the world in our peer group. Is your IT an island of new information? How do they stay up to date? Are you unknowingly betting your risk profile on them?

You can’t keep hurricanes from happening. The hardest part is that the market sees these attacks as new as sophisticated. They think are low level relative to the capabilities that China and Russia nation states have. It is not like that! The attacks basic and most of the time directly related to people. The complex, horrible attacks aren’t even detected. Our job is to protect as much as possible, and when a customer is hit, get them back to work.

Most organization are compromised with fundamentals. Applications that aren’t patched. The Colonial Pipeline for example didn’t have two factor authentication on a VPN and it bit them. Don’t get caught up on the attack de jour or the morass of new technical things. Stick to the core fundamentals. Patch and update systems, use long strong pass phrases, use two factor authentications to reduce the attack surface available. Train your users. This is a grind for fundamentals that will provide a protection strategy.

Return on Luck – Great by Choice. Jim Colins – They study the good and back luck events over 10 years. When they look at the 10x’ers top 1%. They all had the same number of good and back luck events. The different was that the top companies were able to recognize both and were better prepared for bad luck events.  Sometimes it’s’ seeing a bad luck event and turning it into a turning point for your business or life.

If this was a baseball game, do you know what inning would we be in? Are you starting to sing the national anthem?