So let's continue our journey together.
Some might say that cyber defenses are nothing but a series of disconnected point solutions and that someone should tie it all together.
I have thought about this argument a lot.
If you have studied your CISSP, we can all easily visualize that every technological "thing", human or non-human .... (person, processor, memory, application, storage, network device, network service) is really an endpoint to some other "thing". Every "thing" in our tech world, "I/O's" to at least 1 other something else "thing". From the greatest perspective, every "thing" is essentially connected to every other "thing" and I am not talking about just IoT here. I believe vendors, service providers, and end users would probably agree with me.
I can't extract value from continuing arguments that cyber defense is a series of point solutions. I argued that we should remain loyal to our current course, at least until something better comes along. My great great grandfather rode a horse. I drive a car.
It remains the function of the highest-ranking enterprise security executive or smaller business lead security practitioner, to qualitatively or quantitatively understand their business's risks in cyberspace. This is been written about and discussed many times. Unfortunately living risk management has not been implemented or operationalized very many times.
The industry's current path of layering point solution on top of other point solutions, might be viewed as an unsustainable model.
The future will not be a linear extrapolation of the present.
My question for your future is,
Can you envision an organization that truly understands their cyber risks, and then makes cyber investment decisions continuously and only in proper proportion to the business risk they have agreed to tolerate in advance, during joint collaboration with their executive management?
