top | item 37580267

xfitm3 | 2 years ago

You're mistaking compliance with a competent security program.

Veserv | 2 years ago

I am not. Name one competent security program certified and verified to stop total compromise by a $30M unrestricted red team exercise, which is the ransom amount demanded by the attackers on Caesars just a few weeks prior.

Keep in mind that amounts to around 100 person-years of dedicated hacking labor. I get a team of 50 and 2 years to achieve total compromise. I get to burn 5-10 zero click RCE zero-days. The idea that any of the commercial cybersecurity companies or any commercial IT organization could design a system that could resist such an attack is laughable. This is not a question of resources, it is one of ability.

I agree, compliance is not an above-average security program. But a security program that is merely above-average is woefully underprepared for the modern threat landscape. You need a security program 100x better than “best practices” to stand a meaningful chance, and you are not finding that amongst the charlatans in the big cybersecurity players.