It may be possible to democratize security by making it more accessible to average companies through community resources. We have an idea or two, but we would appreciate your thoughts.

At the 2019 RSA security conference, Matt Chiodi, Chief Security Officer of Palo Alto Networks, said “… small organizations are using on average between 15 and 20 tools, medium-sized businesses are using 50 to 60 and large organizations or enterprises are using over 130 tools on average.” It is a statement of the obvious when a SANS survey concludes that “too many tools that are not integrated” is one of the top three problems faced by security organizations.

I’d like to refine these observations just a little. The pyramid below describes three levels of resource capability. The companies at the top are large and have extremely well-funded, mature security programs. They are able to afford the tools they believe are necessary, and they have internal development to either integrate tools or create tools as needed. The yellow band is the middle class. They can afford a fair number of tools, but they can’t afford the extensive integration or internal development needed for automation and customization. At the bottom is a large group of “have nots.” They can afford only a limited number of tools and few staff, get integration capabilities only when vendors supply them, and have no customization.

[Figure: collaborate pyramid]

We believe that this structure is problematic. As long as a significant percentage of the business community is unable to deploy adequate security, a nursery will exist for the training of an increasing volume of advanced bad actors. We also feel that small cities, non-profits and small businesses deserve to conduct their businesses safe from bad actors.

We believe that an opportunity may exist to push the bar for (Read more...)