One of the things I really enjoy is taking part in the introductory meetings with our sales team. During these meetings I get a lot of firsthand knowledge about what firms are doing currently in securing, monitoring and remediating their infrastructure.
However, one of the most discouraging things to occur happened recently. I got to talk to a firm with over 2,500 employees/contractors spread across 10 offices in the US. This particular organization tells me they don’t have a security team per se, more like an ad-hoc group of IT personnel that also do security.
They outline that besides the ransomware that has occurred a few times in the past year, they believe they are totally secure because nothing else has happened to them, despite the fact that they have no standard policies and procedures, and their 8-year old SonicWalls have never been updated. They believe they’re secure especially since they passed their last visit by a QSA and their PCI Audit/Certification.
They see a need for a service like what Milton offers (Managed Detection and Response), but since they don’t look at their logs now anyway, and they haven’t needed to in the past, they do not think they will look at this until CY 2019 as they have a new office opening and have to do PC Upgrades and new office furniture.
Of course, if the reason they gave me was, “Oh we went with your competitor,” I would have walked away knowing that, phew, at least they understand this is needed, and they went to someone who will give them a level of MDR above what they have currently.
It certainly feels upside down when organizations prioritize Security and Risk Mitigation below new computers and new desks.