For example, I'll say: "Your No. 1 problem is unpatched software." They will say: "Yes, I agree." Then they will claim they have patching under control. Or they will say, "No problem, we're deploying smart cards next week." Or they're buying an advanced intrusion detection system. Hello?
Obviously, the problem is mine. For some naïve reason, I think I can stand up and talk and everyone will simply get it. But people learn by doing. Here are three simple measures to take that can improve the situation.
Step 1: Collect data on successful compromises
You have to see for yourself which threats are most successful. We all face the same ones: malware, SQL injection, cross-site scripting, social engineering, phishing, and so on. The key is to understand which threats have succeeded against your company -- those are the threats most likely to hit again in the future.
Start collecting metrics on how your company was compromised. The answer is not a malware name. It is the name of the exploitation vector that allowed that malware or hacker to get into your environment in the first place. For instance, we all face malware threats that squeak by all our defenses (at least for a certain period of time, until signatures are updated). But how do those threats make it through? Was it employees being tricked into running Trojan horse programs? If so, was it from a phishing email? Was it from employees visiting a "risky" website, or one they trust and visit all the time? Until you know the answers to these questions, you'll be fighting a losing battle.
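As an added example (not part of the original column), here is a small tally that records each compromise by its exploitation vector rather than by malware name, refines the vector where the follow-up questions above have been answered, and flags incidents where nobody recorded how the attacker got in. The incident records and field names are constructed for illustration.

```python
"""Tally successful compromises by initial exploitation vector.

Added example with constructed incident records; the field names
('malware', 'vector', 'detail') are assumptions, not a real schema.
"""
from collections import Counter

# Constructed sample incidents. 'malware' is the AV label, 'vector' is how
# the attacker got in, 'detail' answers the follow-up question (e.g. which
# kind of user trickery). None means the responder never recorded it.
INCIDENTS = [
    {"id": "INC-1", "malware": "Trojan.Generic", "vector": "user_ran_trojan", "detail": "phishing_email"},
    {"id": "INC-2", "malware": "Emotet", "vector": "user_ran_trojan", "detail": "phishing_email"},
    {"id": "INC-3", "malware": "CoinMiner", "vector": "unpatched_software", "detail": "internet_facing_app"},
    {"id": "INC-4", "malware": "Trojan.Generic", "vector": "user_ran_trojan", "detail": "trusted_site_compromised"},
    {"id": "INC-5", "malware": "Agent.Tesla", "vector": None, "detail": None},
    {"id": "INC-6", "malware": None, "vector": "sql_injection", "detail": "web_form"},
]


def tally_vectors(incidents):
    """Count compromises per vector and per (vector, detail) pair.

    Incidents with no recorded vector are listed separately: a malware
    name alone says nothing about which defense failed.
    """
    by_vector = Counter()
    by_detail = Counter()
    unclassified = []
    for inc in incidents:
        vector = inc.get("vector")
        if not vector:
            unclassified.append(inc["id"])
            continue
        by_vector[vector] += 1
        by_detail[(vector, inc.get("detail") or "unknown")] += 1
    return {"by_vector": by_vector, "by_detail": by_detail, "unclassified": unclassified}


def top_vector(incidents):
    """Return the single most common vector, the threat most likely to recur."""
    by_vector = tally_vectors(incidents)["by_vector"]
    return by_vector.most_common(1)[0][0] if by_vector else None


def classification_coverage(incidents):
    """Fraction of incidents whose vector was recorded (data quality check)."""
    classified = sum(1 for inc in incidents if inc.get("vector"))
    return classified / len(incidents) if incidents else 0.0


if __name__ == "__main__":
    result = tally_vectors(INCIDENTS)
    for vector, count in result["by_vector"].most_common():
        print(f"{count:3d}  {vector}")
    for (vector, detail), count in result["by_detail"].most_common():
        print(f"{count:3d}  {vector} / {detail}")
    print("unclassified:", result["unclassified"])
    print(f"top vector: {top_vector(INCIDENTS)}, coverage: {classification_coverage(INCIDENTS):.0%}")
```

The per-detail counts are what turn "users ran a Trojan" into an actionable answer (here, phishing email twice versus a compromised trusted site once), and the unclassified list shows which tickets need to go back to the responders.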
Step 2: Develop appropriate defenses
Once you understand how your company has been successfully exploited, implement the defenses designed to address those weak spots. Don't let yourself be misled by priests. For example, I commonly hear of companies implementing intrusion detection systems or advanced firewalls to combat their biggest threats. In such cases, I ask the group involved in making the buying decision to agree upon their most likely threat scenarios -- say, remote control malware being installed because of unpatched software, which then allows an APT to execute a pass-the-hash attack to take over the whole environment. This is a very common threat scenario. Get everyone to agree upon one or more common threat scenarios.
Then ask the product priest to tell you how, specifically, his solution would solve the problem. Don't let him quack about "decreasing overall risk" or other threats that do not pertain to the threat scenario under discussion. Ask specific questions. Tell him to show you the exact rules that would catch that particular threat. Do a walkthrough of the threat as it unfolds and how the solution would detect or prevent it. Get into the details.