I agree with largely everything which has been said, but have fallen back on ‘whelp, having even a shitty standard is better than nothing at all, because at least then people have antivirus’. I also would prefer to see an org with whitelisting and ASR-enforced Office over AV (if they had to be mutually exclusive), but alas we as an industry tell people to waste their time with things that don’t matter, all to pass some checkbox security test to at least obtain some baseline. Some of this is probably greed/scams in the case of self-appointed standards (CREST for instance), whereas others are legitimately at least trying to solve the problems.
How do we solve these issues without upskilling a bunch of people who don’t know/care about security? Is there even a solution, or are we just bound to hit some Mr. Robot-esque post-apocalyptic scenario before people get their shit together?
Hard to say. In some industries I think it is unnecessary and if they face a breach, sucks to be them, but not a whole lot is likely to be lost/damaged.
In industries where it is a necessity (e.g., government, payment processors, healthcare organizations, etc.), I think there are several things that could encourage adoption.
However, fear of distant future possible outcomes is probably one of the weakest human motivators.
If I could advocate for an approach, it would be through tax incentives, government underwritten insurance that requires adherence and practice of security controls, etc.
My thought is, we can very likely encourage cybersecurity practices using the same tools we use to, say, stimulate the economy (e.g., providing liquidity to housing markets, tax rebates for first-time homebuyers, etc.) or encourage adoption of lower-emission energy technologies (e.g., tax rebates on purchases of electric vehicles).
Unfortunately, people and government have not seemed to want to make the investment necessary to implement the methods I’ve suggested above, which is bizarre, because some of what we have lost and continue to lose is priceless (e.g., OPM government employee records, IP related to military technologies, etc.).