50 Bruce Potter

“If more organizations focused on doing the basics well, rather than focusing on fancy new technologies, we’d be better off.”

Twitter: @gdead • Website: cycleoverride.org

Bruce Potter is the CISO at Expel and founder of The Shmoo Group, and helps run ShmooCon. He has been doing cybersecurity for more than 20 years and can best be summed up as a “jack of all trades, master of none.” Bruce has dabbled in network security, wireless and mobile security, AppSec, product assessments, pentesting, and risk management—with many of his ramblings ending up as DEF CON talks over the years.

If there is one myth that you could debunk in cybersecurity, what would it be?

There are myths? I think there are a lot of bare truths out there that people choose to ignore. Like the fact that while antivirus isn’t perfect, it’s still necessary. Like the fact that we’ve known how to build secure systems for 40+ years, but the economics and business motivations aren’t there to do it. Like the fact that closing the workforce gap not only needs to focus on training and professionalization, but it also needs to address advances in technology as well. Maybe the myth is “We have myths.” The reality is we’re terrible at recognizing the truth.

What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

Do the basics. Patch, limit ...
