52 Steve Ragan

“Fail hard, and fail often. You’re going to mess up, and that’s okay. Just remember to learn from those failures so you don’t repeat them.”

Twitter: @SteveD3 • Website: about.me/SteveD3

Father. Hacker. Journalist, covering national security and information security.

If there is one myth that you could debunk in cybersecurity, what would it be?

I would like to see a few myths done away with. The first is that zero-day vulnerabilities are the ultimate risk and should be one of the top focal points when developing a security program. That’s just not true. In fact, most attacks will originate via phishing, exploiting weak or improper controls, or leveraging existing (old) vulnerabilities.

Another myth I’d like to see done away with is the concept that security should come second or that breaches are just “the cost of doing business” within an organization. Being willing to accept a data breach because you refuse to dump legacy code or apps, or have some desire to keep a few Windows NT boxes on the network, is just backward thinking.

What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

Hands down it’s limiting access and controlling user permissions. Least privilege does more to strangle malware than any endpoint product could ever do. The problem is most organizations can’t or won’t do this because ...