63 Ben Ten

“Users are not stupid. They’re just not trained or focused on security. Users were hired to do a specific job, which rarely involves security. Users can be educated if they believe security and IT actually matter.”

Twitter: @Ben0xA • Website: ben0xa.com

Ben has been working in technology and development for more than 20 years. He spent 13 years doing defense in the medical industry before moving over to offense. He uses his knowledge of defense to refine his offensive skills and then uses this knowledge to equip customers with a better understanding of defensive methodologies.

If there is one myth that you could debunk in cybersecurity, what would it be?

That a user is stupid. Users are not stupid. They’re just not trained or focused on security. Users were hired to do a specific job, which rarely involves security. Users can be educated if they believe security and IT actually matter. Otherwise, they will do just enough to not get caught or fired.

What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

Build your defense around detections after the initial compromise. Initial vector is not nearly as important as what an attacker does after they are in. When you build your defense with the idea that the attacker is already in, it allows you to detect attacks from rogue devices, rogue employees, or ...
