BOSTON - Tony Sager has not only witnessed the revolutionary change in cybersecurity over the past several decades – he has lived it, through several decades with the National Security Agency (NSA).

The most significant, he says, is the transformation of cybersecurity from a government monopoly to a vast marketplace of threats, enemies, defensive tools and solutions that are far too complex for any one organization or institution to manage. The only hope, he said, is simplification and collaboration.

Sager, a founding member and chief technologist at the Council on CyberSecurity and also director of the SANS Innovation Center, focused on explaining that change and its implications in his keynote address at the SANS Security Leadership Summit Wednesday morning in Boston.

Among his key points:

The way we were: A government monopoly facing a single enemy

“I’m a reformed monopolist,” Sager said, noting that in the 1970s, early in his career at the NSA, “the business of cybersecurity was a government monopoly. Who controlled the context, who decided what constituted success, who decided what security was good enough, who paid the freight for most of the R&D? It was the government.

“If you wanted encryption of sensitive or classified information, you had to come to a monopoly – the NSA. There was a kind of implicit notion that government would save us and solve the problem,” he said.

There was also the perception that the nation faced a single enemy – an existential threat from a single nation “that we didn’t know much about, because it was a closed society.”

The entire notion of connectivity was still in the future as well, so the notion was that cybersecurity was primarily a technology problem.

“If we could build better technology, people could use that, our information would be safer, our operations would be more assured, and that would fix it,” Sager said.

The way we are: Millions of connections, millions of enemies

None of those notions of the past “match the world we live in today,” Sager said. “We don’t have centralized ownership of the problem. We’re all connected, all using the same commodity IT, no one is breathlessly waiting for the government to tell us what is safe enough.”

Meanwhile, “we’re fighting all the time against an infinite number of bad guys,” he said. “It’s changed the flavor of the whole security business and how we think of leadership.”

Security leaders even have a tough time convincing their CEOs that the latest technology from Google, Apple, Microsoft or other vendors needs some study before it’s deployed.

“Your boss is absolutely sure you must have it right now,” he said. So, for security leaders, the new challenge is, “What’s the best we can do with what’s coming out of the marketplace? What are the prudent steps we can take? It’s no longer central control – it’s driven by consumers.”

Don’t drown in defenses

It’s not that there is a lack of defensive tools. It is that there are too many. “Never before have we had so many at our disposal,” Sager said, “yet the problem seems to be getting worse. We’re drowning in stuff to help us – there’s tons of stuff, but so much of it, and so much in conflict, you don’t know where to begin.”

That confusion, or conflict, extends to the experts, Sager said, highlighting a saying that has become a cliché in the industry – that information security experts agree with one another 90% of the time, but then waste 90% of their time arguing to the death about the other 10%.

Cut through “the fog of more” with collaboration, simplicity

Sager said the explosion of threats and defenses resulting from universal connectivity – what he came to call “the fog of more” – led him to the philosophy that the most effective way to confront and solve those problems was through collaboration. “There is a list of problems that none of us should have to solve on our own,” he said. “I started to bump into them over and over again.”

One of them is high-level security and threat understanding. “Most of you don’t have the budget and staff to do high-level security or to understand threats in a comprehensive way,” he said. “So you can do it by proxy – leverage a large community. It doesn’t even make sense to know about it all. What you really want to know is what to do about it. ‘What action should I take?’

“Everybody’s on networks, has partnerships and relationships with vendors. So, mapping from the knowledge of threats to action is a problem we should not be solving on our own,” he said, when it can be vastly improved through, “an ecosystem of contributors, adopters, vendors, working, aides, consultants, teachers and more.”

Another example is improved security through simplicity. Sager said nobody, not even the government, has the market weight to force a company of Microsoft’s size to simply, “improve security.”

The key, he said, is to ask for something specific. In one case, he sought a reduction in the vast number of desktop configurations. “If you have a preconfigured standard, it lets you manage security properties much more effectively,” he said. “It’s very hard to do with an uncontrolled environment. Millions of end points all configured differently is a nightmare. But if you can cut that down to five, or even 15, you can cut costs.

“It’s good for the vendor as well,” he added, “since they will know what a DoD desktop looks like. That saves them support costs. So it’s an economic benefit for both parties.”

Use a simplified, prioritized, shared standard for security

Sager said in 2001 he “shifted my thinking” on sharing government security recommendations with the public. “I got permission to release all the security guidance that we were developing for the DoD to the public,” he said. “You could go to NSA.gov and get the same security guidance as the DoD. It was all designed to be unclassified and sharable.”

But, he said, it eventually became clear to him that despite his good intentions, this had contributed to the “fog of more.” A private-sector associate told him that while he appreciated all the information, he was, “drowning in this stuff. I need to know what should I do now. Not everything, but now.”

That, Sager said, led him to convene a meeting with colleagues he trusted, where they whittled the list of “everything” down to 10 crucial security practices. That, in turn, was eventually adopted by the SANS Institute as a community consensus project, “and took on a life well beyond anything we expected. And it started with nothing more grandiose than the question: ‘What should people do first?’”

That became part of what is now SANS’ well-known “Top 20” list, the first five of which are: software whitelisting; secure standard configurations; application security patching; system security patching; and no administrative privileges while browsing the web or reading email.

“This is based on the 80/20 concept of security – that most of your value is derived from a small set of things,” Sager said. “It really matters, because that’s how we’re getting eaten alive. If you can’t handle this, you can’t handle more sophisticated threats.”

And that led to his final thought on leadership: “The most common mistake of strong leaders I saw,” he said, “was that they were great at telling you new things to do, but not so great at telling you what to stop doing.

“A lack of focus and priority is often a great weakness,” he said, recalling the late Apple cofounder Steve Jobs saying he was just as proud of the 10,000 things Apple didn’t do as the 10 things it did.

“If everything is important, then nothing gets done,” he said.