I've talked about doing the simple stuff before, mainly in the context of raising the resource costs for adversaries so that they move on to a softer target. But this Coalfire survey really brought it home for me with this observation: smaller organizations are doing better than enterprises at information security. Since this is based on a survey, I will caveat this by saying that 47% of security professionals believe that pronouncements based on surveys are nonsense.

Before I unpack this concept of simplification for the security program and its cascading benefits, let's start with a few observations from today's marketplace.

The false hope of next-gen cyber product promises

Enterprise-level organizations are constantly in the sights of sales professionals deployed by companies hawking next-gen cyber whiz-bangery. Venture capital has flowed enthusiastically toward companies promising the magic product that will remove information security hassles from the purchaser's list of irritations.

It is seductive to think that technology will solve a problem that is fundamentally about people. Big organizations buy into new tech largely in the hope of automating the detection of, and response to, failures of preventive controls. What they experience instead is the need to throw people at the AI/ML/SOAR tools they are buying (tuning detections, triaging alerts, writing and maintaining playbooks), an outcome that is exactly the opposite of the one intended.

Using security assessments instead of shiny pennies

From the data we collect in our consulting operation, we know that most organizations have us perform some type of assessment, and the results identify "simple things" to improve. Vulnerability management and employee messaging are examples that are nearly universal.
These simple things have been called out in several ways, with the universal message being: "you're not doing the basics, and if you did the basics, 90% of the problem would go off a cliff."

Here's an example. The Twenty Critical Controls (now maintained as the CIS Critical Security Controls) is an informal standard of practice. It articulates preventive, detective, and responsive controls that map to requirements such as the PCI Data Security Standard (PCI DSS). What makes this informal standard so useful is that it is packaged in a way that makes implementation straightforward: the list is ordered by priority, with asset inventory at the top, and many of the controls can be automated.

Has your organization implemented controls that align with the 20? If not, that's a great foundation to consider.

Here's another example: the NIST Cybersecurity Framework (CSF). Again designed to be consumable by any organization, it is an outcome-based framework: the specific controls are not specified, but the desired outcome is defined. How you choose to achieve that outcome is up to your organization's risk tolerance, budget, and so on.

The NIST CSF (version 1.1) is split into five functions: Identify, Protect, Detect, Respond, and Recover (CSF 2.0 later added a sixth, Govern). The first is "Identify". Has your organization identified its most critical and valuable network-facing assets so that you understand where to focus controls? If not, then maybe it's time to de-prioritize machine learning and prioritize building the fundamental functions of a robust cybersecurity program.

Most "attacks" are not personal or targeted. In fact, compromises are usually the result of someone tripping over a rigged website or opening an attachment sent as part of a global campaign. Most are also not sophisticated. Attackers use tools, techniques and procedures that are recognizable, so effective defenses are well known and published. This is true for the bulk of the background noise of the Internet, the cyber stuff that is always banging on the front door.
An assessment that identifies gaps in basic IT hygiene, followed by execution of the corrective action plan, can show rapid, positive change that turns the perception of these "attacks" from a threat into a benign annoyance.

Smaller orgs are simply moving the security needle

Security pros at smaller organizations don't have the luxury of big budgets, so few enterprise-grade product vendors call; investors want those vendors selling to whales. Rather than waiting for detection and remediation automation to become commoditized, they get to work on the simple things. And guess what? We've seen the smaller orgs fulfill mission-critical functions and actually move the security needle. Meanwhile, we've seen enterprises get distracted by bright shiny objects at the expense of establishing strong preventive controls, vulnerability management, good monitoring, and rapid, effective response.

Markets want more security from everyone

Smaller orgs are also more open to novel solutions like managed security services, because they do not have a large security organization to support and can rely on trusted partners to provide the experts. Information security compliance is growing more complex, and it reaches you even if you are only a supplier to a covered entity: to do business, organizations must now routinely attest to their security controls. That pressure is pushing smaller organizations into compliance activities in order to compete. Managed services from a trusted third-party provider help smaller businesses move more nimbly in the marketplace: instead of building and managing a large security team, they can lean on partners for expertise and resources and focus on growing the business and executing the core mission.
This is also a cost-avoidance strategy: HR recruiting, compensation, and retention costs for scarce security talent become irrelevant.

I think a reasonable analogy here is the difference between the US and developing countries in their approach to telecommunications. Developing countries skipped the wired build-out and went straight to wireless, learning from the evolution in developed countries. Likewise, the mid-market does not want to inherit the challenges of recruiting, compensating and retaining qualified security professionals. Rather than re-creating the mistakes of their more developed peers, they are learning from those mistakes and homing in on the simpler routes to success.