Tuesday, March 3, 2015

2015 Mission: Simplify Cyber Security (No more excuses, Mr CEO)

I've been in this for years and it seems like I am always living my first projects as a security auditor. It is true that technology on the "Red Team" side has improved a lot: BadUSB and other firmware attacks, air-gap attacks based on cyber-physical systems, ultra-advanced malware evading 99% of the AV solutions, etc. But what about the "Blue Team" (organizations)?

In the last HP Cyber Security Report for 2015, you can read the following:

  • 44% of known breaches in 2014 came from vulnerabilities that are between two and four years old
  • Misconfigurations of servers as the top vulnerability in 2014

This is really a good (bad) indicator of cyber security awareness in organizations.
But why is this happening?

If we look at another important report for 2014, from InformationWeek - Dark Reading, we find that most of the organizations surveyed declared complexity as their main concern for last year:



The 1 million dollar question is: how can they think that patching and proper configuration (hardening) are complex?

My only response to this question is that they don't have enough security, or even IT, staff to apply the right procedures in the right manner. But if so, another question arises: why are they not contracting Managed Security Services?
Maybe Mr CEO thinks this is very expensive and complex, but I will try to explain my approach to him in the next posts.