Don't drown in defenses
It's not that there is a lack of defensive tools. It is that there are too many. "Never before have we had so many at our disposal," Sager said, "yet the problem seems to be getting worse. We're drowning in stuff to help us. There's tons of stuff, but so much of it, and so much in conflict, you don't know where to begin."
That confusion, or conflict, extends to the experts, Sager said, highlighting a saying that has become a cliché in the industry: information security experts agree with one another 90% of the time, but then waste 90% of their time arguing to the death about the other 10%.
Cut through "the fog of more" with collaboration, simplicity
Sager said the explosion of threats and defenses resulting from universal connectivity, what he came to call "the fog of more," led him to the philosophy that the most effective way to confront and solve those problems was through collaboration. "There is a list of problems that none of us should have to solve on our own," he said. "I started to bump into them over and over again."
One of them is high-level security and threat understanding. "Most of you don't have the budget and staff to do high-level security or to understand threats in a comprehensive way," he said. "So you can do it by proxy: leverage a large community. It doesn't even make sense to know about it all. What you really want to know is what to do about it. What action should I take?"
"Everybody's on networks, has partnerships and relationships with vendors. So, mapping from the knowledge of threats to action is a problem we should not be solving on our own," he said, when it can be vastly improved through, "an ecosystem of contributors, adopters, vendors, working, aides, consultants, teachers and more."
Another example is improved security through simplicity. Sager said nobody, not even the government, has the market weight to force a company of Microsoft's size to simply, "improve security."
The key, he said, is to ask for something specific. In one case, he sought a reduction in the vast number of desktop configurations. "If you have a preconfigured standard, it lets you manage security properties much more effectively," he said. "It's very hard to do with an uncontrolled environment. Millions of end points all configured differently is a nightmare. But if you can cut that down to five, or even 15, you can cut costs."
It's good for the vendor as well, he added, "since they will know what a DoD desktop looks like. That saves them support costs. So it's an economic benefit for both parties."