“Do better” isn’t good cybersecurity advice
Recently, I saw a social media thread asking for bad recommendations organizations receive from consultants. Examples included “ensure all systems are patched”, “implement network segregation” and “maintain an asset inventory.” From a high-level view, these suggestions seem anodyne; after all, they are based on and included in many security frameworks, including ones from NIST and