Don’t think Marriott “is a uniquely bad company poorly implementing cybersecurity controls while the majority of the rest of the world is doing everything right. Most organizations have large gaps in their cybersecurity controls. Most are not doing many basic things right. Marriott is far from an unusual bad actor,” Grimes said. “Most companies are doing cybersecurity controls like Marriott is doing, which is to say, likely doing a lot of the right things, but also with many gaps and many poorly implemented controls. Cybersecurity is often talked about as something we need to take very seriously, but in practice, most organizations have serious gaps.”
Matthew Webster, CEO of security firm Cyvergence, said he was also concerned about the settlements’ particulars.
“There are more questions than answers here regarding Marriott, but this settlement seems woefully insufficient. There are obvious challenges that need to be addressed,” Webster said. “There are the obvious failings such as poor detection methodologies, such as a SIEM, NGAV, EDR, but there are larger pictures to consider.”