C-DAYS 2024 is the biggest cybersecurity event in Portugal. It brings together ethical hackers, organizations, vendors, and governmental agencies to discuss trends, threats, and how to prepare for them. This edition was special: not only was it the 10th edition, but it was also hosted in Coimbra, Ethiack’s hometown and HQ.
These three days went by fast, and if I had to summarize my learnings from this conference, it would be this:
Organizations still prioritize defensive solutions
Defensive solutions are still preferred over proactive ones. Most organizations are just reacting to threats instead of preventing them.
In fact, only 5% to 25% of the total cybersecurity budget goes towards proactive solutions.
I think this is changing and that companies are beginning to shift stances. Vulnerabilities are the root of attacks and remediating them before they get exploited by criminals is essential for a good security posture. I see higher budgets being allocated to proactive solutions in the near future.
Part of the Ethiack team that participated in the event
SMEs often do pentests just to get the certificate
I find this shocking. SMEs usually do one pentest at most, often none. When they do test their systems, it’s often just to get a certificate. In contrast, enterprises often do two to three pentests a year.
I think what SMEs are lacking is a cost-efficient solution. Protection, yes, but continuous and at an affordable price. I think we’re getting there. My hope is that they’ll realize that the value of investing in cybersecurity goes beyond getting a shiny certificate. It affects their revenue. Big enterprise customers prefer to work with certified and secure SMEs, and having those certifications ultimately helps them close deals.
André gave a presentation on Maturity Framework Assessment for SMEs
Cyber talent is scarce and burnout is increasing
This is a common complaint I’ve heard from companies. They can’t find skilled cybersecurity professionals, even if they have the budget. At the same time, it seems existing cybersecurity staff is being used inefficiently. Another common complaint was “vulnerability burnout” - too many false-positive findings that had to be triaged manually, which frustrated security teams.
This is not sustainable. We need to teach more professionals so the talent pool stays healthy, while giving security teams the tools to work better and faster.
Another insight around hiring needs was that tech departments without a dedicated security team often outsourced their security hiring. This is positive in my opinion - better than not investing in security at all!
Myself and André with António Gameiro Marques, Lino Santos, and Isabel Baptista from CNCS
And about our Flipper Zero Giveaway…
Those who stopped by our booth had the opportunity to participate in our Flipper Zero giveaway. Many of you participated, with most completing the challenges from the mini-CTF successfully. Congratulations to everyone.
But the winner has been chosen. Pedro Simões is now the proud owner of a new Flipper Zero! We hope you use it to make those around you more secure.
See you next time,
Jorge