Securing the enterprise is no easy task. With a huge workforce to train, hundreds or even thousands of devices to manage and protect, and forever-evolving security threats, the job never stands still.

CSOs and CISOs rely on a strong network of information to keep their organizations as secure as possible. IDG TECH(Talk) led a Twitter discussion, plus a live-streamed video, with security experts and tech industry watchers to talk about the state of enterprise security in 2020 and how to keep attackers out.

Security ignorance an issue

Lack of security awareness still plagues organizations, as employees and IT staff often make mistakes that leave the company vulnerable. Those include weak passwords, bad email practices, out-of-date policies and tools, no monitoring, and no knowledge of where data resides, said Peter Salvitti (@psalvitti), chief technologist at Boston College.

Business owners are often ignorant of threats and don’t like to change things even if it means reducing the organization’s vulnerability, added Wayne Anderson (@DigitalSecArch), security and compliance architect with Microsoft's M365 Center of Excellence.

“Two phrases I hate [hearing when] working with business owners: ‘But we have done it that way, and we really don’t want to mess with what works’ and ‘We really just aren’t that big a target,’” he said.

To combat the latter, Ed Featherston (@efeatherston), vice president and principal cloud architect for Cloud Technology Partners (CTP), said he shows people how the organization is, in fact, a target for hackers.

“I frequently sit with a client, set up a public share/storage point with a honeypot, [and] usually within minutes, someone tries to hit it, prompting a ‘Hmmmmm, [I] didn't expect that’ [response] from [the] client,” he said.

Lack of awareness spreads into employees’ personal actions, such as sharing too much information on social media, said Scott Schober (@ScottBVS), author of Hacked Again, a cybersecurity news pundit, and CEO of Berkeley Varitronics Systems.

How to improve enterprise security

Enterprise security issues can be resolved by improving password policy basics, creating a system to verify that passwords are being updated, and educating staff.

A key aspect of doing that well is to empower staff to feel involved in ongoing security, creating a culture of security. You want employees to feel part of the solution, not the problem.

As Salvitti said, “Don't go around saying ‘employees are the weak link.’ Engage them, make them stakeholders and part of the program.”

Will Kelly (@willkelly), a technology writer, agreed: “It’s [about] building the more security-minded employee, the more security-minded developer, the more security-minded Ops person. Then reinforce those people with industry standard frameworks, training, and tools. Rinse and repeat.”

In addition, IT operations and security need to work together, Salvitti stressed. “First and foremost, [IT operations] should partner with your security team! Don’t leave them out. Join with them … like, at the beginning,” he said.

By bridging the gap between these siloed teams, you improve visibility and get better security, Zeus Kerravala wrote in a recent CIO article, The big task for CIOs in 2020: Bringing security and IT operations together.

“In organizations that lack collaboration between security and IT, it takes nearly two weeks longer to patch IT vulnerabilities than teams with a healthy relationship, the study found. This delay can put companies at significant risk of being breached, causing brand damage or even crippling an organization,” Kerravala wrote.

Organizations must also verify the security of the products and services they use, said Salvitti: “Ask them: 1. Do you participate in, subscribe to, known security frameworks? 2. Do you know the CIS Top 20 [Security] Controls? 3. Are you a member of an industry body dealing with security (think: IoT here)? 4. Are they in compliance with latest regulations?”

It boils down to having a defense-in-depth strategy, said Ben Rothke (@benrothke), senior information security specialist at Tapad. Layers of security build in buffers against impending hacks, giving staff multiple lines of defense and reducing some of the strain of always having to be on alert.

“Firms need defense in depth. Use the lifecycle of infosec tools of firewall, filtering, DLP [data loss prevention], IoT security, encryption, IDS/IPS [intrusion detection systems and intrusion prevention systems], DNS security, pen tests, container security, WAF [web application firewall], DDoS mitigation, cloud security, and more. And don’t forget physical security,” Rothke said.

Please join us for our next #IDGTECHtalk Twitter chat: Feb. 6 at 12pm ET. We will be discussing realistic expectations for 5G. See you there!