Q&A: Rapid7 CEO Corey Thomas on Cybersecurity, Privacy, and the Corporate World’s Challenges

August 25, 2018, 10:30 AM UTC
Lane Turner—The Boston Globe via Getty Images

IF ANYONE UNDERSTANDS your digital flaws, it’s probably Corey Thomas. A veteran of Microsoft and AT&T, the Rapid7 CEO has seen firsthand the security problems bedeviling corporate America. (He’s also betting his company on it: Rapid7’s annual revenue has almost doubled over the past two years to more than $200 million.) In conversation, Thomas makes the case for why it may be a while before we stop hearing about major breaches.

FORTUNE: It seems like every day another attack or theft of personal data is reported. What’s the state of cybersecurity in corporate America?

Cory Thomas: Our society deploys technology faster than it can manage it. The management and maintenance of our technology is the root cause of our cybersecurity challenges. In the rush to get some feature or functionality online, people don’t pay attention to the side effects.

Is it hopeless?

There are so many vulnerabilities that we know are out there—it’s low-hanging fruit we can address. People who are trying to compromise systems don’t have to put in that much effort because there are so many holes and gaps.

Are we making it harder for law enforcement to do its job?

We are, but you must have basic principles as a society. Having an infrastructure that is knowingly insecure so law enforcement’s job is easier is clearly not the solution. If it’s easier for law enforcement, it’s easier for everyone else too.

How effective is the government at protecting its own assets? Are there critical problems?

There are still a lot of problems, but things are improving. You can argue—and I do—that progress is going too slow. But I’d be hardpressed to say it’s not being made. The challenge is that it’s just not being made fast enough for the exposure and the risk that we have.

That’s the big picture. What about the small one? What do you recommend that friends and other ordinary citizens do to stay secure?

Start with the fundamentals: Don’t reuse your passwords. Get a password manager like LastPass, owned by LogMeIn, a local company in Boston like us. Use two-factor authentication anywhere you can. And just like you engage in spring cleaning elsewhere in life, periodically review the privacy settings on your top five major Internet services. It will take only an hour or two, but it’s well worth it. Many times, people aren’t aware of the control that they have. You have a whole privacy tab on your phone. Just look at it once a year.

This article originally appeared in the September 1, 2018 issue of Fortune.