As we close in on the year’s end, we’re taking a look back at some of those interviews. We’ve pulled out one powerful idea from each conversation – and linked to the complete interview for those interested in reading more.
1) Cybersecurity without business disruption.
“The business of most companies is to innovate and deliver products or services to others. Unless you are a security company, the purpose of the business is not security, it’s to make, for example, chemicals that cure cancer, or develop rockets that go to Mars, or design aircraft that are faster, more economical and carry more people. As such, security is always something of an afterthought.
Generally, that’s the way we want it. We want companies that are investing their brainpower to cure cancer, to cure cancer, and we don’t want security to get in the way of that. So, the challenge of the CTO or the CISO in that environment is how to be secure enough to keep the bad guys out without interfering with your innovators?” – For this, we definitely need cybersecurity training.
2) Cybersecurity is similar to medicine.
“Cybersecurity is similar to medicine because we can read the textbooks and case studies and see what things are common – but every patient is unique. We always have to open the possibility that there’s something involved that we hadn’t seen before.”
3) The best time to join a company as CISO.
“The best time to join a company as a Chief Information Security Officer (CISO) is after they’ve had a massive scare or a massive breach. That is when you’re going to get the time, resources and budget.”
4) CISOs need a strong peer network.
“The best CISOs I know – the ones that are most prepared and confident and are effective leaders – have strong peer networks. There’s power and knowledge in unity and collaboration. If I’m the CISO at a large healthcare system, then I should be talking to others in the same role. It’s like your personal life. No problem is too big to deal with if you have the proper support system in place.”
5) More intelligent adversaries.
“We have much more intelligent adversaries that know what they want, which has changed the scope of the threats. For example, adversaries are doing thorough due diligence and reconnaissance before even approaching an intended target.
It’s not that these threats are finding vulnerabilities in software or using exploits. Instead, they are targeting those organizations with a lack of procedures, problems in permissions and privileges, and generally exploiting humans. So, rather than use an exploit to target software, they are going after people with access to the information they want.”
6) Security culture is where CEOs can add significant value.
“A CEO can absolutely allocate people and grow the size of a cybersecurity team. They can also insist on good processes and standards, including audits. And certainly, they can acquire and implement new technologies. That’s all true, but what binds people, process and technology together is culture. Culture is where the CEO can add the most value to the security posture. They can lead from the front by highlighting the important benefit of managing cybersecurity and risk. They can help explain key policies.”
7) The key is to get the business to understand risks.
“The key is getting the business to understand the risks, and I don’t mean using fear tactics. Fear tactics – telling them about scary trends, statistics and anecdotal examples – are only effective in the short term. People grow numb to it.
What you have to do is present this in a risk mitigation and risk acceptance format. For example, you’ve got to demonstrate that you’ve done an assessment or penetration test on the network, and then list all the vulnerabilities you found. It’s very different when you show the business how an experienced hacker can gain access to the systems in five minutes and have root access to servers within 10.”