As a network security solution provider, we are always looking to better understand the market. We do this in a number of ways:
- talking to customers and prospects;
- attending and sponsoring events and security conferences;
- poring over industry cybersecurity studies; and
- conducting our own survey research.
We’ve also had the good fortune of interviewing some of the brightest minds in the industry and publishing the results of those interviews on this blog.
As we close in on the year’s end, we’re taking a look back at some of those interviews. We’ve pulled out one powerful idea from each conversation and linked to the complete interview for those interested in reading more.
1) Cybersecurity without business disruption.
“The business of most companies is to innovate and deliver products or services to others. Unless you are a security company, the purpose of the business is not security, it’s to make, for example, chemicals that cure cancer, or develop rockets that go to Mars, or design aircraft that are faster, more economical and carry more people. As such, security is always something of an afterthought.
Generally, that’s the way we want it. We want companies that are investing their brainpower to cure cancer, to cure cancer, and we don’t want security to get in the way of that. So, the challenge of the CTO or the CISO in that environment is how to be secure enough to keep the bad guys out without interfering with your innovators?”
2) Cybersecurity is similar to medicine.
“Cybersecurity is similar to medicine because we can read the textbooks and case studies and see what things are common – but every patient is unique. We always have to open the possibility that there’s something involved that we hadn’t seen before.”
– Ryan K. Louie, MD, Ph.D., Psychiatrist, Saint Francis Memorial Hospital (San Francisco)
3) The best time to join a company as CISO.
“The best time to join a company as a Chief Information Security Officer (CISO) is after they’ve had a massive scare or a massive breach. That is when you’re going to get the time, resources and budget.”
– Rebecca Wynn, CISSP, CRISC, CASP, CCISO, DSc, DHL, MBA, Head of Information Security / Data Protection Officer Company, Matrix Medical Network
4) CISOs need a strong peer network.
“The best CISOs I know – the ones that are most prepared and confident and are effective leaders – have strong peer networks. There’s power and knowledge in unity and collaboration. If I’m the CISO at a large healthcare system, then I should be talking to others in the same role. It’s like your personal life. No problem is too big to deal with if you have the proper support system in place.”
– Steve Morgan, Founder, Cybersecurity Ventures
5) More intelligent adversaries.
“We have much more intelligent adversaries that know what they want, which has changed the scope of the threats. For example, adversaries are doing a thorough due diligence and reconnaissance before even approaching an intended target.
It’s not that these threats are finding vulnerabilities in software or using exploits. Instead, they are targeting those organizations with a lack of procedures, problems in permissions and privileges, and generally exploiting humans. So, rather than use an exploit to target software, they are going after people with access to the information they want.”
– Michal Purzynski, Staff Security Engineer – Threat Management, Mozilla Corporation
6) Security culture is where CEOs can add significant value.
“A CEO can absolutely allocate people and grow the size of a cybersecurity team. They can also insist on good processes and standards, including audits. And certainly, they can acquire and implement new technologies. That’s all true, but what binds people, process and technology together is culture. Culture is where the CEO can add the most value to the security posture. They can lead from the front by highlighting the important benefit of managing cybersecurity and risk. They can help explain key policies.”
– Ben Levitan, President, Cedalion Partners and member of the Bricata Board of Directors
7) The key is to get the business to understand risks.
“The key is getting the business to understand the risks, and I don’t mean using fear tactics. Fear tactics – telling them about scary trends, statistics and anecdotal examples – are only effective in the short term. People grow numb to it.
What you have to do is present this in a risk mitigation and risk acceptance format. For example, you’ve got to demonstrate that you’ve done an assessment or penetration test on the network, and then list all the vulnerabilities you found. It’s very different when you show the business how an experienced hacker can gain access to the systems in five minutes and have root access to servers within 10.”
– Steve Swansbrough, Healthcare Security Expert
* * *
If you’d like to be interviewed for this Q&A series with thought leaders in cybersecurity, please contact us by sending an email to media [at] Bricata [dot] com.