“I’ve got all the security I need.”

“I’m not a target for hackers.”

These are just a few of the many rationalizations companies make when they’re in denial of cyberthreats. Why are these excuses still prevalent and how should a cyberprofessional respond?

Check out this post by Ian Murphy, co-founder of LMNTRIX, for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Gary Hayslip (@ghayslip), CISO, Softbank Investment Advisers.

Got feedback? Join the conversation on LinkedIn.

Thanks to this week’s podcast sponsor, Varonis

On this episode of Defense in Depth, you’ll learn:

• Security professionals must endure an endless string of excuses to not improve a security program. On this episode, the ones we saw fall into four categories: “What I’ve got is good enough”, “Denial”, “False safety net”, “Costs too much time/money”.
• Never rest on what you’ve got today. Today’s configuration is tomorrow’s vulnerability. Security is a process, not an end state.
• There are always issues because humans are involved.
• Small companies may not have a huge payout, but their defenses are usually weaker making them an easy score. A bunch of small companies add up to a big one.
• If you have not invested well in a good security program, you are already breached and don’t know it.
• As this show title explains, you can’t rely on a single layer of defense (e.g., firewall) to protect you.
• No CISO is complaining they’re spending too much on security.
• A great security partner is awesome, but you don’t hand off your security to someone else. It’s a shared responsibility.
• Don’t rely on cyber insurance in the same way you don’t leave your front door unlocked even though you’ve got home insurance.