“I’ve got all the security I need.”
“I’m not a target for hackers.”
These are just a few of the many rationalizations companies make when they are in denial about cyberthreats. Why are these excuses still so prevalent, and how should a cybersecurity professional respond to them?
Check out this post by Ian Murphy, co-founder of LMNTRIX, for the discussion that forms the basis of our conversation on this week’s episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Gary Hayslip (@ghayslip), CISO, Softbank Investment Advisers.
Got feedback? Join the conversation on LinkedIn.
Thanks to this week’s podcast sponsor, Varonis
On this episode of Defense in Depth, you’ll learn:
- Security professionals must endure an endless string of excuses for not improving a security program. On this episode, the ones we saw fell into four categories: “What I’ve got is good enough”, “Denial”, “False safety net”, and “Costs too much time/money”.
- Never rest on what you’ve got today. Today’s configuration is tomorrow’s vulnerability. Security is a process, not an end state.
- There are always issues because humans are involved.
- Small companies may not offer a huge payout, but their defenses are usually weaker, making them an easy score. A bunch of small companies add up to a big one.
- If you have not invested well in a good security program, you are already breached and don’t know it.
- As this show’s title implies, you can’t rely on a single layer of defense (e.g., a firewall) to protect you.
- No CISO is complaining they’re spending too much on security.
- A great security partner is awesome, but you don’t hand off your security to someone else. It’s a shared responsibility.
- Don’t rely on cyber insurance, in the same way that you don’t leave your front door unlocked just because you have home insurance.