With every cybersecurity breach, we still don’t seem to be getting through. Many companies don’t seem to be taking cybersecurity seriously. What does it take? Obviously not scare tactics.

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Ben Sapiro, global CISO, Great-West LifeCo.

Thanks to this week’s podcast sponsor, Sonatype

Sonatype is laser focused on helping organizations continuously harness all of the good that open source offers, without any of the risk. Click to learn how we help over 1,000 organizations and 10 million developers make better decisions, innovate faster at scale, and rest comfortably knowing their applications consist of the highest quality open source components.

Got feedback? Join the conversation on LinkedIn.

On this episode of Defense in Depth, you’ll learn:

  • Even with attacks and breaches on a constant march, far too many companies operate under the “it will never happen to me” ostrich strategy.
  • Problem with the “I’m too small to attack” defense is you probably also have minimal security protections which also makes you far easier to attack. Far easier to penetrate 100 low defense targets than one huge target with high defenses.
  • Watching other companies survive a breach makes one feel as if they’ll be just as resilient.
  • Many companies not showing interest in cybersecurity may simply not be doing appropriate risk-based analysis.
  • A company in a highly regulated industry has no choice but to take cybersecurity seriously.
  • Businesses that are highly built on trust and have a low barrier to exit often understand the need to take cybersecurity seriously. They are always cognizant of reputational risk.
  • Many feel that they are powerless against the onslaught of attacks and even if they do take cybersecurity seriously and spend money defending themselves it will all be a giant waste of effort.
  • Many people simply don’t feel attached to any type of cybersecurity effort. If you’re not vested in it, why care about it?
  • Those of us in cybersecurity forget what it feels like to not know anything about cybersecurity.