In Episode 5 of our Security Leaders Perspectives series, security leaders discuss whether companies have done enough to improve cybersecurity given the current security environment.
We’re Not There Yet – Aric Perminter
“We’re not going far enough down the supply chain in order to enforce the same level of rigor that we would within our enterprise.”
The SolarWinds hack impacted organizations that had excellent cybersecurity in-house but did not extend their cybersecurity requirements far enough down their supply chains. Efforts like the Cybersecurity Maturity Model Certification (CMMC) are working to fix this and should help to prevent incidents like the SolarWinds hack in the long run.
You Can’t Rest on Your Laurels – Benjamin Corll
“You close those 100 holes correctly. And then it’s time to circle back and start again and make sure you’re still covered.”
As defenders continue to develop and improve their defenses, attackers are looking for ways to bypass and overcome them. A defender needs to plug all of the holes, but an attacker only needs to find one. Cybersecurity is a continual cycle of plugging holes and then circling back to start over and make sure that they are all still closed.
Everything Changes – Larry Trittschuh
“The technology is going to continue to advance. The threats are going to continue to evolve and advance.”
The cybersecurity industry is constantly evolving as technology and threats advance. We’ll never “be there” because we need to constantly work to improve and respond to this changing environment.
Cyberwar is the Future – Leon Ravenna
“The bad guys are better, the good guys are better, there’s more things to exploit.”
Everyone is improving their cybersecurity capabilities, and geopolitical tensions and manipulations have not gone away. My guess is that the next war is actually a cyberwar, not necessarily a hypersonic missile war.
Security Needs to Be Taken for Granted – Tim Tillman
“The iPhone put computing into the hands of everybody, and it made it a form of computing that everybody understood from the start, they didn’t need to be trained. If security were a part of that, it was integral to that experience, to the point that they didn’t have to think about it all the time, that they just took it for granted… that’s when we’ve made it.”
We’ve been trying to teach users the importance of security for thirty years now and still haven’t succeeded. Security, even something as simple as good password management, is seen as a burden and part of “check the box” compliance. We haven’t made it until security is integral to technology and everything that we do.
Security Now is Protective, Not Proactive – Charles Blauner
“The vast majority of security programs are ‘keep me out of jail’, ‘keep me out of the press’ security programs. It’s not where you need to be for you to really have a truly world class security program.”
An effective security program is one that facilitates changing how the business works and drives the business forward. Most organizations’ security programs stop at keeping people out of jail. Until CISOs regularly spend one-on-one time working with and strategizing with the CEO, we’re not there yet.