[05-25-23] Reputational Damage from Breaches
Defense in Depth
Security professionals talk a lot about the reputational damage from breaches. And it seems logical, but major companies still do get breached and their reputation seems spared. What's the reality of what breaches can do to a company's reputation?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap, CISO, LinkedIn. We welcome our guest Cecil Pineda, CISO, R1. In this episode we discussed the following about reputational damage from breaches.
Does a company’s brand truly pay a financial price for a breach? It can happen… initially. But as Chris Gebhardt, CISO of Synoptek, noted, "Investors are greedy and they love a bargain stock." After the Equifax breach, the company lost 1/3rd of its value and then bounced back, more than doubling. But Bryan Solari of AppOmni disagrees: "Looking to stock prices post-breach does not, in my opinion, calculate the reputation damage... It depends on the type of data exposed, the amount of time between the date of exposure and time to remediation and disclosure, and the actions of the company before, during, and after the breach."
Anyone can get breached. Your reputation will be determined by how you handle it. There are so many factors, noted Sandor Slijderink, "What’s the nature of the business that was breached, reason for the breach, public response to the breach, business activities between breach, announcement of breach, and brand loyalty." What you’re doing at each stage both privately and publicly will reflect upon your brand.
Will we all be breached inevitably? Is it like a tax audit? Some day your number will come up and you’ll have to deal with it. “People realize now how hard it is to keep the ‘bad guys’ out, and just assume it will happen,” said Jonathan Weekes of Lazard. "Reputation harm for most companies is overblown as people become accustomed to it," admitted Justin Daniels of Baker Donelson.
Is the breach itself enough of a punishment? Synoptek’s Gebhardt doesn’t think it is. "The only way to impact these companies to take security seriously is through large, impactful fines," he said. “Privacy regulation and real enforcement (fines) are necessary for larger businesses that fail to exercise due care and due diligence in their operations,” said Robert Busby. “Step one: fire or fine the CEO and CFO, not just the poor, underfunded CISO scapegoat." I think we’re past the days of using the CISO as the scapegoat when a breach happens.
You can listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Thanks to our podcast sponsor, Brinqa
Super Cyber Fridays!
Join us NEXT WEEK, Friday [06-02-23], for "Hacking the Future of Risk Management"
Join us Friday, June 02, 2023, for “Hacking the Future of Risk Management: An hour of critical discussion on how we need to evolve our measurement and reduction of risk.”
It all begins at 1 PM ET/10 AM PT on Friday, June 2nd, 2023 with guests Meghan Maneval, director of technical product management, Reciprocity and a special guest (that means we’re still in booking mode). We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, RiskOptics
LIVE!
Cyber Security Headlines - Week in Review
Join the LIVE "Week In Review" this Friday for Cyber Security Headlines with a CISO Series reporter. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Rich Greenberg, distinguished fellow, ISSA International.
Thanks to this week's headlines sponsor, Sonrai Security
Cyber chatter from around the web...
Jump in on these conversations
"What am I protecting from at this point?"
"How common are unused accounts on active directory and should they be addressed?"
"What's a little-known fact about your profession that would make other people lose their s**t?" (from gryphoneer.bsky.social (@OneRadChee), 11:16 AM, Mar 23, 2023)
Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:
[06-02-23] Hacking the Future of Risk Management
[06-06-23] Hacking Data Loss
Register for them all now!
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.