8-22-19 - When CEOs Make Unreasonable Security Requests
When CEOs Make Unreasonable Security Requests
This week's episode of Defense in Depth
100% Security
On this episode of Defense in Depth:
Co-host Allan Alford and our guest Rich Friedberg, CISO, Blackbaud, discuss:
Even though security people learned a long time ago that 100 percent security is not achievable if you can run a business, CEOs are still asking their security departments to deliver it.
The most common response to the 100 percent security request is to point out that nothing in business is 100 percent. Everything is a type of a risk.
Pointing out that everything is a risk doesn't necessarily endear a CISO to the security department. Instead, use empathy and try to understand what they are really asking for when they make the 100 percent security request.
It's often difficult for a CEO to initiate a discussion about risk.
The question shouldn't be "how safe are we?" but rather "how prepared are we?" Should a breach happen, which seems inevitable these days, how quickly can the business respond and continue to function? A breach doesn't need to destroy a business.
The best way to connect with the business on security risk is to correlate it to another risk decision that makes sense to them. For example, battling fraud. No business tries to eliminate 100 percent of fraud because at one point the cost to eliminate the remaining fraud far exceeds the cost of the remaining fraud.
As a theoretical exercise, most agreed that if you truly did try to achieve 100 percent security, the business would cease to function.
Special thanks to this week's Defense in Depth podcast sponsor, Anomali.
Anomali harnesses threat data, information, and intelligence to drive effective cyber security decisions.
Network with InfoSec Professionals in NYC on 9/5/19
The CISO Series is returning to NYC for a night of InfoSec networking and the recording of one of your favorite cybersecurity podcasts. My guest co-host will be JJ Agha, VP of information security for WeWork, and our guest will be Matt Southworth, CISO, Priceline. Networking begins at 6:00 PM and we start recording at 7:00 PM.
Defense in Depth wants trending security discussions
What has made the Defense in Depth podcast so successful is that we model the show on compelling security debates we find, or that my co-host, Allan Alford, is able to generate. We know there are lots of great cybersecurity conversations going on out there; it's just that we don't always know where they are. Watch this video to see our plea, and then when you see a really hot discussion going on online, please send me a link. And if you think you've got a great topic but you don't see the discussion, start the discussion yourself, and when you get enough momentum, send me a link.
SUBSCRIBE TO BOTH PODCASTS
Go ahead and click on any of these links to subscribe to the podcast feed of your favorite podcast catcher.
If you're already a subscriber, THANK YOU! If you like either or both shows, please tell all your friends on social media and write a review on iTunes.