1. Enable everyone to weigh cyber as part of their decision making. When folks are trying to make a decision, I want to ensure that the context of cybersecurity is part of that decision framework. They need to weigh the risks and everything else that comes with it as part of that decision. It has to be a calculated decision rather than something that you just go ahead with, only to realize you have to worry about cybersecurity after the fact.
2. Minimize the financial impact from cyber incidents. We all know we can't stop them from ever happening again; people find their way around. If you're doing all the right things, you can mitigate and minimize the impact, particularly the financial impact. And I specify financial impact because you often need something that's measurable and there's always a dollar number you can ascribe. It could be soft dollars or just resource times. And if those things are happening frequently, you have an underlying issue that you need to solve for. If you're reducing those problems, you're already doing everything correctly to save you time, money and resources in responding to cyber issues. You're doing security preventively.
I agree with you on that point. In my former role at Intel, they could tell you what the cost per hour was if a fab was offline. If the fab is offline, then you're not manufacturing processors and you can't sell what you don't make. So that was an interesting, eye-opening experience when I found out what those numbers were like.
It’s similar at the bank, because if there's a denial of service attack against the bank and the attackers take out the credit card processing, online banking, or our ability to conduct trades through our wealth management division, the business will be able to tell you what they were expected to do during those time windows. That gives you a pretty hard number on what the impact was, and then adding in the time and effort to recover from it gets you pretty close.
The other side is productivity. I was taking care of labs and the problem was that we had these million dollar robots processing all the samples, hooked up to a Windows 95 or a Windows 98 machine that we weren’t allowed to patch. We couldn’t put AV on anything; it would break the firmware of that machine if we did, because that's how it was validated. Some of those machines in the lab had a shared username and password, and at some point a janitor got onto one of them and visited an insecure, explicit website. That machine got infected as a result, which then caused the whole lab to get infected.
And the problem is it's not as easy as rebuilding the PC after that, because every single one is validated. You have to get the vendor of each robot to come out, replace the machine and get the firmware set up, which only takes a week. But because the re-validation process takes another four to six weeks, our lab was down. This was a certified lab running samples and we were down for six weeks. We had to come up with a new way to protect those machines in case one got hit. So even before I was in security, I was still running security, but we just had VLANs. That's the best we could do: put each lab machine in its own VLAN.