How can InfoSec leaders stimulate engagement with cybersecurity across organizations?
Security incidents are like fire: No matter how small or big, a fire is a fire. Even if a fire starts small, it can expand to be really big, and security breaches are the same. They can start small—like the persistent threats where somebody gets in without you knowing—and then spread to the point that you lose control.
I had my first security training in 1997, and since then threats have evolved to become very structured and large-scale. They were previously straightforward incidents that happened because somebody was curious, or maybe malicious at an individual level. Now they have become nation-state attacks across borders. And they have their own industry with a payment method that is encouraged by middle agencies. On the other side, when we are all on the Internet, every activity that we do is exposed to outside threats. Everything is open. But as much as the magnitude and characteristics of threats are changing, the fundamental thinking should still be the same. You don't play with the fire, and you can't take chances with security either. It’s as simple as that.

When I started out in security, they would say that security needs to be a boardroom conversation. And it is now. They would also say that security belongs to everybody, not just security professionals, and I think it is evolving to that point. It does feel like we are still talking about the same things we’ve been talking about, but I think it becomes a culture issue.
Because now it's the culture at our organization that's changing people. You have to influence people and it takes a long time. Looking at it optimistically, I feel we are now right with the people who are making that change. Our developers and the board are actually talking about security, so I'm hopeful that in 10 years we'll be way ahead.