With increased media attention on security operations, are boards maintaining the right focus when it comes to cybersecurity?
VP - Head of Information Technology in Software, 1,001 - 5,000 employees
I think boards are probably behind where they need to be in terms of thinking about technological risk in a different way, as opposed to the 2,000-year-old risk management concept.
Boards are behind—their focus is on the wrong things.
Board Member, Former CIO in Software, 10,001+ employees
Generally, cybersecurity has gone to the audit committee because they’re about risk management. Frankly, I don't think that's a bad place for it to go, but they’re focused on compliance. The mindset of the audit committee is to show that our financials are accurate by proving that our controls are functioning, and having an auditor go through and validate that the controls are there. That's okay, but it doesn't guarantee that there isn't fraud going on; it just means that your controls have been tested. When you get beyond things that they understand, then they start looking for certifications as a proxy: “Okay, do we have a SOC 2? Do we have a 17799 certification?”

What I have seen with my companies is that when they do red teaming, that’s when you learn that there are things that would pass that checklist test. We have antimalware, we rotate our passwords, and we do have MFA. We have all that stuff, but in the implementation of it, something was missed. You only need to miss one little thing—one grandfathered service account or misconfigured firewall—for all those security measures to become completely irrelevant. You can have the best technology purchased and implemented, and that failure will cause you to be compromised.
I know CISOs hate talking about tools, but some tools are essential to have. Some are nice to have, but there's this fine balance between frameworks and tools because you have to protect what you have. You really do need to weigh out your risk. Say, "Here's our risk tolerance. How much money do we want to actually spend to protect us against a potential risk?" That's another problem: How do I, as a CISO, say to the board, "There's all this bad stuff out there that could potentially impact us. Can you give me some money so I can protect us against all these things?"
I think that's going back a couple thousand years to when risk management was invented. It's the same approach: What's my risk, and can I apply a dollar figure to it and approach it that way? As opposed to: what's my landscape of risk and what would the threat model be to compromise my environment? They also don’t realize that it's not an insurance policy. There are ways that you can cover yourself from multiple threats with the same thing. Ransomware is a threat, but it's one of many. There are many threats you can overcome with a couple of key strategies to mitigate those threats. I think it's a backwards mindset.