7 Big Ideas from Cybersecurity Leaders We’ve Interviewed

As a network security solution provider, we are always looking to better understand the market. We do this in a number of ways:

We’ve also had the good fortune of interviewing some of the brightest minds in the industry and publishing the results of those interviews on this blog.

As we close in on the year’s end, we’re taking a look back at some of those interviews. We’ve pulled out one powerful idea from each conversation and linked to the complete interview for those interested in reading more.

1) Cybersecurity without business disruption.

“The business of most companies is to innovate and deliver products or services to others. Unless you are a security company, the purpose of the business is not security, it’s to make, for example, chemicals that cure cancer, or develop rockets that go to Mars, or design aircraft that are faster, more economical and carry more people. As such, security is always something of an afterthought.

Generally, that’s the way we want it. We want companies that are investing their brainpower to cure cancer, to cure cancer, and we don’t want security to get in the way of that. So, the challenge of the CTO or the CISO in that environment is how to be secure enough to keep the bad guys out without interfering with your innovators?”

Bob Gourley, CTO & Co-Founder at OODA LLC, Publisher and

Read more: Cybersecurity Executive Bob Gourley on Trends, Due Diligence, and the Software Defined Perimeter

2) Cybersecurity is similar to medicine.

“Cybersecurity is similar to medicine because we can read the textbooks and case studies and see what things are common – but every patient is unique. We always have to open the possibility that there’s something involved that we hadn’t seen before.”

Ryan K. Louie, MD, Ph.D., Psychiatrist, Saint Francis Memorial Hospital (San Francisco)

Read more: Why People Who Protect Others Need to be at Their Best; Tackling Mental Health in Cybersecurity [Q&A with Dr. Ryan Louie, MD, Ph.D.]

3) The best time to join a company as CISO.

“The best time to join a company as a Chief Information Security Officer (CISO) is after they’ve had a massive scare or a massive breach. That is when you’re going to get the time, resources and budget.”

Rebecca Wynn, CISSP, CRISC, CASP, CCISO, DSc, DHL, MBA, Head of Information Security / Data Protection Officer Company, Matrix Medical Network

Read more: Healthcare Needs Cybersecurity Pros that Anticipate What Threat Actors Will Do Next [Q&A with Dr. Rebecca Wynn]

4) CISOs need a strong peer network.

“The best CISOs I know – the ones that are most prepared and confident and are effective leaders – have strong peer networks. There’s power and knowledge in unity and collaboration. If I’m the CISO at a large healthcare system, then I should be talking to others in the same role. It’s like your personal life. No problem is too big to deal with if you have the proper support system in place.”

Steve Morgan, Founder, Cybersecurity Ventures

Read more: The Growing Surface of Attack and What Cybercrime has in Common with Street Crime [Q&A with Steve Morgan of Cybersecurity Ventures]

5) More intelligent adversaries.

“We have much more intelligent adversaries that know what they want, which has changed the scope of the threats. For example, adversaries are doing a thorough due diligence and reconnaissance before even approaching an intended target.

It’s not that these threats are finding vulnerabilities in software or using exploits. Instead, they are targeting those organizations with a lack of procedures, problems in permissions and privileges, and generally exploiting humans. So, rather than use an exploit to target software, they are going after people with access to the information they want.”

Michal Purzynski, Staff Security Engineer – Threat Management, Mozilla Corporation

Read more: Zeek IDS [formerly known as Bro] is One of the Most Powerful Cybersecurity Tools You’ve Never Heard Of

6) Security culture is where CEOs can add significant value.

“A CEO can absolutely allocate people and grow the size of a cybersecurity team. They can also insist on good processes and standards, including audits. And certainly, they can acquire and implement new technologies. That’s all true, but what binds people, process and technology together is culture. Culture is where the CEO can add the most value to the security posture. They can lead from the front by highlighting the important benefit of managing cybersecurity and risk. They can help explain key policies.”

Ben Levitan, President, Cedalion Partners and member of the Bricata Board of Directors

Read more: Four-Time CEO Says Corporate Culture is the Most Important Defense in Cybersecurity

7) The key is to get the business to understand risks.

“The key is getting the business to understand the risks, and I don’t mean using fear tactics. Fear tactics – telling them about scary trends, statistics and anecdotal examples – are only effective in the short term. People grow numb to it.

What you have to do is present this in a risk mitigation and risk acceptance format. For example, you’ve got to demonstrate that you’ve done an assessment or penetration test on the network, and then list all the vulnerabilities you found. It’s very different when you show the business how an experienced hacker can gain access to the systems in five minutes and have root access to servers within 10.”

Steve Swansbrough, Healthcare Security Expert

Read more: Healthcare Security Expert: The Top Cyberthreat in Healthcare is Finance

* * *

If you’d like to be interviewed for this Q&A series with thought leaders in cybersecurity, please contact us by sending an email to media [at] Bricata [dot] com.


*** This is a Security Bloggers Network syndicated blog from Bricata authored by Bricata. Read the original post at: