CISO Quotes

We've searched our database for all the quotes and captions related to CISO. Here they are! All 35 of them:

It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.
Stephane Nappo
Technology trust is a good thing, but control is a better one.
Stephane Nappo
The five most efficient cyber defenders are: Anticipation, Education, Detection, Reaction and Resilience. Do remember: "Cybersecurity is much more than an IT topic."
Stephane Nappo
One of the main cyber-risks is to think they don’t exist. The other is to try to treat all potential risks. Fix the basics, protect first what matters for your business and be ready to react properly to pertinent threats. Think data, but also business services integrity, awareness, customer experience, compliance, and reputation.
Stephane Nappo
Threat is a mirror of security gaps. Cyber-threat is mainly a reflection of our weaknesses. An accurate vision of digital and behavioral gaps is crucial for a consistent cyber-resilience.
Stephane Nappo
Digital freedom stops where that of users begins... Nowadays, digital evolution must no longer be offered to a customer in trade-off between privacy and security. Privacy is not for sale, it's a valuable asset to protect.
Stephane Nappo
The Internet of Things (IoT) devoid of comprehensive security management is tantamount to the Internet of Threats. Apply open collaborative innovation, systems thinking & zero-trust security models to design IoT ecosystems that generate and capture value in value chains of the Internet of Things.
Stephane Nappo
held Chief Information Security Officer (CISO) Meetings to devise a system of cooperation with the government to be implemented in
엔조이찾는곳
As Stephen Katz, former CISO of Citibank, once said, "Controls don't slow the business down; like brakes on a car, controls allow you to go faster."
Kevin Behr (The Visible Ops Handbook: Starting ITIL in 4 Practical Steps)
Situations like this only reinforce my deep suspicion of developers: They’re often carelessly breaking things and then disappearing, leaving Operations to clean up the mess. The only thing more dangerous than a developer is a developer conspiring with Security. The two working together gives us means, motive, and opportunity. I’m guessing our CISO probably strong-armed a Development manager to do something, which resulted in a developer doing something else, which broke the payroll run.
Gene Kim (The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win)
Even the bravest cyber defense will experience defeat when weaknesses are neglected.
Stephane Nappo
To turn [a] progressive vision for security into reality, the CIO and CISO both need a seat at the decision-making table.
Jadee Hanson (Inside Jobs: Why Insider Risk Is the Biggest Cyber Threat You Can't Ignore)
All the metrics above are lag measures. To illustrate, consider W. Edwards Deming's comments that managing a company by looking at financial data, which are lag measures, is like “driving a car by looking in the rearview mirror.”
Matthew K. Sharp (The CISO Evolution: Business Knowledge for Cybersecurity Executives)
Now, Porter explains in his book: “To identify a new value chain, a firm must examine everything it does, as well as its competitors' value chains, in search of creative options to do things differently. A firm should ask questions including ‘How can the activity be performed differently or even eliminated?’”
Matthew K. Sharp (The CISO Evolution: Business Knowledge for Cybersecurity Executives)
Opportunity cost is the loss of gain from other options by selecting the one at hand. Note that a security initiative that goes unfunded faces a preferred opportunity cost more often than not. By choosing a platform technology, I may lock myself in from accessing best-of-breed tooling.
Matthew K. Sharp (The CISO Evolution: Business Knowledge for Cybersecurity Executives)
Courage is willingness to take the risk once you know the odds. Optimistic overconfidence means you are taking the risk because you don't know the odds. It's a big difference. — Daniel Kahneman
Matthew K. Sharp (The CISO Evolution: Business Knowledge for Cybersecurity Executives)
I have heard CISOs frequently exclaim, they have enormous accountability and responsibility, but they lack the authority to get things done. It comes down to architecting the choices your business makes by blending perspectives enough to get the best outcome.
Matthew K. Sharp (The CISO Evolution: Business Knowledge for Cybersecurity Executives)
Yogi Berra once said, “In theory, there is no difference between theory and practice. In practice, there is.”
Matthew K. Sharp (The CISO Evolution: Business Knowledge for Cybersecurity Executives)
However, the point here is that incentives are a necessary but insufficient source of influence required to modify behaviors.
Matthew K. Sharp (The CISO Evolution: Business Knowledge for Cybersecurity Executives)
FIGURE 3.2 The Six Sources of Influence Source: Grenny, J., Maxfield, D., and Shimberg, A., How to 10X Your Influence. Used with permission.
Matthew K. Sharp (The CISO Evolution: Business Knowledge for Cybersecurity Executives)
Cyber resilience is much more than a matter of technology. Agility, balance and high level view are indispensable...
Stephane Nappo
Education has always been a profit-enabler for individuals and the corporation. Education, both conception and delivery, must evolve quickly and radically to keep pace with digital transition. Education is a part of the digital equation.
Stephane Nappo
At a boardroom or at a 'nuke proof' datacenter, a Chief Information Security Officer 2.0 participates in creating and protecting the digital value. The role of a CISO evolves from a 'policeman of computers' to a 'dietician of risk appetite'. For success in digital transformation, turn the comprehensive risk management and cybersecurity into key business differentiators.
Stephane Nappo
The only thing more dangerous than a developer is a developer conspiring with Security. The two working together gives us means, motive, and opportunity. I’m guessing our CISO probably strong-armed a Development manager to do something, which resulted in a developer doing something else, which broke the payroll run. Information Security is always flashing their badges at people and making urgent demands, regardless of the consequences to the rest of the organization, which is why we don’t invite them to many meetings. The best way to make sure something doesn’t get done is to have them in the room. They’re always coming up with a million reasons why anything we do will create a security hole that alien space-hackers will exploit to pillage our entire organization and steal all our code, intellectual property, credit card numbers, and pictures of our loved ones.
Gene Kim (The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win)
As a skilled choice architect, you are conscious of utilizing the WRAP and NUDGES frameworks in preparing your presentation and framing of the issues. Having completed a study of the value agenda, you recognize that you need to overlay the risk and mitigation costs into a single picture.
Matthew K. Sharp (The CISO Evolution: Business Knowledge for Cybersecurity Executives)
You will want to dive into the four C's of Cloud-Native Security and ensure you have a clear understanding of how you will secure technology investments to address the cloud, cluster, container, and code.
Matthew K. Sharp (The CISO Evolution: Business Knowledge for Cybersecurity Executives)
Effective people are not problem-minded; they're opportunity-minded. They feed opportunities and starve problems. — Stephen R. Covey
Matthew K. Sharp (The CISO Evolution: Business Knowledge for Cybersecurity Executives)
FIGURE 5.2 9 Box of Controls Source: Harkins, M.W., Managing Risk and Information Security: Protect to Enable. Used with permission.
Matthew K. Sharp (The CISO Evolution: Business Knowledge for Cybersecurity Executives)
In my experience, if you get the messaging and financial analysis correct in a business case, mistakes in other elements of your business case are more readily forgiven and forgotten.
Matthew K. Sharp (The CISO Evolution: Business Knowledge for Cybersecurity Executives)
I strongly feel that you must also be an excellent salesperson to be an effective cybersecurity leader.
Matthew K. Sharp (The CISO Evolution: Business Knowledge for Cybersecurity Executives)
What appears to be happening is that organizations have decided to eliminate the Director of IT title and simply adopt the Chief Information Officer title so they can say they have one. But they have not made all the required changes in authority or compensation or their recruiting methods to ensure that the person they hire is really qualified to serve in these strategic positions. In many organizations, the Director of Networks or other similar level positions have been retitled as a Chief Information Security Officer. Some organizations have split up the roles of security and privacy and actually have a Chief Information Security Officer and a Chief Privacy Officer (CPO) creating serious confusion and conflict within the organization. They typically hire lawyers in the CPO positions and a technology person in the CISO positions. Instead of combining the salaries and hiring the right person, they have purposefully depressed the salaries of both positions and will have trouble recruiting for both positions.
Mansur Hasib (Cybersecurity Leadership: Powering the Modern Organization)
He turns around and resumes his pace, saying over his shoulder, “Tell me. All those projects that Jimmy your CISO is pushing. Do they increase the flow of project work through the IT organization?” “No,” I quickly answer, rushing to catch up again. “Do they increase operational stability or decrease the time required to detect and recover from outages or security breaches?” I think a bit longer. “Probably not. A lot of it is just more busywork, and in most cases, the work they’re asking for is risky and actually could cause outages.” “Do these projects increase Brent’s capacity?” I laugh humorlessly. “No, the opposite. The audit issues alone could tie up Brent for the next year.” “And what would doing all of Jimmy’s projects do to WIP levels?” he asks, opening the door
Gene Kim (The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win)
A CISO's job is to streamline, harmonize and propagate cybersecurity and cyber hygiene throughout the organizational IoT microcosm and staff
James Scott, Senior Fellow, Institute for Critical Infrastructure Technology
“When we become an autonomous organization, we will be one of the largest unadulterated digital security organizations on the planet,” he told the annual Intel Security Focus meeting in Las Vegas. “Not only will we be one of the greatest, however, we will not rest until we achieve our goal of being the best,” said Young. This is the main focus since Intel reported on agreements to deactivate its security business as a free organization in association with the venture company TPG, five years after the acquisition of McAfee. Young focused on his vision of the new company, his roadmap to achieve that, the need for rapid innovation and the importance of collaboration between industries. “One of the things I love about this conference is that we all come together to find ways to win, to work together,” he said. First, Young highlighted the publication of the book The Second Economy: the race for trust, treasure and time in the war of cybersecurity. The main objective of the book is to help the information security officers (CISO) to communicate the battles that everyone faces in front of others in the c-suite. “So we can recruit them into our fight, we need to recruit others on our journey if we want to be successful,” he said. Challenging assumptions The book is also aimed at encouraging information security professionals to challenge their own assumptions. “I plan to send two copies of this book to the winner of the US presidential election, because cybersecurity is going to be one of the most important issues they could face,” said Young. “The book is about giving more people a vision of the dynamism of what we face in cybersecurity, which is why we have to continually challenge our assumptions,” he said. “That’s why we challenge our assumptions in the book, as well as our assumptions about what we do every day.” Young said Intel Security had asked thousands of customers to challenge the company’s assumptions in the last 18 months so that it could improve.
“This week, we are going to bring many of those comments to life in delivering a lot of innovation throughout our portfolio,” he said. Then, Young used a video to underscore the message that the McAfee brand is based on the belief that there is power to work together, and that no person, product or organization can provide total security. By allowing protection, detection and correction to work together, the company believes it can react to cyber threats more quickly. By linking products from different suppliers to work together, the company believes that network security improves. By bringing together companies to share intelligence on threats, you can find better ways to protect each other. The company said that cyber crime is the biggest challenge of the digital era, and this can only be overcome by working together. Revealed a new slogan: “Together is power”. The video also revealed the logo of the new independent company, which Young called a symbol of its new beginning and a visual representation of what is essential to the company’s strategy. “The shield means defense, and the two intertwined components are a symbol of the union that we are in the industry,” he said. “The color red is a callback to our legacy in the industry.” Three main reasons for independence According to Young, there are three main reasons behind the decision to become an independent company. First of all, it should focus entirely on enterprise-level cybersecurity, solve customers’ cybersecurity problems and address clients’ cybersecurity challenges. The second is innovation. “Because we are committed and dedicated to cybersecurity only at the company level, our innovation is focused on that,” said Young. Third is growth. “Our industry is moving faster than any other IT sub-segment, we have t
Arslan Wani
One of the main AI challenges lies in conjugating safety and efficiency. Equilibrium between AI ethics and performance will forge our future.
Stephane Nappo