Here is another video of great moments from Super Cyber Friday “Hacking Risk Reduction: An hour of critical thinking about actions we should take to lower risk.”
Our guests for this discussion were:
- Guy Bejerano (@GuyBejerano), CEO, SafeBreach
- Peter Liebert, CISO, LiveOmic
Got feedback? Join the conversation on LinkedIn.
HUGE thanks to our sponsor SafeBreach
Best Bad Idea

Congrats to Larry Rosen, manager, security advisory, Avanade for winning this week’s Best Bad Idea.
Other honorable mentions go to:
“Air gap everything. No internet connectivity allowed.” – Benjamin Corll, VP, cyber security, Coats
“Buy all the security tooling but don’t hire any security folks to implement and monitor it.” – Carlota Sage, vCISO principal, Fractional CISO
“Manually set the risk to low because it looks better in your report.” – Mariano Mattei, private consultant
“Expect the insurance to pay for everything without question.” – Ian Poynter, vCISO, Kalahari Security
“Teach your execs to play ‘I Object’ and have them determine what risks to deal with based on who wins the game.” – Craig Hurter, director security operations, Colorado Governor’s Office of Information Technology
10 percent better
“This goes back to the basics of CIS. Know your environment and know what exists in your environment then determine what is the acceptable risk tolerance and build your plans around that.” – Craig Hurter, director security operations, Colorado Governor’s Office of Information Technology
“Connect all cyber security programs with the revenue generator of the company. Each time you speak about cyber use it in a sentence with ‘and it helps me to grow the revenue of the company by XYZ….'” – Eli Migdal, CTO, co-founder, Boardish
Quotes from the chat room
“Cyber Insurance is a negative ROI outcome. Also once you have insurance, you are actually a much better target. Now the bad guys (and girls) know exactly who to hack and get paid.” – Eli Migdal, CTO, co-founder, Boardish
“The damage is done when you invest in insurance without it being part of an overall security plan.” – Ian Poynter, vCISO, Kalahari Security
“Insurance as a small part of the ‘tool set’ is not bad, but many companies actually think insurance is a risk reduction. It’s not. It’s a very small financial mitigation.” – Eli Migdal, CTO, co-founder, Boardish
“Each business unit will have a different idea of impacts so will define risk differently. The important thing is to be able to map those to overall business impacts and prioritize properly.” – Kevin Kentner, senior security advisor, CrowdStrike
“You need to understand what the company does, which business units are making the MOST money, and which activities within those are most critical. The platforms, data, and systems that support all of those activities are where you need to start looking for risk.” – David Peach, CISO, head of information risk, The Economist Group






