Aug 22, 2019
100% Security. A great idea that's impossible to achieve.
Regardless, CEOs are still asking for it. How should security
people respond? We'll discuss the philosophical implications of
that question. This post is the basis of our conversation on this
week's episode, co-hosted by me, David Spark (@dspark), the creator
of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for
this episode is Rich Friedberg (@richf321), CISO, Blackbaud.
Thanks to this week's podcast sponsor, Anomali.
Anomali harnesses threat data, information, and intelligence to
drive effective cyber security decisions.
On this episode of Defense in Depth, you'll
- Even though security people learned a long time ago that 100
percent security is not achievable while still running a business,
CEOs are still asking their security departments to deliver it.
- The most common response to the 100 percent security request is
to point out that nothing in business is 100 percent. Everything is
a type of a risk.
- Pointing out that everything is a risk doesn't necessarily
endear a CISO to the security department. Instead, use empathy and
try to understand what they are really asking for when they make
the 100 percent security request.
- It's often difficult for a CEO to initiate a discussion about
- The question shouldn't be "how safe are we?" but rather "how
prepared are we?" Should a breach happen, which seems inevitable
these days, how quickly can the business respond and continue to
function? A breach doesn't need to destroy a business.
- The best way to connect with the business on security risk is
to correlate it to another risk decision that makes sense to them.
For example, battling fraud. No business tries to eliminate 100
percent of fraud, because at some point the cost of eliminating the
remaining fraud far exceeds the cost of the remaining fraud itself.
- As a theoretical exercise, most agreed that if you truly did
try to achieve 100 percent security, the business would cease to