Preview Mode Links will not work in preview mode

Defense in Depth

Aug 22, 2019

100% Security. A great idea that's impossible to achieve. Regardless, CEOs are still asking for it. How should security people respond and we'll discuss the philosophical implications of 100% security.

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Rich Friedberg (@richf321), CISO, Blackbaud.

Thanks to this week’s podcast sponsor, Anomali.


Anomali harnesses threat data, information, and intelligence to drive effective cyber security decisions.

On this episode of Defense in Depth, you'll learn:

  • Even though security people learned a long time ago that 100 percent security is not achievable if you can run a business, CEOs are still asking their security departments to deliver it.
  • The most common response to the 100 percent security request is to point out that nothing in business is 100 percent. Everything is a type of a risk.
  • Pointing out that everything is a risk doesn't necessarily endear a CISO to the security department. Instead, use empathy and try to understand what are they really asking when they make the 100 percent security request.
  • It's often difficult for a CEO to initiate a discussion about risk.
  • The question shouldn't be "how safe are we" but rather "how prepared are we". Should a breach happen, which seems inevitable these days, how quickly can the business respond and continue to function. A breach doesn't need to destroy a business.
  • The best way to connect with the business on security risk is to correlate it to another risk decision that makes sense to them. For example, battling fraud. No business tries to eliminate 100 percent of fraud because at one point the cost to eliminate the remaining fraud far exceeds the cost of the remaining fraud.
  • As a theoretical exercise, most agreed that if you truly did try to achieve 100 percent security, the business would cease to function.