4 Things CISOs & Security Managers Are Thinking About Today

Melissa Stevens | March 31, 2017

We were curious about what CISOs and security managers have on their minds these days—so we searched around online and asked a few to share their thoughts. Below, you’ll find some interesting insights and observations to get a good conversation started in your office. 

“There are still too many CISOs out there running ‘security in a vacuum,’ where they fail to take into consideration the needs of the business. When security is conducted in a vacuum, it results in ineffective controls that waste resources and does not effectively move the business forward. Traditionally, security and business were seen as being ‘at odds’ with each other with the business wanting things fast, cheap, and easy to use, while strong security controls can go too far in the other direction, resulting in controls being slow, expensive, and not user friendly. Neither end of the spectrum is optimal. The trick is for security and the business to work together in a partnership to find the right balance of controls so things are secure enough to protect what's really at risk while helping the business achieve its goals.”

Celia Baker
CISO, IntelliGRACS Group, Inc.

2. “Strong authentication.”

“Usernames and passwords are no longer strong enough to properly authenticate an authorized individual. Password databases are leaked almost daily, and oclHashCat can now brute-force passwords up to 55 characters long.

Moving to 2FA authentication seems absolutely required these days, but 2FA tokens need to be secured adequately, too. iCloud backups are regularly broken into, Authy accounts can be hijacked alongside a cellular phone number, and companies that use SMS as a second factor of authentication are learning that enabling SMS 2FA actually decreases the security of accounts, thanks to cellphone providers' lack of security measures.

Anyone can call a cell provider, impersonate an account holder, and request a new SIM card to replace their old one. The attacker can then receive the victim's text messages even though the victim is still holding their handset. You can enable a verbal password on your cellphone account, but not all providers enforce them. T-Mobile and Sprint seem to enforce passwords well; however, Verizon doesn't seem to enforce verbal passphrases on support calls at all.

Our company has made the decision to move all 2FA tokens onto hardware devices (like Yubikeys) and forbid anyone from using a cellphone provider that does not enforce verbal passphrases if they need that cellphone for business.”

Michael Perklin
CISO, ShapeShift

3. “How do we get ahead of the cybersecurity threats?”

“In general, cybersecurity seems to be reacting to threats after they appear. How do we get security systems in place that anticipate coming threats or can address a significant number of certain threat types?”

Dr. Jim Sullivan
Senior Director Of IT, Pharmaca Integrative Pharmacy

4. “The speed at which vulnerabilities are exploited to create cyberweapons.”

In a recent Inc. article, contributor Joseph Steinberg interviewed Lou Modano, CISO and global head of infrastructure services of Nasdaq, regarding his fears about keeping Nasdaq safe from cyber incidents.

“It is no secret that, in recent years, hackers have become much more adept at creating cyberweapons to exploit vulnerabilities and that the time between the disclosure of a particular vulnerability and the creation of a weapon that exploits it has dramatically decreased… While businesses can work to make their patching and change management process extremely efficient, even doing so does not fully solve the problem—especially in situations in which vulnerabilities are announced before patches are available, in which cases criminals often create cyberweapons that exploit the vulnerabilities even before the associated patches are released by vendors… Lesson: Make sure you have an efficient process for obtaining, testing, and deploying security fixes, and be aware of when you may be at risk even with such a process in place.”

Joseph Steinberg
CEO, SecureMySocial

Note: To learn more about the impact a vulnerability could have on your network, take a look at this article on the MongoDB vulnerability.

Can you effectively share what’s on your mind to the board? 

Cybersecurity is something companies today prioritize—all the way up to the boardroom. But do you have the tools you need to present it effectively? This guide helps you nail down your presentation goals and style, select metrics your board will care about, and more. Download it for free today.
