One Article Review

Home - The article:
Source Errata Security
Identifier 1813717
Publication date 2020-07-19 17:07:57 (viewed: 2020-07-19 21:13:20)
Title How CEOs think
Text Recently, Twitter was hacked. CEOs who read about this in the news ask how they can protect themselves from similar threats. The following tweet expresses our frustration with CEOs, that they don't listen to their own people, but instead want to buy a magic pill (a product) or listen to outside consultants (like Gartner). In this post, I describe how CEOs actually think.

    CEO: "I read about that Twitter hack. Can that happen to us?"
    Security: "Yes, but ..."
    CEO: "What products can we buy to prevent this?"
    Security: "But ..."
    CEO: "Let's call Gartner."
    *sobbing sounds*
    - Wim Remes (@wimremes) July 16, 2020

The only thing more broken than how CEOs view cybersecurity is how cybersecurity experts view cybersecurity. We have this flawed view that cybersecurity is a moral imperative, that it's an aim in itself. We are convinced that people are wrong for not taking security seriously. This isn't true. Security isn't a moral issue but simple cost vs. benefits, risk vs. rewards. Taking risks is more often the correct answer than having more security.

Rather than experts dispensing unbiased advice, we've become advocates/activists, trying to convince people that they need to do more to secure things. This activism has destroyed our credibility in the boardroom. Nobody thinks we are honest.

Most of our advice is actually internal political battles. CEOs trust outside consultants mostly because outsiders don't have a stake in internal politics. Thus, the consultant can say the same thing as what you say, but be trusted.

CEOs view cybersecurity the same way they view everything else about building the business, from investment in office buildings, to capital equipment, to HR policies, to marketing programs, to telephone infrastructure, to law firms, to .... everything.

They divide their business into two parts:
The first is the part they do well, the thing they are experts at, the things that define who they are as a company, their competitive advantage.
The second is everything else, the things they don't understand.

For the second part, they just want to be average in their industry, or at best, slightly above average. They want their manufacturing costs to be about average. They want the salaries paid to employees to be about average. They want the same video conferencing system as everybody else. Everything outside of core competency is average.

I can't stress this enough: if it's not their core competency, then they don't want to excel at it. Excelling at a thing comes with a price. They have to pay people more. They have to find the leaders with proven track records at excelling at it. They have to manage excellence.

This goes all the way to the top. If it's something the company is going to excel at, then the CEO at the top has to have enough expertise themselves to understand who the best leaders are to accomplish this goal. The CEO can't hire an excellent CSO unless they have enough competency to judge the qualifications of the CSO, and enough competency to hold the CSO accountable for the job they are doing.

All this is a tradeoff. A focus of attention on one part of the business means less attention on other parts of the business. If your company excels at cybersecurity, it means not excelling at some other part of the business.

So unless you are a company like Google, whose cybersecurity is a competitive advantage, you don't want to excel in cybersecurity. You want to be
Sent Yes
Tags Ransomware Guideline
Stories NotPetya


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.