Nastiness at NASDAQ

Of course, I realize that my proposals above require very large amounts of time, effort and money. But not doing so allows increasingly costly intrusions and attacks. The first step is to build in the instrumentation. This means, as stated above, that infosec professionals need to be heavily involved in the systems requirements and design stages. This will be hard to do and cannot be effective unless there is top-down support from senior management. Ironically, one good breach and support will follow … ask Bob Carr, CEO of Heartland Payments.


  1. Vivek Oct 11, 2015 at 10:51 pm

    Unfortunately, many people stick to the saying “if it ain’t broke, don’t fix it!” but this mentality when having to do with security is normally very dangerous. I think that in security (especially in IT Security) we need a proactive approach as you did with the 5-year plan, but not everyone does this – in most cases, security is considered a luxury and they only realise the importance of security once they fall victims to some attacks – but by this time, most of the damage is already done.

  2. Alex Oct 11, 2015 at 11:04 pm

    Having the CISO report to the CIO only works if the CIO supports and understands the importance of security. This directly relates to the culture of a company and can only be remedied (in my humble opinion) by direct reporting to Compliance or Operational Risk. Unfortunately, in an environment where the CIO marginalises security, it is far easier for projects to steamroll their way into the environment.
