
Why CEOs fail cybersecurity (hint: they aren't asking the right questions) - bnb
https://www.inc.com/schuyler-brown/5-questions-every-ceo-needs-to-ask-about-data-security.html
======
sasas
Relevant to Equifax... the article should have:

6) Do you have an up-to-date list of all assets in your network/platform, with
assigned owners? Have the components of the assets been registered for
vulnerability notifications?

You are running blind if you don't know what's in your platform. How can you
secure something if you don't know it "exists"?

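The inventory check the comment above asks for, as an added example (not code from the thread or from any company named in it): it takes a constructed asset list, flags assets with no owner and components nobody has registered for vulnerability notifications, and matches the components against a constructed advisory feed so that each hit comes out with the owner to notify. Asset names, component names and the advisory identifier are all hypothetical.

```python
"""Asset-inventory hygiene check (added example, not from the thread).

Given an inventory of platform assets, each with an owner and a list of
software components, and a vulnerability advisory feed, report:
  1. assets with no assigned owner,
  2. components not registered for vulnerability notifications,
  3. components matched by a current advisory, with the owner to notify.
All names, versions and the advisory below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Component:
    name: str
    version: str
    notify_registered: bool = False  # subscribed to the vendor/CVE feed?


@dataclass
class Asset:
    asset_id: str
    owner: Optional[str]  # None means nobody is accountable for it
    components: List[Component] = field(default_factory=list)


@dataclass
class Advisory:
    advisory_id: str
    component: str
    affected_below: str  # versions strictly below this are affected


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(comp: Component, adv: Advisory) -> bool:
    """True when the component is the advisory's product and below the fix version."""
    return comp.name == adv.component and \
        parse_version(comp.version) < parse_version(adv.affected_below)


def audit(assets: List[Asset], advisories: List[Advisory]) -> Dict[str, list]:
    """Produce the three finding lists described in the module docstring."""
    findings: Dict[str, list] = {"unowned": [], "unregistered": [], "vulnerable": []}
    for asset in assets:
        if not asset.owner:
            findings["unowned"].append(asset.asset_id)
        for comp in asset.components:
            if not comp.notify_registered:
                findings["unregistered"].append((asset.asset_id, comp.name))
            for adv in advisories:
                if is_affected(comp, adv):
                    findings["vulnerable"].append({
                        "asset": asset.asset_id,
                        "component": comp.name,
                        "version": comp.version,
                        "advisory": adv.advisory_id,
                        # an unowned asset is the one nobody will patch
                        "owner": asset.owner or "UNASSIGNED",
                    })
    return findings


# Constructed inventory: three assets, one with no owner.
INVENTORY = [
    Asset("web-frontend", "team-web", [
        Component("example-framework", "2.3.1", notify_registered=True),
        Component("example-json", "1.0.0"),
    ]),
    Asset("legacy-portal", None, [
        Component("example-framework", "2.1.0"),
    ]),
    Asset("api-gateway", "team-platform", [
        Component("example-framework", "2.5.0", notify_registered=True),
    ]),
]

# Constructed advisory: hypothetical identifier, hypothetical product.
ADVISORIES = [Advisory("ADV-0001", "example-framework", "2.4.0")]


if __name__ == "__main__":
    for category, items in audit(INVENTORY, ADVISORIES).items():
        print(category)
        for item in items:
            print("  ", item)
```

The third finding list is the one that matters in an Equifax-style situation: without the first two (an owner per asset, a notification subscription per component) an advisory never reaches the person who can act on it.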
------
Kevin_S
I've come to a point where I really think no company will ever have even
competent InfoSec practices. I've worked at a Fortune 100 (terrible due to
scale, probably), a small InfoSec consulting firm (terrible due to lack of
scale and non-caring leadership, as ironic as it is) and now a global firm
(terrible due to scale and poor training).

I have no idea how to solve this problem, it seems impossible.

~~~
sbrown12
Hiya Kevin. I wrote that Inc article. I feel you. How many times have you seen
one (or all of these)...

- credentials shared across teams
- database credentials stored in plain-text config files
- unsecured MongoDB clusters

I used to think that none of this stuff would change until people were held
accountable. Imagine if a data breach at work meant that I had to pay a fine
so steep that I had to declare personal bankruptcy... bet that might get
people's attention, but I doubt there's the political will to pass laws like
that.

Instead, I've spent my time trying to tackle it from the other end of
incentives: how do we make security tools easier to adopt than the
alternative? The SSO guys have done a great job, but there's plenty more to
do.

*Full disclosure: I founded a data security company.

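Two of the problems listed in the comment above are easy to catch mechanically, so here is an added example (not code from the thread or from the commenter's company) that audits constructed config text for them: database credentials stored in plain text (a `password`-style key with a literal value, or a user:password pair embedded in a connection URI) and a MongoDB server configured with no authorization and bound to every interface, shown as a weak `mongod.conf` fragment beside a corrected one. The hostnames, credentials and file contents are all constructed; the `mongod.conf` keys (`net.bindIp`, `security.authorization`) are real MongoDB settings.

```python
"""Config-file audit (added example, not from the thread).

Scans constructed config-file text for two of the problems listed above:
  * database credentials stored in plain text (password= keys and
    user:password@ embedded in connection URIs),
  * a MongoDB server configured without authorization and bound to all
    interfaces (the "unsecured mongodb cluster" case).
Hostnames, credentials and file contents below are constructed for illustration.
"""
import re
from typing import List, Tuple

# Constructed app config: a literal DB password and a URI with embedded
# credentials are findings; the ${APP_SECRET} reference is not.
APP_CONFIG = """\
[database]
host = db.internal.example
user = app
password = hunter2
mongo_uri = mongodb://reporting:Sup3rSecret@mongo.internal.example:27017/reports
secret = ${APP_SECRET}
"""

# Constructed mongod.conf fragments: the weak setting and the corrected one.
MONGOD_CONF_WEAK = """\
net:
  bindIp: 0.0.0.0
  port: 27017
"""
MONGOD_CONF_FIXED = """\
net:
  bindIp: 127.0.0.1,10.0.0.5
  port: 27017
security:
  authorization: enabled
"""

PASSWORD_KEY = re.compile(r"^\s*(password|passwd|pwd|secret)\s*[=:]\s*(\S+)", re.I)
# scheme://user:password@host  (any URI scheme, e.g. mongodb, postgres, mysql)
URI_CREDS = re.compile(r"\b[a-z][a-z0-9+.-]*://([^:/@\s]+):([^@\s]+)@", re.I)
ENV_REF = re.compile(r"^\$\{?\w+\}?$")  # $VAR or ${VAR}: value comes from the environment


def find_plaintext_credentials(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, finding, key-or-user) for each plaintext credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PASSWORD_KEY.match(line)
        if m and not ENV_REF.match(m.group(2)):
            findings.append((lineno, "plaintext password value", m.group(1)))
        m = URI_CREDS.search(line)
        if m:
            findings.append((lineno, "credentials embedded in connection URI", m.group(1)))
    return findings


def audit_mongod_conf(text: str) -> List[str]:
    """Return a list of issues found in a mongod.conf (YAML) fragment.

    A minimal 'key: value' scan stands in for a YAML parser so the example
    runs with the standard library only.
    """
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z]+)\s*:\s*(\S.*)?$", line)
        if m and m.group(2):
            settings[m.group(1)] = m.group(2).strip()
    issues = []
    bind = settings.get("bindIp", "127.0.0.1")  # MongoDB 3.6+ default: localhost only
    if any(ip.strip() in ("0.0.0.0", "::") for ip in bind.split(",")):
        issues.append("net.bindIp exposes the server on all interfaces")
    if settings.get("authorization", "disabled") != "enabled":
        issues.append("security.authorization is not enabled (no authentication required)")
    return issues


if __name__ == "__main__":
    for finding in find_plaintext_credentials(APP_CONFIG):
        print("app config line %d: %s (%s)" % finding)
    print("weak mongod.conf:", audit_mongod_conf(MONGOD_CONF_WEAK))
    print("fixed mongod.conf:", audit_mongod_conf(MONGOD_CONF_FIXED))
```

The credential scan deliberately accepts `${VAR}` references, which is the usual fix: keep the secret in the environment or a secrets manager and let the config file name it rather than contain it. The MongoDB check treats a missing `bindIp` as safe because recent server versions bind to localhost by default, but an explicit `0.0.0.0` with authorization still disabled is exactly the configuration behind the exposed clusters the commenter mentions.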
------
grumble
Why give a hint, why not just state the fact in the title? Grrr, give me an
old-fashioned headline any day ;)

