Security Magazine logo
  • Sign In
  • Create Account
  • Sign Out
  • My Account
  • NEWS
  • MANAGEMENT
  • PHYSICAL
  • CYBER
  • BLOG
  • COLUMNS
  • EXCLUSIVES
  • SECTORS
  • EVENTS
  • MEDIA
  • MORE
  • EMAG
  • SIGN UP!
cart
facebook twitter linkedin youtube
  • NEWS
  • Security Newswire
  • Technologies & Solutions
  • MANAGEMENT
  • Leadership Management
  • Enterprise Services
  • Security Education & Training
  • Logical Security
  • Security & Business Resilience
  • Profiles in Excellence
  • PHYSICAL
  • Access Management
  • Fire & Life Safety
  • Identity Management
  • Physical Security
  • Video Surveillance
  • Case Studies (Physical)
  • CYBER
  • Cybersecurity News
  • More
  • COLUMNS
  • Cyber Tactics
  • Leadership & Management
  • Security Talk
  • Career Intelligence
  • Leader to Leader
  • Cybersecurity Education & Training
  • EXCLUSIVES
  • Annual Guarding Report
  • Most Influential People in Security
  • The Security Benchmark Report
  • Top Guard and Security Officer Companies
  • Top Cybersecurity Leaders
  • Women in Security
  • SECTORS
  • Arenas / Stadiums / Leagues / Entertainment
  • Banking/Finance/Insurance
  • Construction, Real Estate, Property Management
  • Education: K-12
  • Education: University
  • Government: Federal, State and Local
  • Hospitality & Casinos
  • Hospitals & Medical Centers
  • Infrastructure:Electric,Gas & Water
  • Ports: Sea, Land, & Air
  • Retail/Restaurants/Convenience
  • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
  • Industry Events
  • Webinars
  • Solutions by Sector
  • Security 500 Conference
  • MEDIA
  • Videos
  • Podcasts
  • Polls
  • Photo Galleries
  • Videos
  • Cybersecurity & Geopolitical Discussion
  • Ask Me Anything (AMA) Series
  • MORE
  • Call for Entries
  • Classifieds & Job Listings
  • Continuing Education
  • Newsletter
  • Sponsor Insights
  • Store
  • White Papers
  • EMAG
  • eMagazine
  • This Month's Content
  • Advertise
Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
Cybersecurity News

3 Strategies to Improve Your Enterprise’s Security Posture

By Sam Kassoumeh
hacker
August 25, 2015

The job of the Chief Information Security Officer (CISO) has become challenging. As security has become a top-level concern for executive boards who are paying attention to the business impact of security, CISOs now have a seat at the table. This is good news for CISOs who want to make a positive impact and be aligned with corporate strategy. The bad news is that while the security conversation is becoming more strategic for the business, the confidence in the ability to identify and stop threats from occurring is weak at best.

How Can Organizations Protect What They Cannot See?

According to a recent NYSE Governance Services survey, 66 percent of respondents are "less than confident" can protect against attacks. With over 70 percent of respondents being “significantly concerned” about third-party risk in their supply chains, security risk is spread beyond the ability of even the most mature security organizations ability to handle it.

The average total cost of a data breach in 2015 has grown 23 percent since 2013 to $3.79 million, according to the most recent Ponemon Institute report(May 2015). The cost of lost customers has risen to $1.57 million per breach. Brand name after brand name is feeling the effects. Those companies that have not been attacked yet are worried they could be the next company in the news. Target, Home Depot, Sony Pictures, Anthem Health, JPMorgan and many others, including most recent big name, the U.S. government’sOffice of Personnel Management are the unfortunate case studies in weak security damaging the business.

New approaches and strategies by the C-level are needed to reorient the mindset of business units, technology teams, and the security behavior of employees. Here are three approaches CISOs and cyber-responsible CSOs can use right now, in 2015, to affect change.

1. Increase Security Visibility Into Your Emerging Partner Ecosystem

CISOs are inevitably accountable for the protection of data in their respective company. It used to be that data lived only inside the four walls of our fortress behind firewalls, behind two-factor authentication, protected by passwords, and monitored by systems and full-time employees that we trusted to hold the keys to the kingdom. Also, we used to have an added layer of financial protection via vendor contracts and SLAs. Lockdown was much easier.

In today’s interconnected world, we’ve discovered that commerce isn’t executed in the isolation of the fortress, but thrives on the massively complex, interconnected, sometimes symbiotic network of B2B relationships. Business departments are taking advantage of the cost efficiencies and turn-key conveniences from cloud, mobile and a whole host of unique, time-saving or cost-effective technologies. Developers carry around their company’s entire production source code on their laptop, and the mobile workforce now operates in a fully distributed model – and are no longer shackled to the cubicle. 

Most security leaders, however, do not have the transparency, tools and visible reach into the new security landscape beyond our own four walls. Let’s say your company uses an externally-hosted third-party cloud infrastructure to host their application. How do you ensure that the third-party ecosystem uses the same security standards that you use inside your corporate fortress?  If a hacker has non-intrusively exfiltrated your data from a third-party network, how do you know?

The emerging operational habitat is decentralized, so we have to adapt. Data is now in systems that we do not own, cannot see and cannot access. How can the CISO protect what they cannot see?

2. Empower Your Weakest Links

One of the most striking discoveries from this year’s Verizon Data Breach report showed how quickly attackers can access and exfiltrate a company’s data reflecting the sheer agility of hackers. The report cites that in over 60 percent of breaches, attackers were able to infiltrate a target within minutes. Security owners may not want to publically admit the difficulty in preventing a breach, and many discover a breach only after it has occurred.

Now that digital operations are more dispersed than they have ever been, and includes the flaws, vulnerabilities, and security behavior of third parties that you cannot control, how do you effectively achieve an accurate risk profile and risk mitigation strategy? How do you apply controls that see and understand the context of the decentralized habitat as it interacts with the partner ecosystem and your fortress? Once we're breached, and once an intruder is inside of our fortress, what are the steps to identify and isolate an intruder – and prevent them from persisting to your most valuable and sensitive data, such as intellectual property or customer and employee data that may put you in jeopardy with regulators (or adversely affect your company’s revenue targets or shareholders)?

Protective layering, of course, helps, but it might not be enough when authorized credentials bypass that layering. The volume of interconnected technologies and systems from external, third-party sources combined with poor security behavior from your average employee make for fertile data theft crop. After all, you’re only as strong as your weakest link.

Even with amazing fortress-protecting perimeter technologies supplemented by highly competent security team talent, breaches are occurring at rates much higher than 10 or 15 years ago. The surface area has grown exponentially. CISOs need thick skin to accept this reality and shift their team’s mindset from complete prevention to rapid detection and remediation, which is not nearly as easy as it sounds.

3. Communicate the Right Security Story

After the next major, highly publicized data breach of a major company, you should expect the CEO or executive board to ask the following questions:  "How secure are we? Could that happen to us too?”. Security tools are distributed, and speak a very technical language making security risk questions an incredibly hard question to answer.

It is our duty to find an approach that executives can understand in a vocabulary and format  that relates to larger corporate strategy and goals. Executives want business metrics that tell a story. How secure were we a month ago versus today? What are the historical security trends and pitfalls for our industry? How secure are our business partners that we are connected to?

We are very good at tracking and presenting our own security operations through technical metrics, security KPIs and the like, but they do not tell the story that needs to be heard. We do not tell how we are doing compared to our industry or competition. We have little to no ability to benchmark ourselves and our peers. CISOs who understand this will learn how to put the right business lens on their reporting and communications, and will use it to their advantage to secure strategic budget and stay aligned with company priorities.CISOs will need tojointly define and understand acceptable risk thresholds from business units and departments.

KEYWORDS: data breach costs layered security mobile security security posture

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Sam Kassoumeh is the COO and co-founder of SecurityScorecard. A seasoned cybersecurity professional, he has been the Head of Security and Compliance at Gilt and lead Global Security at Federal-Mogul. Kassoumeh has a keen understanding of the cybersecurity space with more than 10 years of experience leading security teams.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Security Leadership and Management
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Logical Security
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Cybersecurity
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

Security’s Top 5 – 2024 Year in Review

Security’s Top 5 – 2024 Year in Review

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Sureview screen
    Sponsored bySureView Systems

    The Evolution of Automation in the Command Center

  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

Popular Stories

Rendered computer with keyboard

16B Login Credentials Exposed in World’s Largest Data Breach

Verizon on phone screen

61M Records Listed for Sale Online, Allegedly Belong to Verizon

Security’s 2025 Women in Security

Security’s 2025 Women in Security

Red spiderweb

From Retail to Insurance, Scattered Spider Changes Targets

blurry multicolored text on black screen

PowerSchool Education Technology Company Announces Data Breach

2025 Security Benchmark banner

Events

July 17, 2025

Tech in the Jungle: Leveraging Surveillance, Access Control, and Technology in Unique Environments

What do zebras, school groups and high-tech surveillance have in common? They're all part of a day’s work for the security team at the Toledo Zoo.

August 7, 2025

Threats to the Energy Sector: Implications for Corporate and National Security

The energy sector has found itself in the crosshairs of virtually every bad actor on the global stage.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • SMBs can improve their cybersecurity posture

    Practical tips and resources to improve the cybersecurity posture of your business

    See More
  • BoonEdam-image.jpg

    Security entrances: Essential tools to improve facility security posture

    See More
  • Webcor implements managed security services to mitigate risk

    Commercial construction company Webcor implements managed services to improve its security posture

    See More

Related Products

See More Products
  • security culture.webp

    Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

  • school security.jpg

    School Security: How to Build and Strengthen a School Safety Program

  • physical security.webp

    Physical Security Assessment Handbook An Insider’s Guide to Securing a Business

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing

Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!