CISO MAG, a publication dedicated to covering issues near and dear to corporate chief information security officers everywhere, has graciously awarded this author the designation of “Cybersecurity Person of the Year” in its December 2019 issue.
KrebsOnSecurity is grateful for the unexpected honor. But I can definitely think of quite a few people who are far more deserving of this title. In fact, if I’m eligible for any kind of recognition, perhaps “Bad News Harbinger of the Year” would be more apt.
As in years past, 2019 featured quite a few big breaches and more than a little public speaking. Almost without fail at each engagement multiple C-level folks will approach after my talk, hand me their business cards and say something like, “I hope you never have to use this, but if you do please call me first.”
I’ve taken that advice to heart, and now endeavor wherever possible to give a heads up to CISOs/CSOs about a breach before reaching out to the public relations folks. I fully realize that in many cases the person in that role will refer me to the PR department eventually or perhaps immediately.
But on balance, my experience so far is that an initial outreach to the top security person in the organization often results in that inquiry being taken far more seriously. And including this person in my initial outreach makes it much more likely that this individual ends up being on the phone when the company returns my call.
Too often, these conversations are led by the breached organization’s general counsel, which strikes me as an unnecessarily confrontational and strategically misguided approach. Especially if this is also their playbook for responding to random security researchers trying to let the company know about a dangerous security vulnerability, data breach or leak.
At least when there is a C-level security person on the phone when that call comes in I can be relatively sure I’m not going to get snowed on the technical details. While this may be a distant concern for the organization in the throes of responding to a data security incident, the truth is that the first report is usually what gets repeated in the media — whether or not it is wholly accurate or fair.
This year’s CISO MAG awards also honor the contributions of Rik Ferguson, vice president security research at Trend Micro, and Troy Hunt, an expert on web security and author of the data breach search website Have I Been Pwned? More at cisomag.com.