[Sponsor] 1Password: Without C-Suite Buy-In, Security Is Just Rearranging Deck Chairs from Daring Fireball RSS feed.

There’s a line in Titanic that any IT or security professional can relate to. The ship’s architect explains that he wanted to include enough lifeboats for all the passengers, “but it was felt the deck would look too cluttered.”

That decision takes on a tragic significance in the second half of Titanic, and yet it’s a choice that’s replicated (although with less dire consequences) in companies to this day. It’s a constant challenge to get leadership to invest in breach prevention; many leaders would prefer to pay for cybersecurity insurance and hope for the best.

Yet, just as the famous shipwrecks of old inspired today’s laws about lifeboats, there are signs that the endless parade of data breaches is forcing greater investment in vulnerability management. (To be clear, we’re talking about “vulnerability management” in the broadest sense, not just patch management.)

In the past few years, NIST, the SEC, ISO, and PCI DSS have all published updated guidelines that mandate more proactive vulnerability management. Many of those guidelines specifically call out the role of leadership, such as the SEC, which now requires companies to report on how their managers and board of directors deal with vulnerabilities.

This is good news for IT and security teams; in a 2023 survey, 50% of respondents said that their organization’s vulnerability management program had support from leadership to “a large/great extent.” But obviously, that still leaves 50% of respondents out in the cold.

If you’re trying to get buy-in at your own organization, come equipped with the facts about the risks you’re facing, and come with a clear plan to remediate them. Thankfully there are plenty of resources available to help prioritize your needs. And if you’re still not getting through, you’re welcome to borrow the Titanic analogy.

To learn more about how vulnerability management is changing, read the full blog post.