Is Compliance Hurting More Than It's Helping?

Compliance Is Often In The Way Of What We Actually Want And Undermines Protection Of What Matters Most.

posted by Douglas Ferguson on December 17, 2018

Why do so many security experts lament when their leadership chooses a compliance-first security strategy? Because they know from experience that evidence of security is not proof of protection. Security compliance is akin to ‘security theatre’: there’s lots of action and posing, and it looks and feels good, but in the end the protection results aren’t aligned to real business risks. There’s no other way to say it: a compliance-first approach hurts more than it helps.


4 Essential Elements Of A Successful Security Program

Understand Risk. Have a Strategy. Optimize SecOps. Translate The Security Program.

posted by Dan Holden on November 14, 2018

The Tweet below so succinctly captures the challenges facing those responsible for securing our digital existence. It’s also a powerful distillation of why Pharos Security exists. Inspired by Ian’s Tweet, I’d like to focus on the fundamental elements that the successful CISOs we have worked with leverage when building out and maturing their security programs.


Why Evidence Of Security Isn’t Proof Of Protection

What is the difference between Security and Protection?

posted by Douglas Ferguson on October 2, 2018

At Pharos, we often point out that “evidence of security is not proof of protection”. What do we mean? It’s no secret that CISOs and security programs often have a tenuous relationship with the business and executive leadership. We hear a lot of ‘the business doesn’t get it’, ‘they only want a check box for security’, or ‘we cannot succeed unless we have a seat at the Board’. Simply put, business leadership are not being given reasonable outcomes to invest in. The onus is not on the business to ‘get it’ or to capitulate to the CISO’s budget and authority demands. The CISO must articulate outcome options, measure value and report on progress in terms that are immediately meaningful to the business. The previous blog post introduced a set of six questions that are key to bridging this gap, and to articulating and influencing at the executive and board level, raising security’s profile within the leadership of the organization. In this post we’ll focus on why evidence of security is not proof of protection.


6 Questions Every CISO Must Answer

The Protection Problem Space vs. The Security Problem Space

posted by Douglas Ferguson on September 23, 2018

When a corporate Board invests in security, they expect results. Usually, this means, “Keep us from having a headline-making breach.” The threat landscape, the implications for the firm’s risk profile and the options available to mitigate risk are not well understood. In fact, according to CSO Magazine, “Because cybersecurity issues are complex and technical, it is common for directors to express anxiety regarding whether the board has sufficient expertise and is informed enough to serve its risk oversight function in this area.” That anxiety can lead to bad decision making; for example, “more than half of boards delegate responsibility for overseeing cybersecurity risk oversight solely to a compliance or audit committee,” according to CSO. A focus on compliance is not the same as focusing on managing corporate-wide risk. The Board understands what they want, but they don’t have a firm grasp on what they need. What if they could be presented with information about cyber security in a familiar format, with familiar terms, like the CEO gets from all of their direct reports?
