Fortune 500 CISO: Nick’s Newsletter No. 38

Sign up for my newsletter to see more interviews with the biggest names in cybersecurity.

This week I spoke to the CISO of a Fortune 500 retailer. He asked that his name not be disclosed. See the interview below and thanks for reading!

You’re the CISO of a Fortune 500 retailer, and you were the CISO of another large retailer when the Target breach occurred. A lot of people say that the Target breach turned security into a board level issue. Would you agree with this? Have you shifted your approach to security at all in the wake of the breach? 

For many, the Target and Home Depot breaches did get Boards to take notice, but other Boards were already quite aware of the business risk. Many forget about the TJMaxx breach several years ago; for me, that is when information security became a Board topic. I have been briefing Boards since 2007 on information security. No, the Target breach did not change my approach. What it did do is highlight the need for risk transfer via cyber insurance.

We hear a lot about the benefits of information sharing in the security community. You’ve been a big proponent of threat information sharing for a while now. Is threat sharing being done on a large scale in industry today? Have you used any of the commercial threat sharing products out there today? 

Threat sharing is gaining momentum within the Retail sector, and other industries have been sharing intel for many years. Unfortunately, many large retailers are still uncomfortable sharing intel, and legal departments continue to be an obstacle to greater adoption of intel sharing. I have invested in multiple intel sharing solutions with moderate success. Currently I am working to get R-CISC to be the go-to destination for intel sharing within the retail, hospitality, and gaming industries.

What’s the process like for finding and ultimately introducing new security products into your organization? There’s no shortage of early stage security products out there; how can these companies get your attention?

It is not easy to get on my calendar. The best way for new companies to get my ear is to work through trusted integrators I partner with who know what types of solutions are of interest.

Are there any areas in security that the commercial market isn’t adequately addressing today?

Nothing comes to mind – more often it is more of an opportunity to solve a current security need in a more efficient manner or in more of a service model rather than a sunk cost capital model.

VCs often talk about having relationships with CTOs and CISOs that they can introduce to their portfolio companies. Do you have much interaction with VCs? How should VCs that want to meet more CISOs go about establishing a mutually beneficial relationship? 

Yes, I speak with several VCs about companies in their portfolio. Dinners work well for me to network and discuss companies being incubated by VCs.

The News:

Tenable Network Security Raises $250 Million in One of the Largest Funding Rounds for a Private Security Company

Security Tools : Why more findings are bad for your security program

  • Twitter CISO Michael Coates explains why tools producing more false negatives are preferable to those producing more false positives for building a scalable security program.

Microsoft Goes For Another Israeli Security Firm Buying Secure Islands

  • Reports say Microsoft paid $77-150 million for the company. Secure Islands protects files so that they can be securely moved across platforms and networks. This is the third cloud security company that Microsoft has purchased in the past year, after Aorato (purchased for $200 million) and Adallom (purchased for $320 million).

Charges Announced in J.P. Morgan Hacking Case

  • The three masterminds hacked 12 companies including ScottTrade and Etrade, and made hundreds of millions of dollars through various schemes.

Fast, flexible and free, Linux is taking over the online world. But there is growing unease about security weaknesses.

  • Great weekend read on the origins and current state of the Linux operating system. Linus Torvalds, who founded and still controls the Linux kernel, has frequently been at odds with the security community, which argues that Linux is long overdue for a security overhaul.

Non-Security:

Snapchat Isn’t the Only Startup in Fidelity’s Crosshairs

  • News came out earlier this week that Fidelity had recently marked down its investment in SnapChat by more than 25%. Turns out it also marked down investments in companies such as Blue Bottle Coffee, Zenefits, and Dataminr.

Benchmarking Atlassian’s S-1 – How 7 Key SaaS Metrics Stack Up

  • Amazingly low customer concentration, customer acquisition costs, high sales efficiency, and positive net income?!?! Only thing average about them is their growth rate. Huge week for Accel with this announcement and the Tenable funding round.
