“If you don’t understand the risks, you don’t understand the costs,” security guru Bruce Schneier advised during a TED talk.
He was discussing security in the abstract — but it got me thinking about IT security in particular and the difficulty many executives face trying to determine if their organizations are safe from cyberattack.
The problem is that these conversations nearly always turn technical. Soon, a flurry of technology acronyms — confounding but apparently reassuring — begins flying around the room.
And, reports Schneier, it works. People, he says, will “respond to the feeling of security and not the reality.”
So what can a CEO do to understand the reality of security risk and grasp what a security failure might actually cost the organization?