WannaCry scared the world with its massive disruption. NotPetya reminded everyone why they can’t forget about exploits after the first time they are used. Mirai irritated consumers for a full day with record-breaking distributed denial-of-service levels from its infected botnet. The good news is that headlines from all of these attacks caught the attention of executives who suddenly started asking if they were vulnerable to these attacks. The bad news? They started asking the wrong questions.
Security is not a one-and-done project; it is a constant battle against creative hackers evolving new and improved threats. But top executives and board members are still learning about security practices, so when they stop at their CISO’s desk they only know to ask “Are we protected against WannaCry?”
The only job-preserving answer to that question is “Yes,” but that omits so many other factors that leave the executive with a false sense of security. A smart CISO can take advantage of the executive’s attention to explain how blocking specific malware variants is only a stopgap measure.