Our recent conversation with the Managing Director of Cyber Risk and CISO Advisory for a large consulting firm centered on information security vendors and macro trends. On the topic of spending priorities, he said it “is different by sector,” with “highly regulated industries such as banks” continuing to focus on pressing cybersecurity concerns and putting innovative projects like AI/ML in the back seat for a while. Meanwhile, he says some industries unfortunately still see cybersecurity as “optional,” calling out some pharmaceutical and food processing companies that “have 30,000 to 50,000 employees, with two people working in cybersecurity.” He says the “CIO’s explanation for the two-person strategy is, ‘We haven’t had any problems yet, so we’re not going to grow that area.’” Our guest quickly rebutted that the “hasn’t happened to me” defense may not even be true, since “the bad guys can be in there 250 days before anybody finds out. In fact, if you don’t have the right tools, you’re never going to find out.”