2. Only after users have been fake-phished will they really pay
attention to the training.
- Todd Fitzgerald
- @SecurityFitz
- Grant Thornton International global director of Information Security - November 2015
3. If you outsourced something and your third-party provider lost your data,
your insurance might not cover that.
- John Kennedy
- Corporate partner at Wiggin and Dana LLP - 11th November 2015
4. Incident Response plans that are 30, 40 or 100 pages long may have their
place. But a shorter document helps not only during an incident, but also
before it, raising awareness with the senior leadership about the types of
decisions they’re going to be asked to make.
- Liisa Thomas
- @WinstonLaw
- Chair of the data security practice at Winston & Strawn LLP - 11th November 2015
5. UK organisations we spoke to were under a far higher rate of attack than
the European average.
- Bob Tarzey
- @tarzey
- Service Director, Quocirca, UK - Sept 2015
6. There has been an explosion in both frequency and severity
of cyber-attacks.
- Chris Fischer
- @Allianz @AGCS_Insurance
- CEO, Allianz Global Corporate and Specialty - Sept 2015
7. JP Morgan is a company that has 2,000 people dedicated to cyber
security. They have spent $250 million dedicated to cyber security. They
did everything right, and they still got hacked.
- Erik Avakian
- Chief Information Security Officer, Commonwealth of Pennsylvania, USA - Sept 2015
8. What Would You Do Differently If You Knew You Were Going
To Be Robbed?
- Michael Sentonas
- @MichaelSentonas
- VP & CTO, McAfee Security Connected, Intel, USA - Aug 2015
9. Any CEO who really understands risk knows that cyber is possibly the most
unpredictable risk there is. It’s more unpredictable than a flood or tornado.
- Malcolm Marshall
- @WightMarshall
- KPMG’s Global Head of Cyber Security - UK - July 2015
10. The emerging nature of cyber risk is that it’s becoming systemic - as were
the risks that led to the credit crisis.
- John Scott
- Chief Risk Officer
- Global Corporate, Zurich - June 2015
11. There's no conceivable system that can stop 1 person in 100 opening a
phishing email and that can be all it takes.
- Ciaran Martin
- @GCHQ
- Director General for Cyber Security - GCHQ, UK - June 2015
12. You would never dream of a CFO not coming to a board meeting. In
addition, you would never see a CFO passing up using external audit or
teams of external advisors. The same diligence has to be assigned to
cybersecurity.
- Val Rahmani
- @valrahmani
- Non-Executive Director, Aberdeen Asset Management, USA - April 2015
13. Investors see data breaches as a threat to a company’s material value
and feel discouraged in investing in a business that has had its sensitive
information compromised.
- Malcolm Marshall
- @WightMarshall
- KPMG’s Global Head of Cyber Security - UK - July 2015
14. Key stakeholders often underestimate how complex and overwhelming it
can be to manage all the ancillary people and groups who must play a role
in mitigating a major breach incident, including internal and external
attorneys, internal and external investigators, law enforcement, regulators,
insurers and many others.
- Bryan Sartin
- Managing Director
- Data breach response and forensics - Verizon - April 2015
15. All companies go through crises, but this kind of crisis is unique in the
number of unknowns.
- Brian Brink
- Senior Counsel Litigation
- Schnuck Markets, USA - April 2015
16. There was this horrible moment where I realized there was absolutely
nothing at all that I could do.
- Amy Pascal
- Former CEO of Sony Pictures
- USA - February 2015
17. It will take a major global company going down in the wake of a cyber
attack to really shake up information security.
- Adrian Leppard
- @adelepp
- City of London Police Commissioner - UK - Jan 2015
18. A breach alone is not a disaster, but mishandling it is.
- Serene Davis
- Underwriter with Beazley
- California, USA - Sept 2014
19. It’s the not knowing that’s the worst... After a breach, there are more
questions than answers.
- Dwayne Melancon
- @ThatDwayne
- Chief Technology Officer, TripWire, Portland, USA – July 2014
20. Credit monitoring services only give consumers limited help, with a very
small percentage of the crimes that can be inflicted on them. These are
basically PR vehicles for most of the breached companies who offer credit
report monitoring.
- Avivah Litan
- @avivahl
- Vice President with Gartner Inc, Washington DC, USA - March 2014
21. There are only two types of companies: those that have been hacked, and
those that will be.
- Robert Mueller
- FBI Director
- USA - March 2012