By Bruce Sussman
Wed | Nov 14, 2018 | 5:24 AM PST

Here are cybersecurity quotes that will come in handy for a presentation, PowerPoint deck or your next team meeting. 

These are our top 20 quotes on cybersecurity, by leaders in cybersecurity.

All of these InfoSec quotes were part of presentations during 2018 SecureWorld regional conferences. 

#1 Passwords: “Passwords are like underwear: make them personal, make them exotic, and change them on a regular basis.”  — overheard at SecureWorld Atlanta

#2 The stress on CISOs: “Security leaders are under a lot of pressure to show quick wins while knowing full well that everything they do will be heavily scrutinized and challenged, and ultimately, they will pay the price for things that are not under their control.”  — Yaron Levi, CISO, Blue Cross and Blue Shield of Kansas City, at SecureWorld Kansas City

#3 IoT and privacy: “How many IoT devices exist, with how many computing devices do they share data? How many others have access to that data and what decisions are being made with this data? No one really knows. We just don’t know.”  — Rebecca Herold, The Privacy Professor, at SecureWorld Atlanta

#4 Security of biometric data: “We are giving away too much biometric data. If a bad guy wants your biometric data, remember this: he doesn’t need your actual fingerprint, just the data that represents your fingerprint. That will be unique, one of a kind.”  — Mike Muscatel, Sr. Information Security Manager, Snyder's-Lance, at SecureWorld Boston

#5 For security leaders at multinationals: “As a Global CISO, the best advice I can give is don’t try to do something different for every part of the world. Pick and choose what you’re going to use from a policy and procedure standpoint. Generally, pick from a global perspective the most onerous and strict regulations you have to comply with and implement them globally.”  — James Waters, Global CISO, Black & Veatch, at SecureWorld Kansas City

#6 On a positive security mindset: “I really think that if we change our own approach and thinking about what we have available to us, that is what will unlock our ability to truly excel in security. It’s a perspectives exercise. What would it look like if abundance were the reality and not resource constraint?”  — Greg York, VP, Information Security, Tribune Media, at SecureWorld Chicago

#7 What security leaders must do: “As cybersecurity leaders, we have to create our message of influence because security is a culture and you need the business to take place and be part of that security culture.”  — Britney Hommertzheim, Director, Information Security, AMC Theatres, at SecureWorld Kansas City

#8 DLP: “USBs are the devil. They just are.”  — overheard at SecureWorld Atlanta

#9 Industrial Control Systems: “In an ICS environment, typical enterprise IT doesn’t work. Small maintenance windows are part of the problem. When things must run around the clock, sometimes there is just once a year where there’s enough downtime to do a security upgrade.”  — Tauseef Ghazi, Principal, Security & Privacy Services, RSM, at SecureWorld Houston

#10 Security controls: “What we should actually be doing is thinking about what are our key controls that will mitigate the risks. How do we have those funneled and controlled through the team that we have, how do we work through that in a well formatted, formulated process and pay attention to those controls we have chosen? Not a continual, add more, add more, add more.”  — Dr. Chris Pierson, CEO, Binary Sun Cyber Risk Advisors, at SecureWorld Charlotte

#11 Insider threat risk: “We discovered in our research that insider threats are not viewed as seriously as external threats, like a cyberattack. But when companies had an insider threat, in general, they were much more costly than external incidents. This was largely because the insider that is smart has the skills to hide the crime, for months, for years, sometimes forever.”  — Dr. Larry Ponemon, Chairman, Ponemon Institute, at SecureWorld Boston

#12 Boards are waking up: “Finally, we’re seeing that nearly everyone understands security is a business risk issue at the end of the day. I joke with my clients, 'the board gets it, so they want to do something about cybersecurity, that’s the good news.' But the bad news is, 'the board gets it and they want to do something about cybersecurity.' But of course it really is good news.”  — Bruno Haring, Director, Cybersecurity & Privacy, PwC; President, InfraGard Atlanta, at SecureWorld Atlanta

#13 Incident Response: "The biggest problem in incident response is understanding how the business is using its servers, its data, and who has access."  — Incident Response panel at SecureWorld Chicago

#14 Implementing a modern cyber risk program: "A modern cybersecurity program must have Board and Executive level visibility, funding, and support. The modern cybersecurity program also includes reporting on multiple topics: understanding how threats impact revenues and the company brand, sales enablement, brand protection, IP protection, and understanding cyber risk."  — Demitrios 'Laz' Lazarikos, Founder and CEO, Blue Lava, Inc., at SecureWorld Philadelphia

#15 Rapid change in InfoSec: “Disruptive technologies are fundamentally expanding the 'Art of the Possible'; reshaping the solution provider ecosystem with a new hierarchy of winners and losers and discombobulating expectations of how and by whom risk and security should be managed and led.”  — Thornton May, IT Futurist, at SecureWorld Charlotte

#16 Security budgets: "The biggest bang for the buck in security is to ask for more money—because it's free!"  — overheard at SecureWorld Chicago

Quotes on cybersecurity and leadership, from a panel on careers at SecureWorld Kansas City:

#17 “Information security is one of the few spots in the business where you can be involved in almost every part of the business.”

#18 “Change is challenging. And security is like a moving target, so make sure you are able to deal with and work through frequent changes.”

#19 “Find your wheelhouse, where you really shine, and you will do well with that. Then surround yourself with people who are stronger than you in other areas. That combination of skill-sets will deliver what the organization needs.”

#20 “As leaders in cybersecurity, we’ve become part of the value proposition for our business, and that’s exciting!”

It is exciting.

Security leaders and their teams are more valuable than ever to their organizations.

New podcast: more cybersecurity quotes and insights 

SecureWorld is proud to announce The SecureWorld Sessions, a new cybersecurity podcast that gives you access to thought leaders who share strategies for securing your organization and growing your cybersecurity career. 

Listen to our trailer and search for it on your preferred podcast platform. 

You can already download interviews with security leaders like Bruce Schneier; Tim Callahan, Global CSO at Aflac; and Dawn Marie Hutchinson, GSK's CISO for Pharmaceuticals and R&D.
