Protocol's experts on the biggest questions in tech.

If your company had a blank check to improve cybersecurity, what would be your first action?


Many leaders say they'd use their blank check to instill a security-first culture or bring in new talent.

Good afternoon! We asked security leaders to tell us what their first actions would be if they woke up with an unlimited budget tomorrow. Want more on cybersecurity? This week, we published a new, in-depth special report about securing the enterprise. You can read the whole thing here.

Heather Hinton

CISO at PagerDuty

Along with meeting the service expectations, protecting the data of customers, their employees, and their users is how I earn and maintain their trust over the course of our relationship. Following industry best practices, we are continuously monitoring, alerting, and responding to abnormal and suspicious activity including access to data and systems hosting data.

Following a brief happy dance for the blank check, my first investment would be focused on enhancing our ability to monitor, alert, and detect any abnormal activity with regard to employee and customer data. Today’s best practices aren’t enough — bad actors are stealthier, smarter, and more aggressive than ever. If we don’t continually improve, even when processes are best-in-class, we are already falling behind the next generation of attacks. No matter how good our discipline is today, we are focused on enhancing it for tomorrow’s challenges.

Those enhancements would fall into two categories. First, deepening the already-existing protections on both our customer and our internal employee data, as well as the ability to identify when something in that data set changes unexpectedly. Second, adding staff dedicated exclusively toward researching and implementing the next generation of data protection practices to relentlessly push our organization forward even when we feel confident in our existing discipline.


Carlos Fuentes

CISO at Pega

If I was given a blank check, I would place a greater focus on initiatives to enhance security automation for the enterprise. Security automation is used to address security operations tasks without human intervention and is an important component of security orchestration. Specifically, I would mature the DevSecOps function and add predictive analytics to enhance security monitoring oversight. The volume and rate of development work increase pressures on security teams to keep pace.

As exciting as a blank check might seem, it is not practical or scalable to hire your way through problems today. There are not enough security engineers and analysts in the marketplace to cover everything. Similarly, adding too many new security products to an environment does not always lead to better outcomes. It can often lead to a poorer experience for employees and can also add overhead to manage product conflicts.

Organizations already deal with massive amounts of data and adjusting to changes in environments. Security products that integrate with development pipelines and monitor the vast amount of data being generated allow teams to respond faster to issues and understand security risks. These tools become the eyes and ears, and can augment a team’s capability across more areas.

Lastly, security automation should be used to inform/instruct employees when they make security mistakes. This allows the security teams to provide more timely education to correct and improve behaviors. Employees will always be the most vulnerable attack vector with phishing and ransomware campaigns.


Tyler Healy

VP of security at DigitalOcean

Improving cybersecurity is not about what you can buy at a single point in time, and is as much cultural and behavioral as it is technical. I would amortize a blank-check investment into change management, awareness, and culture-building that allows full adoption of technical shifts like FIDO2 authentication on every single system for all employees and customers. Expanding on that would be an authorization model that is based on adaptive functional access control down to the field and function level per system. It requires employees to shift their thinking about security and their jobs, and with that shift a security team has a paved path to adjust to new threats, technologies, supply chains, etc. that create the constantly shifting landscape of security.


Drew Simonis

CISO at Juniper Networks

I would actually say that money is a Band-Aid to cover cultural challenges that are far more impactful to security. Sure, we need basic tools to secure and monitor the environment, but those are within reach for most organizations. But the real problems come from decisions people make, be those engaging with a third party without proper vetting, rushing projects to the finish line without concern for quality (which includes security), not prioritizing operational maintenance and basic hygiene, or even more fundamentally, sharing accounts and reusing passwords. Until we can change the decisions people make, we will never practically have enough money to solve the problems those decisions can cause.


Rotem Iram

Co-founder and CEO at At-Bay

If money were not an issue, the first thing I would do is move all of our customers to the cloud. A nice twist on a known proverb: Security is already here, it's just not evenly distributed.

As an insurer, we know that moving your business systems, data, and services to established cloud environments can dramatically reduce your attack surface and improve security controls, while reducing the time and cost to recover in the event you’re hit with an attack.

The reality is that most software barely works and requires significant effort by the customer to implement and configure correctly. Even the smallest organizations with minimum IT resources rely on dozens of technology vendors to operate, which means that something, somewhere is always broken. Attackers know this. It's why they’re able to successfully exploit the same basic technology and configuration issues over and over. Take just one example from our portfolio: The cyberinsurance claims frequency for customers using Exchange is 141% higher than those using cloud-based email.


Desiree Lee

Field CTO for data at Armis

Creating a strong cybersecurity posture doesn’t start with tools or solutions. People are the backbone of protective defense against cybercriminals, but this resource is not easy to come by. The U.S. government agrees as well, seeing as the White House this summer met to brainstorm how to fill the hundreds of thousands of open cybersecurity positions in the country — an issue that will only worsen amid expanding threat surfaces and ruthless hackers.

Given a blank check to improve cybersecurity, most leaders would likely jump to snatch up their dream tools and solutions, but I would invest in people. The only way to combat this ongoing talent shortage is by investing in training and building tomorrow’s cybersecurity experts and champions. Putting money back into people will never prove fruitless in the long term.


Rob Duhart

VP, deputy CISO at Walmart Global Tech

I’d continue our efforts to embed even more talent who can work directly with our business and technology teams to guarantee the right protocols, controls, and capabilities are built into business operations from the beginning and accelerate growth. One of the best ways to continuously improve cybersecurity capabilities is to scale a team focused solely on cybersecurity partnerships throughout the enterprise. We are proud of our investment in this space and look forward to growing our partnership program further.

Whether startups or Fortune 500 companies, rapidly growing organizations face the challenge of effectively scaling cybersecurity alongside the business. But cybersecurity should act as seamlessly as the brakes on a Formula 1 race car: If operating correctly, it won’t hinder the speed at which an organization can grow, but rather build in the right protocols and levers so they can safely reach top speeds. Cybersecurity cannot be an afterthought.

We know this to be true at Walmart, which operates approximately 10,500 stores and clubs under 46 banners in 24 countries, and ecommerce websites, as the world’s largest retailer. Not only is Walmart transforming retail and ecommerce; we’re also taking on health and wellness, financial services, supply chain, and more — each of these pillars alone would require a cybersecurity team of hundreds if operating independently. We’re constantly focused on ensuring these operations can deliver value securely and maintain customer trust across our business.


Tommy Gardner

CTO at HP Federal

HP invests heavily in cybersecurity, yet there is always room for more. Cyber research is our No. 1 priority, and furthering that work is the place I’d start with a blank check. If we can’t stay ahead of cyberthreats and protect our customer's data and privacy, we’ll soon be out of business. For example, we know that ransomware is the biggest threat IT leaders are facing today, particularly as hybrid work makes the edge of a company or organization’s network more difficult to identify and secure. Continuing to research and develop protections like zero-trust strategy, which can be built into network architecture to reduce a network’s entry points and mitigate damage, is critical to our work. The dynamic nature of cybersecurity threats demands that we adopt a dynamic response. We must continue to enhance and advance our leading systems and solutions that can identify and neutralize evolving threats in real time so that organizations can adapt cybersecurity measures as quickly as criminals change their methods of attack. Tamper-proofing, quantum-safe encryption, a next-generation secure internet, and component-level security in printers, personal systems, and 3D printers will all be crucial in this as well.


Kimberly Smathers

CISO at AgentSync

My first action would be to create a plan to establish processes, implement tools, and appropriately staff a program targeting supply chain risk: from individual (and unknown) software downloads to the use of open-source software components in commercial products. It is the biggest risk SaaS organizations and startups are currently faced with.


See who's who in the Protocol Braintrust and browse every previous edition by category here (Updated Oct. 3, 2022).
