If you are looking for cybersecurity quotes for a presentation, team meeting, or conference session, you've come to the right place.
All 20 of these quotes were shared by security leaders and professionals during their conference sessions, media interviews, or podcast interviews at recent SecureWorld cybersecurity conferences across North America.
20 top cybersecurity quotes for 2020
1. Bruce Schneier, cybersecurity author and thought leader, on increasing government regulation ahead [at SecureWorld Boston]:
"The internet is about to start killing people, and the government regulates things that kill people."
2. Tim Callahan, SVP & Global CISO, Aflac [at SecureWorld Atlanta]:
"Security program design must start with a risk assessment: enterprise risk, business risk, regulatory risk, technology risk, industry risk. And you must keep looking at what's happening in the world right now that could heighten these."
3. Ricardo Lafosse, CISO of Morningstar, on how to really cut down your breach potential [at SecureWorld Chicago]:
"60% of data breaches are caused by a failure to patch. If you correct that, you've eliminated 60% of breaches. And I didn't even have to say AI or Blockchain! See how that works?"
4. Deborah Wheeler, CISO of Delta Airlines [at SecureWorld Atlanta]:
"In the aviation industry, safety is job 1. So we're not using the word cybersecurity, we're using the word safety. Safety of the digital self. And that resonates with our 80,000+ employees at Delta."
5. Col. Cedric Leighton (USAF, Ret.), CNN Military Analyst, on increasing the government-corporate link to create a collective cyber defense [at SecureWorld Twin Cities]:
"Certain trusted individuals from critical companies need to receive government security clearances. It's not just for the CEOs. It's not just for the CTOs or the CIOs, it is for everybody who is involved in this directly. They have to be trusted people, they have to be vetted. And it will take some time to do this. But that's one step because we really have to be on the same team.”
6. David Sherry, CISO of Princeton University, on creating a cybersecurity culture [at SecureWorld New York]:
"Just the process of doing a risk assessment changes the culture. People now realize, 'Oh, I do have something that's worthy enough,' [of a cyberattack] just by going through those risk assessments. We flipped the model around. We focused first on what you are doing well that we want you to keep doing. And in places that they may not be doing so well we said you're not really hitting best practice, let us help you get there. So that was a big, big change right off the bat on how people looked at our group."
More on the podcast:
7. Gary Patterson, Director of Security Architecture at Home Partners of America, on security speaking the language of its customers [at SecureWorld Chicago]:
"Users are used to doing their jobs in a very specific manner. The closer you can align security to how they currently do their jobs, the less friction there's going to be and the more they're going to trust security is looking out for them. You also have to have executive support, buy-in from the senior leadership.
And you have to have the same lexicons, the same language. When I say risk or threat or vulnerability, they have to understand what I mean by that. Or I have to understand what they mean in their language. So one of us has to adapt, right?"
8. Dr. Larry Ponemon, Founder and Chairman of the Ponemon Institute [at SecureWorld Detroit]:
"A data breach is about both privacy and security. And security becomes very, very important because you can't have privacy unless you have good security. And if someone tries to say otherwise, they are crazy people!"
9. How could we limit Dr. Larry Ponemon to a single quote? Here is another great insight he shared [at SecureWorld Detroit]:
"The big cost issue for many organizations is a turnover factor. As you have large breaches, consumers say why would I entrust this organization with my sensitive, confidential information. If you lose less than 1% of the total customers as a result of your data breach, that could translate into tens of millions of dollars of loss."
10. Rebecca Harness, CISO at St. Louis University, on being aware of whom you are speaking to and when [at SecureWorld St. Louis]:
"You can see from a big convention like this we are an interesting group, we like to learn about things, we like to talk about things. We have ideas and ways that we want to help others in security to do stuff. But the reality is, we have to save those conversations for when we're with our peers and then figure out how to transform that language when we're speaking to folks outside of security. Use the right language to help them do what they want to do from a business perspective, but in a safe and secure way."
11. Maarten Van Horenbeeck, CISO at Zendesk, on working with security startups [at SecureWorld Bay Area]:
"I look for alignment with the purpose of what a startup company is trying to accomplish. Ethics matter significantly to me. Their behavior needs to treat the issue of cybersecurity like it's something we can solve together."
12. Special Agent Chris McMahon of the U.S. Secret Service, on Business Email Compromise [at SecureWorld Seattle]:
"Since 2016, BEC losses have topped $26 billion. And that's just the tip of the iceberg because many are too embarrassed to report it. Everyone, and every organization, is a potential target."
13. Aleta Jeffress, Chief Information & Digital Officer for the City of Aurora, Colorado, on uncovering potential security talent [at SecureWorld Denver]:
"Cybersecurity is really problem solving. You know, there's a lot that you have to take in really quickly, there's a lot that you have to triage, and potentially, a lot of different ways to make sure that your customers are protected. So it's really enabling people to see that they might have that skill set.
So for example, it could be a healthcare person or somebody else who was a project manager or even a business systems analyst, right? Somebody who does those things over and over again. You can do that same job, you're just applying it to a different vertical, you're applying it to cybersecurity."
14. Zaki Abbas, VP and CISO at Brookfield Asset Management, on helping the board understand the big security picture [at SecureWorld Toronto]:
"There's not a 'one and done' solution for cybersecurity, no silver bullet as we like to call it. With cyber, there needs to be continuous caring and feeding of the program. It's a program that requires ongoing improvement. And that's something very important to explain to the board."
15. Andy Purdy, Chief Security Officer at Huawei USA, [on The SecureWorld Sessions podcast]:
"One frustrating thing is sometimes people hear that I'm a defender of Huawei and they have a tendency not to listen to what I'm actually saying. I would suggest I'm not a defender of Huawei. People say, well, do you trust China? And do you just trust Huawei? I don't trust anybody!
I think the approach has to be you don't ask people for trust. We need to have mechanisms in place, and they exist, where you don't need to trust anybody. Because the mechanisms make sure we have an objective and transparent basis to know that we're going to be okay."
More on the podcast:
16. Dawn-Marie Hutchinson, CISO of Pharmaceuticals and R&D at GSK, on data governance [at SecureWorld Philadelphia]:
"Sometimes the best way to find all of the third parties we're working with is to go to accounts payable and find out who we’re paying. And the same is true when it comes to data.
Sometimes we need to take a step back and go right to the business and find out how is the data coming in, particularly in digital transformation. How's the data coming in? How is the business using it? Because often times there's people with spreadsheets doing tremendous amounts of activities on spreadsheets that we don't know about. And that's data that requires protection."
17. Dale Zabriskie, Evangelist at Proofpoint Security Awareness [in our SecureWorld Behind the Scenes interview]:
"The idea of cybersecurity training has to be evangelized within an organization. Because, 'Hey, I've been using a computer my whole life. Why do I need to be trained on this stuff?'
The things that an organization learns from their phishing simulations need to be coupled with knowledge assessments so that you know what your users know, and more importantly, what they don't know. Let's say that you are implementing or trying to drive home a password policy. Let's do an assessment and see how well our people understand creation of passwords.
When you couple the data that you get from both a phishing simulation and from a knowledge assessment, that really helps drives what you train on."
18. Sam Masiello, CISO at Gates Corporation [on the SecureWorld DMARC web conference]:
"Over the past seven years or so, adoption of DMARC has really taken off. I would say that we're at a tipping point now. There are some pretty major brands today that are utilizing DMARC in a capacity that allows them to reject spoofed messages from getting into the inbox.
For example, if a message tries to get delivered alleging to be from Groupon dot com, and it does not pass email authentication, those messages will get rejected. And so phishing messages from Groupon or that appear to be from Groupon, I should say, have gone down relatively significantly as a result of being able to implement DMARC.
What organizations are trying to accomplish here is kind of reestablish, at least in some way, the level of trust that people have in messages that are delivered to their inbox because right now, that trust model is broken. DMARC is a useful tool for this."
19. Jordan Fischer, Co-Founder and Managing Partner of XPAN Law Group, on navigating the large number of data privacy laws [on The SecureWorld Sessions podcast]:
"My one piece of advice is don't be afraid to ask questions. I think that a lot of the C-suite, the leadership level, those executives are almost afraid to delve into this. It feels like Pandora's box. 'I'm going to open up this can of worms that I don't know if I'm going to want to deal with.'
But a lot of times you might be doing good things. You just don't know it. Because you don't have the documentation in place, because you haven't thought, 'Okay, we're putting stuff in the cloud, is that a good thing? Is that a bad thing? Are we making informed decisions?'
And so I would say the first thing, start asking questions. 'Where do we store our data? What data do we have? What are we doing with that data when we have it?' These are simple questions that will provoke responses that will start the conversation going, and that's the first step with anything."
More on the podcast:
20. Annie Searle, Senior Lecturer at the University of Washington, who specializes in the ethics of IT [at SecureWorld Seattle]:
"Don't underestimate the race with China because it is a race for rather complete forms of power. And I don't just mean in a military sense. So much of this world, so much of what is behind the scenes, will govern how societies work and how decisions are made—and probably whether democracy survives. I'm very serious about that."
Cybersecurity quotes and nuggets of wisdom for 2020
Join your regionally-focused SecureWorld cybersecurity conference this year and have access to one or two full days of insights like these. See the conference calendar here: SecureWorld 2020 conferences.
And if you have knowledge to share or an area of passion in cybersecurity or privacy, submit your speaking proposal here.