Rick McElroy, Security Strategist, Carbon Black

Rick McElroy, security strategist for Carbon Black, has more than 15 years of information security experience educating and advising organizations on reducing their risk posture and tackling tough security challenges. He has held security positions with the U.S. Department of Defense, and in several industries including retail, insurance, entertainment, cloud computing, and higher education.
McElroy’s experience ranges from performing penetration testing to building and leading security programs. He is a Certified Information Systems Security Professional (CISSP), a Certified Information Security Manager (CISM), and Certified in Risk and Information Systems Control (CRISC). As a United States Marine, McElroy’s work included physical security and counterterrorism services.
A fierce advocate for privacy and security who believes education and innovation are the keys to improving the security landscape, McElroy is program chair for the Securing Our eCity Foundation’s annual CyberFest, a San Diego event dedicated to educating public and private sector security and IT professionals and business executives on the realities of security.
Carbon Black is the leader in next-generation endpoint security. IDC, in its latest specialized threat analysis and protection (STAP) report, named Carbon Black the leader in the endpoint security segment with 37% market share. By the end of 2015 the company expects to achieve 70 percent growth, 7 million+ software licenses sold, almost 2,000 customers worldwide, partnerships with 60+ leading managed security service providers and incident response companies, and integrations with 30+ leading security technology providers. For more information, visit https://www.carbonblack.com/.

10 Questions Today’s CEOs Should Ask (& Know the Answers To)

In my previous blog posts, we discussed the importance of risk management and highlighted a list of questions CEOs should know the answers to – answers that help you stay informed, up to date and ready for any security issue.
The next question we will dive into is: What are the top five risks, and has their priority changed recently?

While it is necessary to track major risks in your organization, not all of them will be information security related. CEOs are probably familiar with the diversity of risks, from taking on new business initiatives to holding sensitive customer information. As we discuss this question in detail, focus on the management of risks as a whole instead of risks related to a specific department.

Asking this question gives you a sufficient overview of your current risks, helps you understand the maturity of your risk management strategy and ensures that information security risks are being accounted for. It will also encourage your team to get into the habit of constantly tracking and managing risk information so that it is readily available when required. Five is a good number of risks for CEOs to start with; as your organization matures, this number can be increased accordingly.

The events in 2017 showed just how important it is for CEOs to be engaged in the risk management process. Those who failed to do so had to answer to legislative bodies and faced expensive fines that could potentially threaten the survival of the company.

In today’s business climate, it is increasingly important to take proactive steps to mitigate risks while being transparent about all your actions. This includes understanding that risks need to be re-prioritized regularly. For example, suppose you have known for the last five years that your business is exposed to a high risk of a cyber breach, yet no action was taken. Today, a breach actually occurs. As a CEO, you would have a very hard time justifying why nothing was done to mitigate, or at least reduce, your business’ exposure to this risk.

The output of your risk assessment process should allow you to make an informed decision to accept, transfer or mitigate each risk while strengthening your management strategy. CEOs need to develop a process that works for their organization and track key risks throughout the life cycle of the business.

A key point to remember is that most significant failures that could have been easily avoided are caused by poor risk management, not by the fact that the organization took risks.

It’s your job to ensure your team is managing risks appropriately and flagging the ones that require immediate mitigation. After you have set your Commander’s Intent, you need to regularly ask this question to ensure your intent is being managed effectively. The right management strategy will allow your team to take the right risks at the right time and take action against the potentially damaging ones.

Asking this question will aid the process of protecting your organization from failures, and it also provides you with the information you need to avoid legal implications when things go wrong. There is no such thing as ZERO risk in business; there are only ways to manage it.