When 'No' & 'Good Enough' Challenge Cybersecurity

As the digital landscape evolves, these words must become an impetus for innovation and dialogue, not insurmountable barriers.

Tyler Farrar, CISO, Exabeam

May 24, 2024

3 Min Read
Digital green padlock floating over a digital background
Source: Skorzewiak via Alamy Stock Photo


In the realm of cybersecurity, the path to securing necessary resources often is strewn with obstacles, chief among them hearing the word "no." This response is not just about budgets, although financial constraints play a significant role; it's also about convincing leadership of the indispensable value of comprehensive cyber defense strategies. The reality is, every chief information security officer (CISO) will, at some point, face pushback — be it from a chief financial officer (CFO) who is skeptical about the return on investment of a new cyber platform, or a CEO who underestimates the vulnerability of the enterprise, believing a "good enough" EDR or SIEM solution will suffice.

However, the reliance on "good enough" in cybersecurity is a precarious stance at best. In physical security terms, it's akin to leaving the doors unlocked in a neighborhood where break-ins are rampant. These vulnerabilities are not novel; organizations have struggled to protect against them for decades. Weak passwords and phishing scams have persisted as root causes of security breaches because we have failed to effectively remove shared secrets from the process of verifying users, and social engineering makes it easy to reset or steal credentials.

Advanced cybersecurity capabilities aren't just technological upgrades; they're essential defenses against increasingly sophisticated attacks. Without the right tools and resources, organizations — especially those handling vast amounts of data — become significantly more susceptible to cyber threats. The aftermath of a "no" can be dire, transforming potential threats into real, often headline-making data breaches.

Influencing the Organizational Mindset

The challenge, therefore, for CISOs is not only in navigating the immediate impact of these refusals but also in influencing the broader organizational mindset toward cybersecurity. It's about painting a vivid picture of the potential consequences of inadequate defenses and advocating for the investments that are necessary to mitigate the risks. One recent and high-profile example was a mistaken $25 million payout by a finance worker after being duped by a deepfake video. Very costly errors like this are also why it's essential to recognize when an impasse may signal a deeper misalignment with an organization's values and priorities. In such cases, a CISO could find themselves exploring career opportunities elsewhere, whether by choice or by necessity. In either case, you'd want your new environment to be more receptive to and conducive of proactive cybersecurity practices.

That said, even the most forward-thinking leaders may face genuine budgetary constraints that can limit cybersecurity spending. In these situations, strategic risk management becomes crucial. CISOs must work closely with executive leadership to identify areas where some risk is acceptable, and other areas where it's not.

Reflecting on this, a notable moment from my own personal career came when we identified a gap in our security capabilities due to the absence of advanced tooling in our product infrastructure. Despite initial budgetary concerns from the CFO about the impact on cost of goods sold (COGS), we engaged in constructive dialogue, emphasizing the long-term benefits, such as foundational security protections, compliance with emerging standards, enhancing customer trust, and reinforcing our brand's reputation. By presenting the investment as a proactive measure for business growth and risk mitigation, rather than just an additional cost, we shifted the perspective.

This approach led to a unanimous decision to upgrade our security infrastructure, marking a significant stride in our commitment to cybersecurity. Documenting these decisions is vital, creating a paper trail that not only delineates agreed-upon risks and vulnerabilities, but also shares accountability. This narrative serves as an essential reference, underscoring the collective responsibility for cybersecurity decisions along with their outcomes.

The journey of a CISO in advocating for robust cybersecurity measures is complex, marked by negotiations and strategic compromises, and sometimes resulting in the exploration of new career opportunities. The key lies in persistent advocacy for comprehensive security strategies, strategic risk management, and, when necessary, the courage to seek alignment in environments that prioritize cybersecurity. As the digital landscape evolves, so must our approaches to securing it, ensuring that "no" becomes an impetus for innovation and dialogue, rather than an insurmountable barrier.

About the Author(s)

Tyler Farrar

CISO, Exabeam

Tyler Farrar is the Chief Information Security Officer (CISO) at Exabeam. In this role, he is responsible for protecting Exabeam — its employees, customers, and data assets — against present and future digital threats. Farrar also leads efforts in supporting current and prospective customers’ move to the Exabeam cloud-native New-Scale SIEM and security operations platform by helping them to address cloud security compliance barriers. With over 15 years of broad and diversified technical experience, Farrar is recognized as a business-focused and results-oriented leader with a proven track record of advancing organizational security programs.

Prior to Exabeam, Farrar was responsible for the strategy and execution of the information security program at Maxar Technologies, which included security operations, infrastructure governance, cyber assurance, and USG program protection functions. As a former naval officer, he managed multiple projects and cyber operations for a multimillion-dollar US Department of Defense program.

Farrar earned an MBA from the University of Maryland and a Bachelor of Science in Aerospace Engineering from the United States Naval Academy. He also holds a variety of technical and professional certifications, including the Certified Information Systems Security Professional (CISSP) certification.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights