QOTD - Do Executives Get InfoSec?

[...] security issues have been worded in arcane language since they first came about – and this has led to the emergence of the Chief (information) Security Officer.

This means that the rest of the C-level staff can carry on as they want – cyber security is someone else's responsibility. Unfortunately, CSO staff tend to be security specialists – not business specialists, and so get in the way of business happening, with more of an approach of “don't do this”, rather than “how can we do this securely?”.

Security has to be baked in to the business – and not just at a cyber level. Security is a business issue, and has to include how people operate; how information is used (including via telephone, paper and any other way).
-- Clive Longbottom, founder and analyst at Quocirca

Src: CEOs still don't get cyber security, study finds - SC Magazine UK

QOTD - Visa's CRO on High-Level Support of InfoSec & Risk

If you don't have the support of the CEO, or the board, or the owners ... you will never get anything done. Period.
-- Ellen Richey, Visa International's Chief Enterprise Risk Officer

Src: IT security is national security -- but you're not alone - Network World

QOTD - On the Value of Watering Holes

Unable to breach the computer network at a big oil company, hackers infected with malware the online menu of a Chinese restaurant that was popular with employees. When the workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the business’s vast computer network.

[...] the lesson from the incident was clear: Companies scrambling to seal up their systems from hackers and government snoops are having to look in the unlikeliest of places for vulnerabilities.
-- Nicole Perlroth, technology reporter for The New York Times

Note: emphasis is mine.

Src: Hackers Lurking in Vents and Soda Machines - NYTimes.com