Brandeis GPS Blog


Of reasonable security and other mythical creatures


Written by: Alain Marcuse, Brandeis GPS Faculty

Imagine you are responsible for cybersecurity at your company. Your mission is to support the business, but you’re among the 90% of security leaders who believe they are falling short in addressing cyber risk, according to the 2021 Security Priorities study by Foundry. You are well aware that threats continue to evolve faster than your budget and resources; according to the same study, 54% of CISOs expect no increase at all in their budget next year.

Against this backdrop, cybersecurity threats are certainly not standing still. According to PwC’s 2022 Global Digital Trust Insights report, more than 50% of organizations expect a surge in reportable incidents, over the 2021 rate. In short, the threat landscape continues to grow more rapidly than the resources available to you. 

But the challenge is not only a “simple” matter of balancing resources against threats. Cybersecurity is an increasingly regulated field, governed by sectoral laws such as HIPAA or industry standards such as PCI DSS, state laws such as in Massachusetts or New York, and even extra-territorial laws such as the European Union’s GDPR. Insurance companies are increasingly imposing their own requirements as well, in order to better manage underwriting risk.

In short, you need to make sure security doesn’t interfere with the business, or slow it down; but your primary responsibility is to maintain the organization’s security, in a context where the threats keep increasing, regulations keep multiplying, but the budget made available to you remains flat. 

You are expected to maintain “reasonable security”, but how do you define that, let alone achieve it? What’s deemed reasonable can well be in the eye of the beholder, and it also changes over time. Technology evolution requires updating the concept of what’s reasonable; what made sense in 2012 does not necessarily make sense in 2022. Consider something as simple as password length. PCI DSS 3.2.1, a standard released in 2018 that still governs security requirements at merchants that accept credit cards, requires passwords to be 7 characters long. In 2022, it is estimated that such weak passwords can be cracked within 7 seconds. Is this “reasonable”? If a breach happens, how will you answer “how could you let this happen?”

The key to resolving this challenge is to regularly take stock of the threat landscape, and of the security program’s ability to confront it, by means of a formal risk assessment, whether conducted internally or by an external party. Most security teams are stretched simply keeping up with day-to-day challenges, but it is important to step back and look at the broad picture, to ensure security strategy and tactics are still aligned with the threats, regulations, and business requirements at hand. A risk assessment will also help with prioritizing which initiatives will be undertaken and why, and which risks will be deemed acceptable, making the program more defensible when discussing it with other executives, the Board, or regulators.

While regular risk assessments provide a frame of reference for answering the “reasonableness” question, it is important to remember that every security program will fail, in one way or another, sooner or later. Cybersecurity is a form of asymmetric warfare in which the attacker is typically better equipped and less constrained than the defenders. As a result, two key elements must be prioritized: defense in depth, and incident response.

If you have received a breach notification from a company you work with, you will undoubtedly have noticed that the breach was always the result of a “sophisticated” attack, possibly leveraging a “zero-day” vulnerability. By definition, a “zero-day” vulnerability is one for which no patch currently exists. As of mid-2022, 18 such vulnerabilities had come to light this year alone. Given the near-certainty that some attack vectors will succeed, a defense-in-depth strategy helps minimize the damage: it is the cybersecurity version of James Reason’s “Swiss cheese model” metaphor for describing failures of complex systems, in which no single layer is relied upon to stop every attack.

While a defense-in-depth strategy can help minimize the damage, damage will almost certainly happen at some point; it is here that a well-developed incident response program matters most. This is not dissimilar to good crisis management practice in any other discipline: a well-prepared, well-rehearsed plan for managing and communicating about a cybersecurity incident will go a long way towards mitigating damage, including reputational damage.

The concept of “reasonable security” may well be an elusive beast, given that it can be subjective and defined differently depending on the entity or circumstances in which the reasonableness question is answered. But a security program structured on the foundation of regular risk assessments, deploying a well-considered strategy of defense in depth, and supported by a properly rehearsed incident response plan, will be more likely to be perceived as meeting a “reasonableness” standard.


Alain Marcuse teaches Cloud Security at Brandeis University, and is the Chief Information Security Officer at Validity Inc.

For more information about online master’s degrees available at GPS, please visit brandeis.edu/gps.

Brandeis GPS Student Spotlight



Dominic Lombardi ’22

Worcester, MA

Senior Manager, Security Risk and Trust, Klaviyo

Program: MS in Information Security Leadership

In his spare time, Dominic enjoys hiking, camping and exploring the outdoors with his wife and two daughters. 

Get to know Dominic Lombardi! 

Why did you choose Brandeis GPS?

I chose Brandeis GPS because it was built for working professionals. GPS’s online-first approach allows me to learn from and alongside a global group with industry leaders. 

What inspired you to choose your field of study?

I wasn’t sure if I wanted to pursue an MBA or an MS in Information Security Leadership, but when I spoke with a program curriculum advisor and mentor Sandy Silk, she had nothing but great things to say about the program, the faculty, and the students. I knew that an MS in Information Security Leadership would distinguish me from other professionals as I continue to advance myself and build my professional brand. 

How have you enjoyed your experience at Brandeis thus far? 

The program has met all my expectations so far; the courses are challenging and I’ve been able to dive deeper into concepts and theories that I’ve experienced throughout my career. In several of the courses, I’ve been able to apply my academic work directly to my profession and company after workshopping ideas and gaining helpful feedback from my classmates and professors alike. I could not ask for more transferable coursework than I’ve experienced at Brandeis!

What are your hopes and aspirations for the rest of your time at Brandeis? 

I know the program will continue to challenge me to think differently about the concepts and areas we study. I hope that my peers and professors continue to provide critical feedback that requires me to dive deeper into subject areas and to continually apply what we’re studying to my company. 

What are your plans for after graduation?

Klaviyo is truly a growth rocket ship – having reached unicorn status this past year with a $4.5 billion valuation. I plan to continue to advance the risk management program at Klaviyo to help our leaders make more risk-informed decisions as we tackle new challenges and take over new markets.

What advice would you give to incoming students?

The GPS program is what YOU make it out to be. The reading and assignments are manageable, but you can truly revolutionize your career by taking a few extra hours to go beyond the assignments and to think about how your program translates to your profession and company. 

What has been your favorite class to-date?

Computer Incident Response by far! I’ve been on incident response teams and led investigations over the course of my career, but I’ve never taken an academic approach to this domain before; all of my learning in this domain has been experiential, and often, your company culture influences the type of incident response program you build. By approaching it from an academic stance, I was able to examine an incident program holistically and then think critically about what I needed to bring to my company and our program to help mature our response efforts.

© 2023 Brandeis GPS Blog
