December 10, 2019

CISO MAG, a publication dedicated to covering issues near and dear to corporate chief information security officers everywhere, has graciously awarded this author the designation of “Cybersecurity Person of the Year” in its December 2019 issue.

KrebsOnSecurity is grateful for the unexpected honor. But I can definitely think of quite a few people who are far more deserving of this title. In fact, if I’m eligible for any kind of recognition, perhaps “Bad News Harbinger of the Year” would be more apt.

As in years past, 2019 featured quite a few big breaches and more than a little public speaking. Almost without fail, at each engagement multiple C-level folks will approach me after my talk, hand me their business cards and say something like, “I hope you never have to use this, but if you do please call me first.”

I’ve taken that advice to heart, and now endeavor wherever possible to give a heads up to CISOs/CSOs about a breach before reaching out to the public relations folks. I fully realize that in many cases the person in that role will refer me to the PR department eventually or perhaps immediately.

But on balance, my experience so far is that an initial outreach to the top security person in the organization often results in that inquiry being taken far more seriously. And including this person in my initial outreach makes it much more likely that this individual ends up being on the phone when the company returns my call.

Too often, these conversations are led by the breached organization’s general counsel, which strikes me as an unnecessarily confrontational and strategically misguided approach. Especially if this is also their playbook for responding to random security researchers trying to let the company know about a dangerous security vulnerability, data breach or leak.

At least when there is a C-level security person on the phone when that call comes in I can be relatively sure I’m not going to get snowed on the technical details. While this may be a distant concern for the organization in the throes of responding to a data security incident, the truth is that the first report is usually what gets repeated in the media — whether or not it is wholly accurate or fair.

This year’s CISO MAG awards also honor the contributions of Rik Ferguson, vice president of security research at Trend Micro, and Troy Hunt, an expert on web security and author of the data breach search website Have I Been Pwned? More at cisomag.com.

This entry was posted on Tuesday 10th of December 2019 11:46 AM


83 thoughts on “CISO MAG Honors KrebsOnSecurity”

  1. Mikey Likes It

    CONGRATULATIONS, Brian!

    This is well-deserved — not only because of your incredible investigative focus, but also your writing. Every reporter, in any field, will do well to look to you as a role model.

    Keep up the good work!

  2. Dean

    Congratulations!! No doubt, well deserved. Your articles are much more focused and detailed than any other writer I have seen.

    No need to be humble, you have proven to be a valuable resource for many headline topics.

  3. frederick felman

    Congratulations Brian – Well done – your analysis and coverage helps us all understand the evolving threat landscape and respond to it. Thank you. – f

  4. Donna

    Congratulations, Brian! I heartily agree that you certainly do deserve this honor. Your hard work and superb reporting style deserve to be recognized. °\(ˆ⌣ˆ)/°

  5. ASB

    Well done, Brian. Congrats and keep up the good work, please.

    And it is good that these CxOs are interested in being notified as early as possible. It says a lot about how organizations handle incidents in many cases.

    -ASB

  6. ASB

    >>Too often, these conversations are led by the breached organization’s general counsel, which strikes me as an unnecessarily confrontational and strategically misguided approach. Especially if this is also their playbook for responding to random security researchers trying to let the company know about a dangerous security vulnerability, data breach or leak.<<

    Well said.

  7. David Gittens

    Congrats Brian. The security world needs more people like you who can both report accurately and in an unbiased fashion, and still communicate very well. You are extremely valuable to our community because of this mix of qualities.

  8. MarkW

    Congrats Brian, you deserve it, and more… although when I saw the subject line from your mailing list the first thing that came to mind was “they must have been hacked and someone else has my subscription info”.

  9. L Jean Camp

    Well earned!

    You are also an invaluable resource for my students. In my lecture notes at semester’s beginning I have “whatever Brian has recently reported” as I discuss economics of ecrime, security as a lemons market, and vulnerabilities.

    Thank you so much for a decade of pedagogical support!
