All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-why-dont-more-companies-take-cybersecurity-seriously/) With every cybersecurity breach, we still don't seem to be getting through. Many companies don't seem to be taking cybersecurity seriously. What does it take? Obviously not scare tactics. Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Ben Sapiro, global CISO, Great-West LifeCo. Thanks to this week's podcast sponsor, Sonatype. On this episode of Defense in Depth, you’ll learn: Even with attacks and breaches on a constant march, far too many companies operate under the "it will never happen to me" ostrich strategy. Problem with the "I'm too small to attack" defense is you probably also have minimal security protections which also makes you far easier to attack. Far easier to penetrate 100 low defense targets than one huge target with high defenses. Watching other companies survive a breach makes one feel as if they'll be just as resilient. Many companies not showing interest in cybersecurity may simply not be doing appropriate risk-based analysis. A company in a highly regulated industry has no choice but to take cybersecurity seriously. Businesses that are highly built on trust and have a low barrier to exit often understand the need to take cybersecurity seriously. They are always cognizant of reputational risk. Many feel that they are powerless against the onslaught of attacks and even if they do take cybersecurity seriously and spend money defending themselves it will all be a giant waste of effort. Many people simply don't feel attached to any type of cybersecurity effort. If you're not vested in it, why care about it? Those of us in cybersecurity forget what it feels like to not know anything about cybersecurity. On this episode of Defense in Depth, you’ll learn: Even with attacks and breaches on a constant march, far too many companies operate under the "it will never happen to me" ostrich strategy. Problem with the "I'm too small to attack" defense is you probably also have minimal security protections which also makes you far easier to attack. Far easier to penetrate 100 low defense targets than one huge target with high defenses. Watching other companies survive a breach makes one feel as if they'll be just as resilient. Many companies not showing interest in cybersecurity may simply not be doing appropriate risk-based analysis. A company in a highly regulated industry has no choice but to take cybersecurity seriously. Businesses that are highly built on trust and have a low barrier to exit often understand the need to take cybersecurity seriously. They are always cognizant of reputational risk. Many feel that they are powerless against the onslaught of attacks and even if they do take cybersecurity seriously and spend money defending themselves it will all be a giant waste of effort. Many people simply don't feel attached to any type of cybersecurity effort. If you're not vested in it, why care about it? Those of us in cybersecurity forget what it feels like to not know anything about cybersecurity.