Of course, there are many threats facing NASDAQ - from criminals to hacktivists to nation states - and the stock exchange obviously has an army of highly skilled information-security professionals, intensive information-security training, and a robust information-security technology infrastructure. So my question went beyond the usual technological and human issues and instead focused on which risks are hardest to correct even with significant cybersecurity resources.
Modano pointed out, however, that because the time between the issuance of a patch and the discovery of weapons that exploit the associated vulnerability in unpatched systems is shrinking, organizations wishing to stay secure often have far less time to deploy patches than they used to.
Because a formal change-management process, including the testing of patches, is needed to ensure that patches do not interfere with system functions or otherwise have adverse side effects, organizations face a growing risk either of being unable to fully deploy patches before attackers start exploiting unpatched systems, or of deploying inadequately tested patches.
Modano pointed out that industry groups and other methods of exchanging information do help - as one organization that detects something anomalous or hostile can share its findings with others both to warn them and to see if others have observed similar potential threats.
At the same time, however, as Modano noted to me, there is a lack of standardization across federal and state regulators on matters related to privacy, information sharing, breach notification, and other areas of security; this lack of uniformity complicates knowledge sharing, as not all businesses are subject to the same rules and requirements.