Cybersecurity Board reporting – CISO Executive Network

I had the pleasure of participating in the keynote panel discussion on cyber security Board reporting at the CISO Executive Network event in Sydney. It was an insightful discussion where I had a chance to share my views on aligning with Board expectations, developing relationships and tailoring your message for maximum impact.

We also covered common challenges and strategies for winning the Board over as well as good practices for reporting. It was a great opportunity to contribute to the community and learn from my peers in the industry.

How to develop a cyber security strategy

Cyber security strategy and execution is one of the top priorities for a CISO. It helps articulate the value of security, provide clarity on short and long term goals and outline a cyber security uplift roadmap.

In this blog I recommend a proven step-by-step guide for developing a cyber strategy.


How to uplift your data analytics capability

Source: adapted from Davenport and Harris (2017)

Data strategy begins with an understanding of your business goals. What capabilities do you need to develop to realise your strategic objectives? In this blog I continue to build on the data analytics concepts to outline how to improve the analytics capability in your organisation.


Ethical cyber security leadership

Picture an easy Sunday morning. It’s sunny and quiet, with only birds chirping outside. You make yourself a cup of coffee and sit on the sofa to catch up on what’s happening in the world. You open your favourite news site and there it is – the first story of the day, in large font.

Breaking news: massive data breach! It’s your company in the headline.

This is the modern reality: cyber attacks are becoming increasingly common, and it’s no longer a matter of if but when.

How do you manage this PR nightmare? What do you tell the media? Can you regain the trust of your customers and partners?

These are not the questions you want to be thinking about in the middle of a crisis. The real story begins way before that. It starts with responsible data management practices and securing people’s information.


Financial benefits of cyber security

How can security support the business? To answer this question in financial terms, I outline two sides of the story. On one hand, CISOs can demonstrate positive impact on the EBITDA through elevating security capabilities. On the other hand, we can list potential downsides of poor security practices from both revenue and cost perspectives.

It’s not about carrots and sticks, it’s about seeing the full picture of opportunity and risk.


Starting an Executive MBA

It’s widely understood that cybersecurity should support the business – it’s a common theme of this blog. However, it’s often difficult to achieve true alignment without understanding the business context, priorities and challenges and being able to communicate in the language of business stakeholders.

I decided to enrol in the Master of Business Administration (Executive) degree to broaden my knowledge and enhance my strategic thinking to better serve organisations. Developing my skills in finance, leadership, strategy and innovation will help equip me to better understand current challenges and make a positive, lasting impact. The Australian Graduate School of Management (AGSM) program at the University of New South Wales will help me learn about the latest business practices and how to effectively apply them to add value to the business.

I have a strong technical background and analytical skills and I look to build on this foundation to enhance my contribution to the C-Suite. Throughout my career I’ve worked in consulting, corporate and startup organisations; my understanding of challenges and opportunities of both large corporations and nimble startups globally will bring a unique perspective to the AGSM community. I can also leverage my extensive professional network around the world to support fellow Executive MBA candidates and alumni.

I’ll be writing about my experience and learning in this blog, so stay tuned for more updates on how cybersecurity practices can be aligned to wider business strategy and objectives.

What is the best security framework for your business?

I’m often asked which security control framework is the best. Spoiler alert – I don’t think there is one! No single framework is a silver bullet – they all have pros and cons. Some frameworks are highly prescriptive and have a narrow scope – cardholder and account data for PCI DSS, for example.

SOC 2, on the other hand, is more principles-based: it doesn’t mandate specific controls, but rather assesses against the Trust Services Criteria.

ISO 27001 is another popular choice: it’s a risk-based framework, although it also has a set of example controls in the standard that many people choose to adopt.

NIST Cybersecurity Framework and its functions (Identify, Protect, Detect, Respond and Recover) can aid communication with business stakeholders but it has its limitations too.

Your particular industry may have other specialised sets of requirements, like NERC CIP for the electric power grid in North America. The list goes on.

Many organisations are subject to multiple regulations and pieces of legislation simultaneously, and have to adopt multiple frameworks and compliance regimes. If not managed appropriately, maintaining and demonstrating compliance across all of them can be labour-intensive. It helps to recognise that, although worded differently, controls from different frameworks often aim to achieve the same objective, so it pays to maintain a cross-framework control mapping to streamline your compliance program.

While achieving compliance with a security framework is often a necessary step in establishing a baseline level of security, it’s often not sufficient to mitigate modern threats.

Compliance frameworks were developed with a specific objective in mind – to reduce risk. And they can get you part of the way there, just not all the way. An organisation can be compliant but still insecure. Security leaders should go beyond compliance and move towards actively identifying and managing risks, focusing on the overall security posture and risk reduction to survive and thrive in the digital world.

Working as an Interim Head of Enterprise Architecture

Reference Architectures: Why, What and How – Architecting Forum

While working as a consultant, I had an opportunity to serve as an Interim Head of Enterprise Architecture for one of the banks in the Middle East. The objective was to set up an Enterprise Architecture function at the company and demonstrate its benefits. It was a rare chance to build a capability from the ground up and I wanted to share some of my learnings in this blog. I hope this will help people looking for their next opportunity.
