Category Archives: Security Strategy

Implementing cyber security strategy

Illustrative example: cyber roadmap

CISOs and security leaders are often called upon to develop a security strategy. It’s an important step to understand what your current state is, in what direction you’re going and the roadmap to get there. It’s also an opportunity to demonstrate how cyber security activities and programs align to business objectives.

There is more to the CISO role than just setting the direction, however. It’s also about execution. As a security leader, it’s key to take ownership of the strategy and deliver on its promise. It’s useful, therefore, to be able to track progress against your objectives and demonstrate to the executive leadership team and the Board the impact the security team is making in enabling the business.

More

Cyber security operating model

Designing a target operating model for an organisation is a complex activity. It is important, therefore, to keep it simple initially. At a very high, level, I suggest CISOs start with three key capabilities:

  • Governance, Risk and Compliance
  • Security Architecture
  • Security Operations

These can then be decomposed further, tailoring to the needs of your particular organisation. Understand how each domain interacts with and supports the others, capturing key outcomes and dependencies for each function.

Key security capabilities are supported by Leadership and Governance streams, including Security Strategy, Business Alignment, Integration, Oversight, Optimization, Finance, Security Culture, Program Management, Stakeholder Management and Reporting.

Business as usual activities required to keep the lights on are often neglected when capability uplift is prioritized. For this reason, I placed it in the centre of the diagram, emphasising the ongoing importance of providing consistent security service to your organisation.

The NIST Cybersecurity Framework functions at the intersections of domains aim to illustrate the collaborative nature of the security teams. It’s important to go beyond silos , ensuring frequent interaction with the business as well as within the security department.

Cybersecurity Board reporting – CISO Executive Network

I had a pleasure to participate in the keynote panel discussion on cyber security Board reporting at the CISO Executive Network event in Sydney. It was an insightful discussion where I had a chance to share my views on aligning on Board expectations, developing relationships and tailoring your message for maximum impact.

We also covered common challenges and strategies for winning the Board over as well as good practices for reporting. It was a great opportunity to contribute to the community and learn from my peers in the industry.

How to uplift your data analytics capability

Source: adapted from Davenport and Harris (2017)

Data strategy begins with an understanding of your business goals. What capabilities do you need to develop to realise your strategic objectives? In this blog I continue to build on the data analytics concepts to outline how to improve the analytics capability in your organisation.

More

Ethical cyber security leadership

Picture an easy Sunday morning. It’s sunny and quiet with only birds chirping outside. You make yourself a cup of coffee and sit on the sofa to catch-up on what’s happening in the world. You open your favourite news site and here it is – first story of the day in large font.

Breaking news: massive data breach! It’s your company in the headline.

This is the modern reality, cyber attacks are becoming increasingly common and it’s no longer a matter of if but when.

How do you manage this PR nightmare? What do you tell the media? Can you regain the trust of your customers and partners?

These are not the questions you want to be thinking about in the middle of a crisis. The real story begins way before that. It starts with responsible data management practices and securing people’s information.

More

Financial benefits of cyber security

How can security support the business? To answer this question in financial terms, I outline two sides of the story. On one hand, CISOs can demonstrate positive impact on the EBITDA through elevating security capabilities. On the other hand, we can list potential downsides of poor security practices from both revenue and cost perspectives.

It’s not about carrots and sticks, it’s about seeing the full picture of opportunity and risk.

More

Starting an Executive MBA

It’s widely understood that cybersecurity should support the business – it’s a common theme of this blog. However, it’s often difficult to achieve true alignment without understanding the business context, priorities and challenges and being able to communicate in the language of business stakeholders.

I decided to enrol to the Master of Business Administration (Executive) degree to broaden my knowledge and enhance my strategic thinking to better serve organisations. Developing my skills in finance, leadership, strategy and innovation will help equip me to better understand current challenges and make a positive, lasting impact. The Australian Graduate School of Management (AGSM) program at the University of New South Wales will help me learn about the latest business practices and how to effectively apply them to add value to the business.

I have a strong technical background and analytical skills and I look to build on this foundation to enhance my contribution to the C-Suite. Throughout my career I’ve worked in consulting, corporate and startup organisations; my understanding of challenges and opportunities of both large corporations and nimble startups globally will bring a unique perspective to the AGSM community. I can also leverage my extensive professional network around the world to support fellow Executive MBA candidates and alumni.

I’ll be writing about my experience and learning in this blog, so stay tuned for more updates on how cybersecurity practices can be aligned to wider business strategy and objectives.