ISO 27001 is a widely adopted international standard that sets out a systematic and adaptable approach to managing information security. It enables organisations to establish a culture of continuous improvement, stay ahead of emerging threats, and ensure business resilience in the face of evolving cybersecurity challenges.
A new version of this standard – ISO 27001:2022 – was published on 24 October 2022. I recently led the transition to this version and wanted to share my key takeaways.
Not every conversation a CISO is having with the Board should be about asking for a budget increase or FTE uplift. On the contrary, with the squeeze on security budgets, it can be an opportunity to demonstrate how you do more with less.
Security leaders don’t have unlimited resources. Significant security transformation, however, can be achieved by leveraging existing investment and current security resource levels.
What supply and demand factors are influencing the current industry equilibrium? What types of economies are most relevant for firms in the industry? Will firms with large shares earn above-normal profits? Are the positions of incumbents “contestable”? Are these industries global or local? Does a firm’s success in one industry yield competitive advantages in others? Do the valuations of individual companies operating in these industries make sense? How will major technological changes, e.g., 5G and AI, affect the industry and individual firms? What regulatory and legal issues are most relevant?
These and many other questions were discussed during my semester exchange at the Yale School of Management as part of my Executive MBA program.
I’m incredibly proud to be recognised as one of the top CISOs in Australia.
The CSO30 Australia Awards celebrates the leading individuals and organisations delivering cybersecurity initiatives that have changed the way the business is protected.
Following up on my recent update on starting an Executive MBA, I wanted to share that I’ve reached a milestone in my learning journey; I’m halfway through, with six modules completed.
I already wrote about Data Analytics and Decision Making and in this blog I’ll briefly summarise a few other courses I’ve completed and how some of the learnings can be applied to cyber security leadership.
I’ve been shortlisted for the CISO of the Year Award! It’s great to be recognised for excellence and innovation in cybersecurity alongside such accomplished leaders in the industry.
To remain competitive, modern technology businesses should take steps to implement responsible business practices that customers, employees and partners expect.
Customers want to purchase products that protect the environment and improve local communities. A useful tool to pursue inclusive growth is a sustainability balanced scorecard.
Below is an example sustainability strategy map I developed for a technology startup.
Achieving financial objectives can produce societal benefits through creating shared value.
Creating shared value
Finally, implementing responsible business practices aligns with UN Sustainable Development Goals (SDGs), specifically SDG9: Industry, Innovation and Infrastructure and SDG17: Partnerships for the Goals.
In this 15-minute interview I spoke with Ed Kennedy of CSO Australia, reflecting on Australian cyber security incidents of 2022, leadership, and my approach and insights to cyber security at Linkly.
CISOs and security leaders are often called upon to develop a security strategy. It’s an important step in understanding your current state, the direction you’re heading, and the roadmap to get there. It’s also an opportunity to demonstrate how cyber security activities and programs align with business objectives.
There is more to the CISO role than just setting the direction, however. It’s also about execution. As a security leader, it’s key to take ownership of the strategy and deliver on its promise. It’s useful, therefore, to be able to track progress against your objectives and demonstrate to the executive leadership team and the Board the impact the security team is making in enabling the business.
I had a great day speaking at the Cloud Security Summit on ransomware threats in cloud environments and how they’ve evolved over time. In this discussion I shared tips on the essential elements of a robust ransomware defence strategy in the Cloud and specific steps for incident response planning and recovery strategies.
I also provided recommendations for aligning cloud security measures with an organisation’s existing IT architecture and strategy, and how businesses can ensure this alignment contributes effectively to their overall security posture. Looking towards the future, I also shared my thoughts on how ransomware threats are evolving, and how organisations can prepare themselves for these events.