Cyber security operating model

Designing a target operating model for an organisation is a complex activity. It is important, therefore, to keep it simple initially. At a very high level, I suggest CISOs start with three key capabilities:

  • Governance, Risk and Compliance
  • Security Architecture
  • Security Operations

These can then be decomposed further, tailoring to the needs of your particular organisation. Understand how each domain interacts with and supports the others, capturing key outcomes and dependencies for each function.

Key security capabilities are supported by Leadership and Governance streams, including Security Strategy, Business Alignment, Integration, Oversight, Optimization, Finance, Security Culture, Program Management, Stakeholder Management and Reporting.

Business-as-usual activities required to keep the lights on are often neglected when capability uplift is prioritized. For this reason, I placed it in the centre of the diagram, emphasising the ongoing importance of providing a consistent security service to your organisation.

The NIST Cybersecurity Framework functions at the intersections of domains aim to illustrate the collaborative nature of the security teams. It’s important to go beyond silos, ensuring frequent interaction with the business as well as within the security department.

Cybersecurity Board reporting – CISO Executive Network

I had the pleasure to participate in the keynote panel discussion on cyber security Board reporting at the CISO Executive Network event in Sydney. It was an insightful discussion where I had a chance to share my views on aligning on Board expectations, developing relationships and tailoring your message for maximum impact.

We also covered common challenges and strategies for winning the Board over as well as good practices for reporting. It was a great opportunity to contribute to the community and learn from my peers in the industry.

How to uplift your data analytics capability

Source: adapted from Davenport and Harris (2017)

Data strategy begins with an understanding of your business goals. What capabilities do you need to develop to realise your strategic objectives? In this blog I continue to build on the data analytics concepts to outline how to improve the analytics capability in your organisation.


Trust in People: Macquarie University Cyber Security Industry Workshop

I’ve been invited to share my thoughts on human-centric security at the Macquarie University Cyber Security Industry Workshop.

Drawing on insights from The Psychology of Information Security and my experience in the field, I outlined some of the reasons for friction between security and business productivity and suggested a practical approach to building a better security culture in organisations.

It was great to be able to contribute to the collaboration between the industry, government and academia on this topic.

Scuba diving and cyber security

During one of my dives I pondered if there are any parallels we can draw between scuba diving and cyber security. They may seem like vastly different activities, but they share many important similarities. Both deal with unknown and often rapidly changing environments, where careful preparation, attention to detail and focus are critical for success. I list some themes in this blog; feel free to leave a comment to add your own.


CISO’s perspective: a guest lecture at UNSW

As technology becomes increasingly integrated into our daily lives, the importance of cyber security cannot be overstated. Cyber attacks are becoming more sophisticated, and the costs associated with them are rising. This is why it is crucial for businesses and organisations to have a robust cyber security strategy in place.

Recently, I had the opportunity to deliver a guest lecture at the University of New South Wales as part of the Cybersecurity Management and Governance course.

I discussed the importance of having a clear understanding of cyber security threats. I emphasised that cyber threats are constantly evolving, and businesses need to stay vigilant and adapt their security measures accordingly. This means that cyber security is not a one-time fix; it requires continuous effort.

I also spoke about current challenges and opportunities in the field and what skills and ways of thinking are particularly useful. It was a fantastic experience, and I appreciated the chance to share my insights with a group of future cyber security professionals.