Starting an Executive MBA

It’s widely understood that cybersecurity should support the business – it’s a common theme of this blog. However, it’s often difficult to achieve true alignment without understanding the business context, priorities and challenges and being able to communicate in the language of business stakeholders.

I decided to enrol in the Master of Business Administration (Executive) degree to broaden my knowledge and enhance my strategic thinking to better serve organisations. Developing my skills in finance, leadership, strategy and innovation will help equip me to better understand current challenges and make a positive, lasting impact. The Australian Graduate School of Management (AGSM) program at the University of New South Wales will help me learn about the latest business practices and how to apply them effectively to add value to the business.

I have a strong technical background and analytical skills, and I look to build on this foundation to enhance my contribution to the C-Suite. Throughout my career I’ve worked in consulting, corporate and startup organisations; my understanding of the challenges and opportunities of both large corporations and nimble startups globally will bring a unique perspective to the AGSM community. I can also leverage my extensive professional network around the world to support fellow Executive MBA candidates and alumni.

I’ll be writing about my experience and learning in this blog, so stay tuned for more updates on how cybersecurity practices can be aligned to wider business strategy and objectives.

Working with Indigenous communities in Australia

I recently completed a six-week secondment, working in an Aboriginal community organisation on the Far West Coast of South Australia. I had the privilege to listen, learn and understand some of the challenges faced by Indigenous communities across Australia and apply my skills to contribute to their long-term success.

Transferring my knowledge and skills to these communities was a very enriching experience both personally and professionally and something I would like to continue being involved with in the future.

In this blog I would like to summarise my experience participating in this Jawun secondment.

Building a security community

The CISO role can be stressful at times, so it’s important to have the right support network around you. The cyber security industry is still relatively small and some great communities have emerged around professional certification bodies and special interest groups.

Wherever you are in the world, it’s likely there will be a security meetup near you. And if there isn’t, you should definitely start one! These social gatherings don’t have to be face-to-face – online and fully remote options also exist.

Over the years I’ve been fortunate to be a member of some outstanding security leadership communities. It’s very rewarding to be able to share your experience and also learn from your peers. Feel free to reach out if you’d like an introduction.

Applying Lean practices to security

Photo by siddhu2020 https://flic.kr/p/61m23G

I had an opportunity to follow the Lean Silver Belt pathway of Cardiff University’s Lean Competency System and work with a coach to deliver measurable business process improvement in the workplace. This resulted in significant cost savings for the business and was supported by the official accreditation.

A lot of it is to do with the mindset: spotting inefficiencies, eliminating waste and continuous improvement are at the core of the approach. It’s also about applying these concepts and techniques to real world challenges.

What is the best security framework for your business?

I’m often asked which security control framework is the best. Spoiler alert – I don’t think there is one! No single framework is a silver bullet – they all have pros and cons. Some frameworks are highly prescriptive and have a narrow scope – cardholder and account data for PCI DSS, for example.

SOC 2, on the other hand, is more principles-based: it doesn’t mandate specific controls but rather sets out the Trust Services Criteria that controls must satisfy.

ISO 27001 is another popular choice: it’s a risk-based framework, although the standard also includes a set of reference controls that many people choose to adopt.

The NIST Cybersecurity Framework and its functions (Identify, Protect, Detect, Respond and Recover) can aid communication with business stakeholders, but it has its limitations too.

Your particular industry may have other specialised sets of requirements, like NERC CIP for the electric power grid in North America. The list goes on.

Many organisations are subject to multiple regulations and pieces of legislation simultaneously, and so have to adopt multiple frameworks and compliance regimes. If not managed appropriately, maintaining and demonstrating compliance against all of them becomes labour-intensive. It helps to recognise that, although worded differently, controls from different frameworks often aim to achieve the same objective, so it pays to maintain a cross-framework control mapping to streamline your compliance program.

While achieving compliance with a security framework is often a necessary step in establishing a baseline level of security, it is frequently not sufficient to mitigate modern threats.

Compliance frameworks were developed with a specific objective in mind – to reduce risk. They can get you part of the way there, just not all the way. An organisation can be compliant but still insecure. Security leaders should go beyond compliance and move towards actively identifying and managing risks, focusing on the overall security posture and risk reduction to survive and thrive in the digital world.

Working as an Interim Head of Enterprise Architecture

Reference Architectures; Why, What and How, Architecting Forum

While working as a consultant, I had an opportunity to serve as an Interim Head of Enterprise Architecture for one of the banks in the Middle East. The objective was to set up an Enterprise Architecture function at the company and demonstrate its benefits. It was a rare chance to build a capability from the ground up and I wanted to share some of my learnings in this blog. I hope this will help people looking for their next opportunity.

Agile security at scale

The Scaled Agile Framework (SAFe) provides a way for the entire organisation to work in an agile way, not only software engineers. Security professionals, lawyers, compliance specialists and procurement teams are encouraged to engage in sprints (or ‘iterations’) too. You don’t have to write code to participate in a retrospective.

I recently had an opportunity to apply some of the Agile practices in my latest cyber security projects while going through formal Leading SAFe training at work.

Many of the ideas are not new, especially if you have worked with Scrum previously, but they don’t have to be new in order to be effective. The framework serves more as a collection of principles and a menu of techniques that can be used to transform large organisations that have ‘always done things that way’.

Professional certifications

Over the years I’ve had the opportunity to acquire multiple professional certifications in cloud security, project management, industrial control systems security, data privacy, architecture and more.

Passing an exam, of course, doesn’t make you an expert: a credential by itself doesn’t guarantee skill. However, I found the process of studying for one rewarding in itself.

It helps you structure your existing knowledge and learn a few new things that you could otherwise have missed along the way. Combining your prior practical skills with some of the good practices at the heart of these certification paths also allows for continuous improvement.

I write about how to pass some of these exams on this site, so feel free to get in touch if you would like to discuss my preparation strategies and exam tips.

Supply chain security

Asset management is often regarded as the foundation of a security programme: you can’t protect something that you don’t know you have. This extends beyond internal systems to your organisation’s partners. Depending on the line of business, supply chains can become highly complex, spanning vendors, manufacturers, retailers and distributors across multiple geographies and regulatory regimes. Securing such a network is no easy task and should start with visibility and careful risk management.