Working together to nurture the next generation of cybersecurity ventures

I’m thrilled to join an exclusive cybersecurity investment community – Cyber Club London. CCL is a group of cybersecurity experts and leaders who have access to new and innovative early-stage startups, have the opportunity to invest in them privately, and use their expertise and connections to help these startups succeed.

The community was established to provide a platform where cybersecurity leaders, executives, startups, and venture capitalists can share knowledge and work together to invest in promising early-stage companies. This closely aligns to my goals of contributing to the community and helping ventures thrive in the cyber space, serving as a Board Advisor and Non-Executive Director.

I’ve been named one of the top 10 Cybersecurity Leaders in Australia

I am excited to be recognised as one of the Top 10 Cybersecurity Leaders in Australia driving innovation and demonstrating business value. Although relatively new to Australia, I had the opportunity to use my global experience to address key cybersecurity challenges within the Financial Services sector.

A massive thank you to my team – it’s a privilege to lead such high performing and dedicated individuals and be able to build a cutting-edge cyber capability. Congratulations to all the award winners!

Financial benefits of cyber security

How can security support the business? To answer this question in financial terms, I outline two sides of the story. On one hand, CISOs can demonstrate a positive impact on EBITDA by elevating security capabilities. On the other hand, we can list the potential downsides of poor security practices from both revenue and cost perspectives.

It’s not about carrots and sticks, it’s about seeing the full picture of opportunity and risk.


Starting an Executive MBA

It’s widely understood that cybersecurity should support the business – it’s a common theme of this blog. However, it’s often difficult to achieve true alignment without understanding the business context, priorities and challenges and being able to communicate in the language of business stakeholders.

I decided to enrol in the Master of Business Administration (Executive) degree to broaden my knowledge and enhance my strategic thinking to better serve organisations. Developing my skills in finance, leadership, strategy and innovation will help equip me to better understand current challenges and make a positive, lasting impact. The Australian Graduate School of Management (AGSM) program at the University of New South Wales will help me learn about the latest business practices and how to effectively apply them to add value to the business.

I have a strong technical background and analytical skills and I look to build on this foundation to enhance my contribution to the C-Suite. Throughout my career I’ve worked in consulting, corporate and startup organisations; my understanding of challenges and opportunities of both large corporations and nimble startups globally will bring a unique perspective to the AGSM community. I can also leverage my extensive professional network around the world to support fellow Executive MBA candidates and alumni.

I’ll be writing about my experience and learning in this blog, so stay tuned for more updates on how cybersecurity practices can be aligned to wider business strategy and objectives.

Working with Indigenous communities in Australia

I recently completed a six-week secondment, working in an Aboriginal community organisation on the Far West Coast of South Australia. I had the privilege to listen, learn and understand some of the challenges faced by Indigenous communities across Australia and apply my skills to contribute to their long-term success.

Transferring my knowledge and skills to these communities was a very enriching experience both personally and professionally and something I would like to continue being involved with in the future.

In this blog I would like to summarise my experience participating in this Jawun secondment.


Building a security community

The CISO role can be stressful at times, so it’s important to have the right support network around you. The cyber security industry is still relatively small and some great communities have emerged around professional certification bodies and special interest groups.

Wherever you are in the world, it’s likely there will be a security meetup around you. And if there isn’t you should definitely start one! These social gatherings don’t have to be face-to-face – online and fully remote options also exist.

Over the years I’ve been fortunate to be a member of some outstanding security leadership communities. It’s very rewarding to be able to share your experience and also learn from your peers. Feel free to reach out if you’d like an introduction.

Applying Lean practices to security

Photo by siddhu2020 https://flic.kr/p/61m23G

I had an opportunity to follow the Lean Silver Belt pathway of Cardiff University’s Lean Competency System and work with a coach to deliver measurable business process improvement in the workplace. This resulted in significant cost savings for the business and was supported by the official accreditation.

A lot of it is to do with the mindset: spotting inefficiencies, eliminating waste and continuous improvement are at the core of the approach. It’s also about applying these concepts and techniques to real world challenges.


What is the best security framework for your business?

I’m often asked which security control framework is the best. Spoiler alert – I don’t think there is one! No single framework is a silver bullet – they all have pros and cons. Some frameworks are highly prescriptive and have a narrow scope – cardholder and account data for PCI DSS, for example.

SOC 2, on the other hand, is more principles-based: it doesn’t mandate specific controls but rather assesses against the Trust Services Criteria.

ISO 27001 is another popular choice: it’s a risk-based framework, although it also has a set of example controls in the standard that many people choose to adopt.

NIST Cybersecurity Framework and its functions (Identify, Protect, Detect, Respond and Recover) can aid communication with business stakeholders but it has its limitations too.

Your particular industry may have other specialised sets of requirements, like NERC CIP for the electric power grid in North America. The list goes on.

Many organisations are subject to multiple regulations and pieces of legislation simultaneously, and have to adopt multiple frameworks and compliance regimes. If not managed appropriately, maintaining and demonstrating compliance across all of them can be labour-intensive. It helps to recognise that, although worded differently, controls from different frameworks often aim to achieve the same objective, so it pays to maintain a cross-framework control mapping to streamline your compliance program.

While achieving compliance with a security framework is often a necessary step in establishing a baseline level of security, it’s often not sufficient to mitigate modern threats.

Compliance frameworks were developed with a specific objective in mind – to reduce risk. And they can get you part of the way there, just not all the way. An organisation can be compliant but still insecure. Security leaders should go beyond compliance and move towards actively identifying and managing risks, focusing on the overall security posture and risk reduction to survive and thrive in the digital world.

Working as an Interim Head of Enterprise Architecture

Reference Architectures; Why, What and How, Architecting Forum

While working as a consultant, I had an opportunity to serve as an Interim Head of Enterprise Architecture for one of the banks in the Middle East. The objective was to set up an Enterprise Architecture function at the company and demonstrate its benefits. It was a rare chance to build a capability from the ground up and I wanted to share some of my learnings in this blog. I hope this will help people looking for their next opportunity.
