Cyber security strategy and its execution are among the top priorities for a CISO. A strategy helps articulate the value of security, provides clarity on short- and long-term goals and outlines a cyber security uplift roadmap.
In this blog I recommend a proven step-by-step guide for developing a cyber strategy.
As technology becomes increasingly integrated into our daily lives, the importance of cyber security cannot be overstated. Cyber attacks are becoming more sophisticated, and the costs associated with them are rising. This is why it is crucial for businesses and organisations to have a robust cyber security strategy in place.
Recently, I had the opportunity to deliver a guest lecture at the University of New South Wales as part of the Cybersecurity Management and Governance course.
I discussed the importance of having a clear understanding of cyber security threats. I emphasised that cyber threats are constantly evolving, and businesses need to stay vigilant and adapt their security measures accordingly. This means that cyber security is not a one-time fix; it requires continuous effort.
I also spoke about current challenges and opportunities in the field and what skills and ways of thinking are particularly useful. It was a fantastic experience, and I appreciated the chance to share my insights with a group of future cyber security professionals.
Picture an easy Sunday morning. It’s sunny and quiet, with only birds chirping outside. You make yourself a cup of coffee and sit on the sofa to catch up on what’s happening in the world. You open your favourite news site and there it is – the first story of the day, in large font.
Breaking news: massive data breach! It’s your company in the headline.
This is the modern reality: cyber attacks are becoming increasingly common, and it’s no longer a matter of if but when.
How do you manage this PR nightmare? What do you tell the media? Can you regain the trust of your customers and partners?
These are not the questions you want to be thinking about in the middle of a crisis. The real story begins way before that. It starts with responsible data management practices and securing people’s information.
I am excited to be recognised as one of the Top 10 Cybersecurity Leaders in Australia driving innovation and demonstrating business value. Although relatively new to Australia, I had the opportunity to use my global experience to address key cybersecurity challenges within the Financial Services sector.
A massive thank you to my team – it’s a privilege to lead such high performing and dedicated individuals and be able to build a cutting-edge cyber capability. Congratulations to all the award winners!
How can security support the business? To answer this question in financial terms, I outline two sides of the story. On one hand, CISOs can demonstrate positive impact on the EBITDA through elevating security capabilities. On the other hand, we can list potential downsides of poor security practices from both revenue and cost perspectives.
It’s not about carrots and sticks, it’s about seeing the full picture of opportunity and risk.
I previously wrote about building security culture in the organisation. In this blog, I look at the security team itself and share some tips for CISOs on developing a culture of performance within their teams.
The CISO role can be stressful at times, so it’s important to have the right support network around you. The cyber security industry is still relatively small and some great communities have emerged around professional certification bodies and special interest groups.
Wherever you are in the world, it’s likely there will be a security meetup near you. And if there isn’t, you should definitely start one! These social gatherings don’t have to be face-to-face – online and fully remote options also exist.
Over the years I’ve been fortunate to be a member of some outstanding security leadership communities. It’s very rewarding to be able to share your experience and also learn from your peers. Feel free to reach out if you’d like an introduction.
Asset management is often regarded as the foundation of a security programme. You can’t protect something that you don’t know you have. This extends beyond internal systems to your organisation’s partners. Depending on the line of business, supply chains can get increasingly complex. They include vendors, manufacturers, retailers and distributors in multiple geographies and regulatory regimes. Securing such a network is no easy task and should start with visibility and careful risk management.
I previously wrote about the complexity of communication and the multi-faceted nature of the CISO role. Combining these perspectives, I would like to give an overview of what a communication strategy might look like for a security leader.
NISTIR 7756 Contextual Description of the CAESARS System
Knowing your existing assets, threats and countermeasures is a necessary step in establishing a starting point to begin prioritising cyber risk management activities. Indeed, when driving the improvement of the security posture in an organisation, security leaders often begin with getting a view of the effectiveness of security controls.
A common approach is to perform a security assessment that involves interviewing stakeholders and reviewing policies in line with a security framework (e.g. NIST CSF).
A report is then produced presenting the current state and highlighting the gaps. It can then be used to gain wider leadership support for a remediation programme, justifying the investment for security uplift initiatives. I wrote a number of these reports myself while working as a consultant and also internally in the first few weeks of being a CISO.
These reports have a lot of merit, but they also have limitations. They are, by definition, point-in-time: the document is out of date the day after it’s produced, or even sooner. By then the threat landscape has already shifted, the state of assets and controls has changed, and the business context and priorities are no longer the same.