Tag Archives: Cyber

Inclusion and accessibility: shaping culture and driving business outcomes

I’m grateful to have had an opportunity to continue to learn and contribute to the important discussion on building the culture of diversity, inclusion and accessibility in cyber security.

I like being on panels like this because it gives me an opportunity to share my views and continue to educate myself not only through research but also though lived experiences.

I believe shaping the inclusive culture begins with creating awareness about the barriers to diversity and inclusion. Accessibility is an important consideration. Testing new systems and processes with people with accessibility needs is key to discovering where issues may exist.

The best way to make security more accessible is to engage with the people who interact with it. Treating usability and accessibility together with other security requirements rather than a separate item is useful to ensure it gets built-in from the start.

Systems thinking in cyber security

Cyber security leaders deal with complex problems all the time, but only a few are well equipped to deal with such challenges effectively. Systems thinking is a discipline that can help CISOs improve their ability to see the bigger picture and move beyond simplistic linear cause-effect relationships and point-in-time snapshots.

Systems thinking is a mindset that encourages you to see interdependencies, processes and patterns of complex systems. Complex systems contain multiple interacting feedback loops and it is this feature that make them so challenging to understand, diagnose and improve.

In this blog I outline some examples of complex systems, recommend tools to begin to understand and influence them and demonstrate how these techniques can be applied to improve digital safety and security.

More

Navigating the ISO 27001:2022 transition

ISO/IEC 27001:2022 Summary of key changes

ISO 27001 is a widely adopted international standard that sets out systematic and adaptable approach to managing information security. It enables organisations to establish a culture of continuous improvement, staying ahead of emerging threats, and ensuring business resilience in the face of evolving cybersecurity challenges.

A new version of this standard – ISO 27001:2022 – was published on 24 October 2022. I recently led the transition to this version and wanted to share my key takeaways.

More

Implementing cyber security strategy

Illustrative example: cyber roadmap

CISOs and security leaders are often called upon to develop a security strategy. It’s an important step to understand what your current state is, in what direction you’re going and the roadmap to get there. It’s also an opportunity to demonstrate how cyber security activities and programs align to business objectives.

There is more to the CISO role than just setting the direction, however. It’s also about execution. As a security leader, it’s key to take ownership of the strategy and deliver on its promise. It’s useful, therefore, to be able to track progress against your objectives and demonstrate to the executive leadership team and the Board the impact the security team is making in enabling the business.

More

Cyber security operating model

Designing a target operating model for an organisation is a complex activity. It is important, therefore, to keep it simple initially. At a very high, level, I suggest CISOs start with three key capabilities:

  • Governance, Risk and Compliance
  • Security Architecture
  • Security Operations

These can then be decomposed further, tailoring to the needs of your particular organisation. Understand how each domain interacts with and supports the others, capturing key outcomes and dependencies for each function.

Key security capabilities are supported by Leadership and Governance streams, including Security Strategy, Business Alignment, Integration, Oversight, Optimization, Finance, Security Culture, Program Management, Stakeholder Management and Reporting.

Business as usual activities required to keep the lights on are often neglected when capability uplift is prioritized. For this reason, I placed it in the centre of the diagram, emphasising the ongoing importance of providing consistent security service to your organisation.

The NIST Cybersecurity Framework functions at the intersections of domains aim to illustrate the collaborative nature of the security teams. It’s important to go beyond silos , ensuring frequent interaction with the business as well as within the security department.

Scuba diving and cyber security

During one of my dives I pondered if there are any parallels we can draw between scuba diving and cyber security. They may seem like vastly different activities, but they share many important similarities. Both are dealing with unknown and often rapidly changing environments, where careful preparation, attention to detail and a focus are critical for success. I list some themes in this blog, feel free leave a comment to add your own.

More

I’ve been named as one of top 10 Cybersecurity Leaders in Australia

I am excited to be recognised as one of the Top 10 Cybersecurity Leaders in Australia driving innovation and demonstrating business value. Although relatively new to Australia, I had the opportunity to use my global experience to address key cybersecurity challenges within the Financial Services sector.

A massive thank you to my team – it’s a privilege to lead such high performing and dedicated individuals and be able to build a cutting-edge cyber capability. Congratulations to all the award winners!

Financial benefits of cyber security

How can security support the business? To answer this question in financial terms, I outline two sides of the story. On one hand, CISOs can demonstrate positive impact on the EBITDA through elevating security capabilities. On the other hand, we can list potential downsides of poor security practices from both revenue and cost perspectives.

It’s not about carrots and sticks, it’s about seeing the full picture of opportunity and risk.

More

Continuous control monitoring

NISTIR 7756 Contextual Description of the CAESARS System

Knowing your existing assets, threats and countermeasures is a necessary step in establishing a starting point to begin prioritising cyber risk management activities. Indeed, when driving the improvement of the security posture in an organisation, security leaders often begin with getting a view of the effectiveness of security controls.

A common approach is to perform a security assessment that involves interviewing stakeholders and reviewing policies in line with a security framework (e.g. NIST CSF).

A report is then produced presenting the current state and highlighting the gaps. It can then be used to gain wider leadership support for a remediation programme, justifying the investment for security uplift initiatives. I wrote a number of these reports myself while working as a consultant and also internally in the first few weeks of being a CISO.

These reports have a lot of merits but they also have limitations. They are, by definition, point-in-time: the document is out of date the day after it’s produced, or even sooner. The threat landscape has already shifted, state of assets and controls changed and business context and priorities are no longer the same.

More