A practical approach
I’m thrilled to share that I’ve recently earned the GIAC Strategic Planning, Policy, and Leadership (GSTRT) certification- a milestone that validates my ability to architect and sustain cybersecurity programs with a sharp focus on business value and executive alignment.
Cyber security is a relentless race to keep pace with evolving threats, where staying ahead isn’t always possible. Advancing cyber maturity demands more than just reactive measures—it requires proactive strategies, cultural alignment, and a deep understanding of emerging risks.
I had an opportunity to share my thoughts on staying informed about threats, defining cyber maturity, and aligning security metrics with business goals with Corinium’s Maddie Abe ahead of my appearance as a speaker at the upcoming CISO Sydney next month.
Cyber security leaders deal with complex problems all the time, but only a few are well equipped to deal with such challenges effectively. Systems thinking is a discipline that can help CISOs improve their ability to see the bigger picture and move beyond simplistic linear cause-effect relationships and point-in-time snapshots.
Systems thinking is a mindset that encourages you to see interdependencies, processes and patterns of complex systems. Complex systems contain multiple interacting feedback loops and it is this feature that make them so challenging to understand, diagnose and improve.
In this blog I outline some examples of complex systems, recommend tools to begin to understand and influence them and demonstrate how these techniques can be applied to improve digital safety and security.
Not every conversation a CISO is having with the Board should be about asking for a budget increase or FTE uplift. On the contrary, with the squeeze on security budgets, it can be an opportunity to demonstrate how you do more with less.
To demonstrate business value and achieve desired impact, a CISO’s cyber security strategy should go beyond cyber capability uplift and risk reduction and also improve cost performance.
Security leaders don’t have unlimited resources. Significant security transformation, however, can be achieved leveraging existing investment and security resource levels.
CISOs and security leaders are often called upon to develop a security strategy. It’s an important step to understand what your current state is, in what direction you’re going and the roadmap to get there. It’s also an opportunity to demonstrate how cyber security activities and programs align to business objectives.
There is more to the CISO role than just setting the direction, however. It’s also about execution. As a security leader, it’s key to take ownership of the strategy and deliver on its promise. It’s useful, therefore, to be able to track progress against your objectives and demonstrate to the executive leadership team and the Board the impact the security team is making in enabling the business.
Cyber security strategy and execution is one of the top priorities for a CISO. It helps articulate the value of security, provide clarity on short and long term goals and outline a cyber security uplift roadmap.
In this blog I recommend a proven step-by-step guide for developing a cyber strategy.
How can security support the business? To answer this question in financial terms, I outline two sides of the story. On one hand, CISOs can demonstrate positive impact on the EBITDA through elevating security capabilities. On the other hand, we can list potential downsides of poor security practices from both revenue and cost perspectives.
It’s not about carrots and sticks, it’s about seeing the full picture of opportunity and risk.
I previously wrote about building security culture in the organisation, in this blog, I look at the security team itself and share some tips for CISOs to develop a culture of performance for their teams.
I previously wrote about the complexity of communication and the multi-faceted nature of the CISO role. Combining these perspectives, I would like to give an overview of what a communication strategy might look like for a security leader.
While in quarantine after arriving in Australia, I had a chance to catch-up on some learning.
I completed two specialisation tracks on Coursera offered by Macquarie Business School as part of their Global MBA programme. The courses covered a variety topics, including negotiations, change management, storytelling, board engagement, innovation, strategic management, sustainability, supply chains and more.
Cyber Security Leadership 