Preventing Attacks Through Risk Management & Governance – Kevin Powers, Padraic O’Reilly – BSW #241
As a CISO tasked to present to the Board or other executives, communicating cybersecurity in business context is critical to success. Hear from Kevin Powers, who has taught hundreds of CISOs in his executive education courses how to level-up their presentation skills, metrics, and executive approach. Learn also from Padriac O'Rielly, CPO & Co-Founder of CyberSaint, about how some of the most cutting-edge security leaders are providing actionable, risk-based insights in Boardrooms and beyond to better build resiliency in the digital age.
This segment is sponsored by CyberSaint.
Visit https://securityweekly.com/cybersaint to learn more about them!
Padraic O’Reilly is Founder and Chief Innovation Officer at CyberSaint, where he leads product innovation and development. His experience as a Harvard-trained economist, risk management consultant, and deep cybersecurity expertise supports his current activity which spans working directly with public and private organizations to assess, measure, remediate, and communicate cyber risk. Working closely with large, highly regulated enterprise teams and CISOs, Padraic is dedicated to driving tangible value through linking cyber risks to control posture, innovating with CRQ models and AI, and enhancing cyber to business communication.
An expert in AI and financial modeling, Padraic works with global enterprises to research and deploy risk quantification, analysis, and communication strategies from board to SEC reporting. Padraic has been featured in publications and broadcasting stations such as CNN, the Wall Street Journal, Forbes, Fortune, the New York Times, and Bloomberg.
Kevin is the founder and director of the Master of Science in Cybersecurity Policy and Governance Program at Boston College, and an Assistant Professor of the Practice at Boston College Law School and in Boston College’s Carroll School of Management’s Business Law and Society Department. Along with his teaching at Boston College, Kevin is a Research Affiliate at the MIT Sloan School of Management, and he has taught courses at the U.S. Naval Academy, where he was also the Deputy General Counsel to the Superintendent. Kevin regularly provides expert commentary regarding cybersecurity and national security concerns for varying local, national, and international media outlets.
In an overabundance of caution, we have decided to flip this year’s SW Unlocked to a virtual format. The safety of our listeners and hosts is our number one priority. We will miss seeing you all in person, but we hope you can still join us at Security Weekly Unlocked Virtual! The event will now take place on Thursday, Dec 16 from 9am-6pm ET. You can still register for free at https://securityweekly.com/unlocked.
Throughout 2022, CRA's Business Intelligence Unit will be releasing research reports on the top topics across the security industry. Our first report will be on Third-Party Risk and the Supply Chain. To participate in the survey, please visit https://securityweekly.com/thirdpartyrisk. The results will be shared at our Third-Party Risk eSummit in January.
4 Things Boards Should Know, 4 in 10 Orgs Don’t Have a CISO, & Creating Culture – BSW #241
In the Leadership & Communications section for this week: Four Things Your CISO Wants Your Board to Know, 4 in 10 Organizations Do Not Employ a CISO, Creating a Culture of Cybersecurity, & more!
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Matt Alderman
- What Did Your Board of Directors Know, and When Did They Know It?In the SolarWinds lawsuit, the more significant issue is really not that the Board allegedly knew about the risks; it’s that they reportedly knew and then did nothing to prevent or mitigate it. In 2021, the role of the Board has shifted to limiting the damage of these attacks and ensuring those risks are accounted for by their organization. What the Board needs from its CISO is clear communication on what projects you have in place and how they relate to existing and potential threats.
- Four Things Your CISO Wants Your Board to KnowHere are four things your CISO wants your board to know. 1. In Order to Adequately Protect an Organization, Your Cybersecurity Budget Should be More Than 1% of Your Overall IT Spend 2. It’s Impossible to Provide Metrics on how Many Advanced Persistent Threats You’ve Blocked in the Past Month 3. Building a Culture of Cybersecurity as a Top-down Strategy is Imperative 4. Align Your Cybersecurity Strategy to an Acceptable Framework that Demonstrates Maturity Over Time
- 4 in 10 Organizations Do Not Employ a CISO: ReportOrganizations across the world have experienced swift changes in their business operations during the new normal. In particular, the adoption of the distributed work environment became a challenge for many companies, resulting in the rise of cyberattack risks. Several enterprises have increased their cybersecurity budgets to deal with new cybersecurity challenges. As the struggle of mitigating cyberthreats seems to surge, some organizations are wary about hiring security professionals. A recent analysis from cybersecurity solutions provider Navisite revealed that over 45% of organizations don’t employ a Chief Information Security Officer (CISO). Of this group, 58% think their company should hire a CISO.
- The CIO’s role in strengthening information securityIf you're a CIO charged with maximizing security outcomes, while at the same time ensuring projects are implemented and everything "just works," focus on strengthening your relationships with those who can help you. Security is about buy-in, and it's especially important for those who don't fully understand it.
- 5 New Rules for Leading a Hybrid TeamHere’s how leaders can build great teams, even when those teams aren’t together in-person all the time. 1. Make work purpose driven. 2. Trust your people more than feels comfortable. 3. Learn in the small moments. Send people — and yourself — nudges. 4. Provide clarity. Be more decisive than feels comfortable. 5. Include everyone. Take a long hard look in the mirror.
- Creating a culture of cybersecurityThink about cybersecurity not as an IT issue, but as a senior executive and leadership issue. Cybersecurity and cyber protection are often thought of as reactive measures, but organizations need to start seeing cyber protection as a way of planning. Similar to financial planning, cybersecurity should be incorporated as a part of everyday business. It's not an add-on; it should be embedded in the organization, or "embedded endurance strategy".
