CEOs – Do You Know Where That Cyber Risk Report Came From? – Jerry Layden, Kevin Powers – BSW #263
Boards and CEOs are asking what their cyber risk posture is, and they aren't getting clear answers. Reports produced from assessments oftentimes are built on stale data rather than real-time compliance and risk data. How should C-levels be thinking about cybersecurity posture reporting, and how can they manage cyber risk in real-time as opposed to point-in-time? This segment is sponsored by CyberSaint. Visit https://securityweekly.com/cybersaint to learn more about them!
Kevin is the founder and director of the Master of Science in Cybersecurity Policy and Governance Program at Boston College, and an Assistant Professor of the Practice at Boston College Law School and in Boston College’s Carroll School of Management’s Business Law and Society Department. Along with his teaching at Boston College, Kevin is a Research Affiliate at the MIT Sloan School of Management, and he has taught courses at the U.S. Naval Academy, where he was also the Deputy General Counsel to the Superintendent. Kevin regularly provides expert commentary regarding cybersecurity and national security concerns for varying local, national, and international media outlets.
As CEO of CyberSaint, I lead a team focused on transforming how organizations understand and manage cyber risk. We’re building a real-time, data-driven platform that connects security to business impact, helping enterprises move beyond compliance to measurable risk reduction and operational resilience.
My focus is on aligning cybersecurity with business outcomes, enabling executives to make confident, financially grounded decisions about risk, investment, and growth.
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Security Weekly listeners, save $100 on your RSA Conference 2022 Full Conference Pass! RSA Conference will be live in San Francisco June 6th-9th, 2022. Security Weekly will be there in full force, delivering real-time, live coverage and interviewing some of the event’s top speakers and sponsors. To register using our discount code, please visit https://securityweekly.com/rsac2022 and use the code 52UCYBER. We hope to see you there!
CISO MindMap 2022, Top CISO Strategies, & The Missing Link in Cybersecurity – BSW #263
In the leadership and communications section, CISO MindMap 2022: What do InfoSec Professionals really do?, CISO Shares Top Strategies to Communicate Security's Value to the Biz, Security leaders chart new post-CISO career paths, and more!
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Matt Alderman
- CISO MindMap 2022: What do InfoSec Professionals really do?Recommendations for 2022–2023: 1. Re-evaluate ransomware defenses, detection and response capabilities, perform a business impact analysis and identify critical processes, applications and data. 2. Reduce/consolidate security tools/technologies and vendors. More tools don’t necessarily reduce risk but do add the need for maintaining expertise on security teams. 3. Train staff on business acumen, value creation, influencing and human experience to serve business better. I can’t emphasize this enough. 4. Take an inventory of open source software (both direct and indirect use) and make it part of your vulnerability management program. 5. Build team expertise in technology fields including machine learning (ML) models, model training, API security, service mesh, containers, DevSecOps. 6. Maintain a risk register.
- World’s Largest Cybersecurity Benchmarking Study Finds that Top Executives Believe their Organizations are Not Prepared for New Era of RiskGround-breaking analysis reveals industry metrics and best-performing cybersecurity strategies: 1. Take cybersecurity maturity to the highest level 2. Ensure cybersecurity budgets are adequate 3. Build a rigorous risk-based approach 4. Make cybersecurity people centric 5. Secure the supply chain 6. Draw on latest technologies but avoid product proliferation 7. Prioritize protection of links between information and operating technologies 8. Harness intelligent automation 9. Improve security controls for expanded attack surfaces 10. Do more to measure performance
- Equifax’s Jamil Farshchi: Security shouldn’t be a trade secretEquifax CISO Jamil Farshchi has pulled back the curtains on cybersecurity operations, saying that he believes “transparency to all stakeholders to the deepest degree reasonable” makes for a more secure company.
- CISO Shares Top Strategies to Communicate Security’s Value to the Biz5 Key Tips for Communicating Security Effectiveness: 1. Know your audience 2. Don't start with metrics 3. Be quantitative 4. Remember that security is a team effort 5. Pair empowerment with accountability
- The missing link in the cybersecurity marketI’d like to offer a different approach to solving the market failure, so organizations can enjoy the benefits of both worlds – mitigating cyberthreats through a range of products without drastic integration and maintenance efforts. Vertical innovation should continue to protect new technologies and neutralize new threats; however, at the same time, entrepreneurs and venture capitalists need to encourage horizontal innovation. Horizontal innovation sprouts “horizontal products,” weaving together capabilities from different categories and segments into an effective defensive front. At the core of horizontal innovation lies smart integration, orchestration and automation capabilities powered by AI algorithms.
- Security leaders chart new post-CISO career pathsCISOs themselves, however, have some pathways mapped out: - 47% of survey respondents said they want to become board members; - 44%, chief security officers (a role that includes physical as well as information security); - 18%, entrepreneurs/consultants; - 16%, chief risk officers; - 12%, CIOs; - 8%, private equity officers; - 3%, CEOs; and - 2%, developers of new tools at a security firm. Some 5% said “other,” while 3% said they preferred not to answer. Only 9% wanted to retire.
- 5 Interview Questions That Screen for Success in Hybrid WorkplacesSuppose you're hiring for a new hybrid role. In that case, it's important to remember that you'll be screening a diverse mix of candidates, some of which are familiar with working independently and some which might be entirely new to the idea of in-office work. To hire for success, consider asking the following questions. 1. What makes you want to work in a hybrid work environment? 2. If you have worked in a remote or hybrid role before, what were the challenges you faced and how did you overcome them? 3. What's your ideal schedule in a hybrid role -- how often would you like to work at home and be in the office? 4. How essential is teamwork and collaboration to you, and how do you expect to make this work while working remotely? 5. How comfortable are you with learning new technology?
