Business Security Weekly Episode #205 – February 08, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Evolution of the CISO Role – 03:00 PM-03:30 PM

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our YouTube channel, sign up for our mailing list, and join our Discord Server!

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Description

Ben Carr, Global Chief Information Security Officer at Qualys, steps in last minute to talk about his transition from Aristocrat to Qualys and the evolution of the CISO role.

Guest(s)

Ben Carr – CISO at Qualys

Ben Carr is the Chief Information Security Officer at Qualys. Ben is an information security and risk executive and thought leader with more than 25 years of results-driven experience in developing and executing long-term security strategies. He is focused on solving security issues that address current business objectives while balancing today’s operational risks. Ben has demonstrated global leadership and experience through executive leadership roles in advanced-technology, high-risk, and rapid-growth initiatives at companies such as Aristocrat, Tenable, Visa and Nokia. While at Aristocrat, Ben built a world-class global cybersecurity program from the ground up as part of a digital transformation. As a senior cybersecurity executive at Visa, Ben was responsible for developing and leading Visa’s global Attack Surface Management team and capability. Prior to his role at Visa he led all security programs for Nokia corporate IT as the Global Head of IT Security. He has a strong technical background, product development experience, and operational awareness centered around a data-centric and risk-based approach. Ben is on the Board of Directors for IT-ISAC, and has served on advisory boards for Mimecast, Qualys, Accuvant, and SentinelOne. Ben has also served on philanthropic advisory boards for PKU support and awareness.

Hosts

Matt Alderman – Executive Director at CyberRisk Alliance

Paul Asadoorian – Founder at Security Weekly

2. 9 Steps, the Big 8, & 7 Super Bowl Rings! – 03:30 PM-04:00 PM

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

In the leadership and communications section, 9 Steps for Effective Cybersecurity Risk Management, The Big 8: How to heighten cybersecurity governance, 7 Super Bowl rings for Tom Brady, and more!

Hosts

Matt Alderman – Executive Director at CyberRisk Alliance

  1. 9 Steps for Effective Cybersecurity Risk Management – To ensure effective cybersecurity risk management, follow this checklist:

    1. Understand the organization’s security landscape
    2. Identify the gaps
    3. Create a team
    4. Assign responsibilities
    5. Train and upskill employees
    6. Implement cyber awareness across departments
    7. Implement a risk management framework
    8. Develop risk assessment programs
    9. Create and maintain a sound incident response and business continuity plan

    However, don’t take all the advice from their next blog post, “The Next Cybersecurity Risk Management Model Post the COVID-19 Crisis”: https://blog.eccouncil.org/the-next-cybersecurity-risk-management-model-post-the-covid-19-crisis/.

  2. The Big 8: How to heighten cybersecurity governance – Below are eight steps organizations can implement to heighten cybersecurity governance:

    1. Recognize that the worst-case scenario has escalated
    2. Empower the CISO to directly report to the CEO
    3. Conduct reviews of internal cybersecurity policy
    4. Confirm your processes and controls are bulletproof
    5. Stay up to date on regulations
    6. Allocate at least 10 percent of your IT budget to cybersecurity
    7. Develop and regularly update a comprehensive incident response strategy
    8. Communicate with customers and suppliers

  3. Security and privacy laws, regulations, and compliance: The complete guide – This handy directory provides summaries and links to the full text of each security or privacy law and regulation.
  4. 3 ways to speak the board’s language around cyber risk – Framing the cyber risk conversation in ways that resonate with the board will help close the chasm between cyber risk and enterprise objectives. Here are three tips for communicating cyber risk to the board.

    1. Understand the board’s responsibility
    2. Present data in a familiar format
    3. Know your benchmarks

  5. How to translate threats and risk to C-suite – When communicating with the C-suite or shareholders, CISOs have to speak equal parts security and bottom line. Security experts can derive business value from risk- and threat-based analysis by using the “three P’s”: prediction, prevention and proaction. In doing so, security leaders are able to unpack a business risk for their C-suite and board.
    Here are two ways CISOs can cut to the chase:

    1. In a quarterly report, reserve a single slide for the business risks accumulated during that period in a graphic.
    2. Choose relevant information to share, not the full cyber threat intelligence report.

  6. 12 security career-killers (and how to avoid them) – Here are 12 common traits that security leaders say will keep you from advancing your cybersecurity career – and how you can avoid such a fate:

    1. Believing security is the end goal
    2. Getting stuck
    3. Acting like the smartest one in the room
    4. Being too timid
    5. Losing your cool
    6. Talking tech
    7. Sticking to yourself
    8. Failing to build other skills
    9. Staying still
    10. Staying in security
    11. Mistaking vulnerabilities for risks
    12. Being tactical, but not strategic

Paul Asadoorian – Founder at Security Weekly