Business Security Weekly Episode #265 – June 13, 2022

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Boards & Cybersecurity, The New CISO Role, & Reskilling – 03:00 PM-03:30 PM

Announcements

  • Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

Description

In the Leadership and Communications section, Being concerned is not enough – What boards should know and do about cybersecurity, In the Case of Cybersecurity, the Best Defense is Education, Reskilling workers can help meet the cybersecurity staffing challenge, and more!

Hosts

Bill Brenner

@BillBrenner70

VP, Content Strategy at CyberRisk Alliance

Jason Albuquerque

@Jay_Albuquerque

Chief Operating Officer at Envision Technologies

Matt Alderman

@maldermania

Executive Director at CyberRisk Alliance

  1. Being concerned is not enough – What boards should know and do about cybersecurity – Cybercrime is a growing threat that will require C-level attention in organizations across the globe. We offer four steps boards can take toward establishing fit-for-purpose cybersecurity capabilities:

    1. Engage an objective expert view on the status quo of the organization’s cybersecurity maturity. Ideally, this assessment should ensure the necessary level of granularity while still providing readily understandable insights and priorities for the C-level audience (e.g., ADL’s Cybersecurity Matrix).
    2. Ensure regular oversight of the organization’s key indicators for cybersecurity performance, both leading and lagging, providing assurance that the controls in place are offering the right level of protection.
    3. Review fact-based and unvarnished updates on a regular basis. This not only facilitates progress tracking but also ensures that resources are allocated in the most effective way for reaching the intended maturity level.
    4. Enable the required governance and funding to reach the organization’s target state, based on a dedicated action plan, while ensuring identified vulnerabilities are immediately addressed. By following these steps, boards can measure, manage, and command cybersecurity performance toward a sustainable reduction of risk.

  2. Time to Look at the Role of the CISO Differently – The role of the CISO is becoming a true leadership role; what is required to get things moving is political acumen, managerial experience, and personal gravitas rather than raw technology skills.
  3. Staying Positive and On-Track in Uncertain Times – Leaders have had a very tough two years, trying to reassure and focus employees in the face of constant uncertainty, often struggling with their own stress and burnout as they address the rising mental health challenges of their employees. How can they stay centered, providing a clear and upbeat message to their teams while having to pivot frequently as conditions change? Here are three practical strategies for leaders to take care of themselves, all centering around understanding and managing one’s own mind: Beware of your ego; choose courage over comfort; and practice caring transparency.
  4. In the Case of Cybersecurity, the Best Defense is Education – Teach your staff, and install best-in-class edge protection, spam filtering, endpoint protection, anti-virus, dark-web scanning, and backup. Above all, don’t overlook the most important step: promote awareness and create a strong anti-cybercrime culture in your office.
  5. How to Spot — and Develop — High-Potential Talent in Your Organization – Organizations typically look to past performance to identify future leaders. But an employee’s track record doesn’t tell you who might excel at things they haven’t done before, nor does it identify early-career high potentials or people who haven’t had equitable access to mentoring, sponsorship, development, and advancement opportunities. The authors have developed a model for predicting leadership potential that’s grounded not in achievements but in three observable, measurable behaviors: cognitive quotient, drive quotient, and emotional quotient. They outline the telltale behaviors in each area, and explain how managers can coach employees to develop and refine their skills.
  6. Reskilling workers can help meet the cybersecurity staffing challenge – Developing a reskilling program in four phases:

    Phase 1: Foundation. Each unit created a three-year business growth projection for the top five digital skills, called new service offerings (NSOs). The units also created talent plans to meet the anticipated business growth projections for each NSO. This resulted in 36 new offerings, with the top five skills needed for each.
    Phase 2: Skills Forecasting. We planned for both long-term (five years out) and short-term (quarterly) skills needs. We used a variety of external and internal inputs for this forecasting model, including revenues, employee skill data, past allocations, and market trends.
    Phase 3: Program Implementation. This enabled reskilling as an alternative talent pipeline. More than 90% of these reskilled employees have been deployed to projects using their new skills.
    Phase 4: Scaling. We encouraged people to learn about cybersecurity and created awareness of the reskilling program. Employees are encouraged to participate through concrete financial and career incentives. Career incentives include skill tags, which quantify what an employee has learned in a way that is recognized in the market. For instance, “Cybersecurity expert” is a tag employees can earn to indicate their skill set and work on new projects internally and with clients.

  7. Nominations for SC Media’s 2022 Women in IT Security now open – To submit nominations, please enter all information into the entry form. Entries will close June 24, at which time the editorial team and members of the SC Media advisory board will begin the difficult task of reviewing all nominations and selecting honorees to be unveiled in September.

2. Defining Cyber Risk & Is the Market Ready for Integrated Cyber Risk Management? – 03:30 PM-04:00 PM

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • Don’t forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Description

Defining Cyber Risk With Bryan Ware

This year, RSAC is happening amidst the backdrop of major geopolitical tensions with cyber impacts; a continued, lingering pandemic and a potential economic downturn that cyber adversaries can and have leveraged to their benefit; and increasing technological innovation. All of this points toward ever-evolving cyber risk.

What are some of the key considerations that executives – both ones with cyber expertise and ones without – should keep in mind as they look to not only define cyber risk but also reduce it and ensure operational resiliency?

In this segment, we’ll hear thoughts from Bryan Ware, the new CEO of LookingGlass Cyber Solutions, former CEO of Next5, a business intelligence and advisory firm, and the first presidentially appointed Assistant Director of Cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS).
This segment is sponsored by LookingGlass Cyber. Visit https://securityweekly.com/lookingglass to learn more about them!

Is the Market Ready for Integrated Cyber Risk Management?

Cyber risk management is now a dynamic practice for security teams and leadership. It requires up-to-date risk intelligence across many factors – external, internal, third parties, cloud posture – to inform the right decisions and enable cyber risk quantification and risk modeling to be more dynamic. Victor will discuss what drove him to leave security leadership and start a company to solve the problems he experienced with cyber risk management and how the market is responding.

Segment Resources:
https://fortifydata.com/request-an-assessment

This segment is sponsored by FortifyData. Visit https://securityweekly.com/fortifydata to learn more about them!

Guest(s)

Bryan Ware

Bryan Ware – CEO at LookingGlass Cyber Solutions

As Chief Executive Officer at LookingGlass, Bryan provides guidance, direction, and vision to help the company meet its mission, support its customers, and expand impact.

Bryan is highly regarded as a technology leader and innovator, having started companies, patented technologies, raised venture capital and private equity, and recently served as America’s lead cybersecurity executive at CISA.

Prior to joining LookingGlass, Bryan was the Founder and CEO of Next5, a technology-focused business intelligence company, ensuring US leadership in critical and emerging technologies including AI, quantum, space, bio, and more.

Bryan served as the first presidentially appointed Assistant Director of Cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS), leading the 1,000-person, $1.25 billion organization through a period of intense volatility and aggressive interference from nation-state adversaries. At CISA, he developed the agency’s first five-year strategy to modernize its sensor and computing infrastructure, transform the way the agency delivers services, and scale to protect U.S. critical infrastructure. Prior to his operational role at CISA, Bryan was an Assistant Secretary at DHS, serving as the Secretary’s advisor on cybersecurity and emerging technology matters, and leading strategic initiatives across the U.S. government and its allies.

Victor Gamra

Victor Gamra – CEO and Founder at FortifyData

@fortifydata

Victor Gamra, CISSP, CISM, PCIP is the Founder and CEO of FortifyData. Prior to building a trusted Cyber Risk Intelligence company, Victor was the CISO for a credit reporting agency in Atlanta and saw the opportunity to fill a gap in the market with a platform that uses live data to represent cyber risk exposure accurately while reducing false positives and misattributions. Victor has previously spoken at cybersecurity events, training programs, and industry-specific virtual events.

Hosts

Bill Brenner

@BillBrenner70

VP, Content Strategy at CyberRisk Alliance

Matt Alderman

@maldermania

Executive Director at CyberRisk Alliance