Cyber Money Ball – BSW #240

If the best leaders are like gardeners, what characteristics can we learn from the green thumbs around us that we can translate into the workplace to see our employees bloom? 1. They Know 2. They Feel 3. They Protect 4. They Celebrate

In science the key question is “Is it true?” In management the key question is “Does it work?” But context is critical: Just because an idea works in a particular case does not mean it is a universal truth. If you set a stretch goal, make sure that the organization has some stretch in it, or it will break. To execute a strategy, you need a dashboard covering a wide range of performance indicators. If you treat those indicators as your strategic goals, be very sure that what you are asking for is what you want, because it is what you will get. Your business needs a value proposition for employees as much as it needs one for customers. In developing one, think hard about what “talent” means for you and do not forget that the real challenge is building an organization that enables average people to deliver an above-average performance. Develop good leaders, but do not neglect the skills of management, for no-one can perform if they do not have the right resources in the right place at the right time. Reduce bureaucracy to a minimum, but make sure you have enough structure to distribute decision rights in a rational way and enough process to enable people to know how the organization will work. To deal with external unpredictability, you need internal predictability. Ambitions, targets, talent, leadership, and culture are all important. But in each case, make sure that you’re using them rather than letting them use you.

There are three actions that CISOs must take to gain the credibility and confidence of their peers and stakeholders. The study confirms that if these actions are not taken in today's cyber world, it's an uphill battle: 1. Develop and manage key stakeholders. 2. Understand the business. 3. Be able to demonstrate value.

A simple security strategy is standardization augmented by innovation. Here’s what that looks like: 1. Consistency with industry best practices 2. Standardized design processes 3. A real-time feedback loop 4. Persistent employee education

Stakeholders and CISOs tend to have different perspectives on estimating the risk of a potential cybersecurity incident. Understanding the psychological aspects can help bridge the gap. When estimating potential risks, we often rely on our intuitive sense of danger. We tend to be too optimistic or overconfident. We might also be subject to confirmation bias or have a false sense of control that could skew our perspective. Although our brains are not necessarily optimized to assess the risk of cybersecurity incidents, we can do a couple of things to improve our chances. First, cybersecurity could learn from its older sister, physical security, as Matt Blaze suggested in an iconic paper published in 2004. The fundamental idea of the paper is that almost all systems can be broken given enough time.

A lot of conflicting information exists about cybersecurity. So, what shouldn't you believe? 1. Attackers Stand to Gain Nothing From Hacking My System 2. Using a Great Security Solution Is Enough 3. Implementing Cybersecurity Is Too Expensive 4. Cyber Threats Are Only External 5. I’m Safe Because I Have a Security Expert on My Team

Formal risk assessment methodologies can help take guesswork out of evaluating IT risks if applied appropriately. Here is real-world feedback on using COBIT, OCTAVE, FAIR, NIST RMF, and TARA. The Risk Management Framework (RMF) from the National Institute of Standards and Technology (NIST) provides a comprehensive, repeatable, and measurable seven-step process organizations can use to manage information security and privacy risk. It links to a suite of NIST standards and guidelines to support the implementation of risk management programs to meet the requirements of the Federal Information Security Modernization Act (FISMA). The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), developed by the Computer Emergency Readiness Team (CERT) at Carnegie Mellon University, is a framework for identifying and managing information security risks. It defines a comprehensive evaluation method that allows organizations to identify the information assets that are important to their goals, the threats to those assets, and the vulnerabilities that might expose those assets to the threats. Control Objectives for Information and related Technology (COBIT), from ISACA, is a framework for IT management and governance. It is designed to be business focused and defines a set of generic processes for the management of IT. Each process is defined together with process inputs and outputs, key activities, objectives, performance measures and an elementary maturity model. Threat Assessment and Remediation Analysis (TARA) is an engineering methodology used to identify and assess cybersecurity vulnerabilities and deploy countermeasures to mitigate them, according to MITRE, a not-for-profit organization that works on research and development in technology domains including cybersecurity. Factor Analysis of Information Risk (FAIR) is a taxonomy of the factors that contribute to risk and how they affect each other. Developed by Jack Jones, former CISO of Nationwide Mutual Insurance, the framework is mainly concerned with establishing accurate probabilities for the frequency and magnitude of data loss events.