BSW #280 – Jeff Pollard

Senior executives are taking risk management more seriously, PwC found. But many are still concerned about business resilience: - Corporations around the globe are taking steps to prioritize cybersecurity with support from senior executives and board members, according to a study from PwC. However, many of those executives expect to see increased threats, according to the 2023 Global Digital Trust Insights study from PwC. - Two-thirds of executives see cyber criminal activity as the company’s leading threat. And almost half of security and IT executives expect to see a further increase in ransomware attacks in 2023, while 2 in 5 expect to see more serious attacks in the cloud, according to the study. - The study shows more than half of chief risk officers or COOs are very concerned or extremely concerned about the ability of their companies to withstand a supply chain attack.

The days of managing from the shadows are long gone for the CISO. As technology needs, reach, and partnerships of businesses evolve rapidly, the CISO can no longer remain unseen. Today’s CISO is more than an advisor to the C-suite with 88% of boards of directors viewing cybersecurity as a business risk. The role for the CISO has expanded to encompass advising the entire business and employees on how they can help ensure data security starting now.

While the impact of those and other cybersecurity risks is undeniable, too many organizations fail to build their cybersecurity strategies and tactics around the concept—and realities—of risk. Why? - Compliance blurs organizational vision for cybersecurity - Defining and measuring organizational risk - Get outside help to assess your cyber risk - Assess risk with the vision of the possible

Uber has been in news for several data breaches that it has endured over the years since 2014. However, something different has happened this time, not only for Uber, but for the whole of the cybersecurity industry, which raises serious concerns amongst cybersecurity professionals and the questions that are being asked at the moment — 1. Can CISO’s or other security professionals be held responsible and be personally liable for data breaches or the handling of these inappropriately? 2. Are we going to see mass CISO resignations if the CISOs are not ready for the new regime yet, or until they have further clarity on protections that may be offered to them? 3. How will the role of a CISO evolve? Is this case going to help to raise the profile of a CISO (‘Chief’ ISO) in a true ‘executive’ sense within the organisation? 4. The CISO job is tough as it is, now the role will also come with an added baggage of personal liability. Will this reflect in CISO’s compensation package, along with additional legal protection and indemnities? 5. The CISO role has been very broadly defined based on the size of the organisation they are working for. Is this going to affect how the CISO role is defined in the future along with accountabilities? 6. If a CISO can be used as a ‘scapegoat’ as apparently be the case here, will the CISOs put their own interests before their employer’s, i.e. CISO’s becoming more risk averse, potentially adversely impacting an organisation’s growth and progression?

More and more executives are realizing that the successful leader must be a good coach. But what do good coaches do? The authors cover five areas: Care for your teammates, Organize them into their “sweet spot,” Align them around the organization’s purpose and values, Challenge them to reach their full potential, and Help them reach their goals.

Here’s a list of cybersecurity audiobooks that are worthy of your time: 1. Cybersecurity: The Insights You Need from Harvard Business Review 2. Cybersecurity Program Development for Business: The Essential Planning Guide 3. If It’s Smart, It’s Vulnerable 4. Project Zero Trust: A Story About a Strategy for Aligning Security and the Business 5. The Art of Deception: Controlling the Human Element of Security 6. The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage 7. We Have Root: Even More Advice from Schneier on Security