Cybersecurity is IT’s Job, Why CISOs Fail, & Create a Culture of Security – BSW #258
In the Leadership and Communications section: Cybersecurity is IT’s Job, not the Board’s, Right?, Why Some CISOs Fail, How JetBlue creates a culture of security, and more!
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Security Weekly listeners, save $100 on your RSA Conference 2022 Full Conference Pass! RSA Conference will be live in San Francisco June 6th-9th, 2022. Security Weekly will be there in full force, delivering real-time, live coverage and interviewing some of the event’s top speakers and sponsors. To register using our discount code, please visit https://securityweekly.com/rsac2022 and use the code 52UCYBER. We hope to see you there!
- 1. Successful CEOs Navigate These 3 Phases of Leadership
  With any company, team, or project — leadership has three distinct phases. The trick is getting to the right one and staying there as long as you can. The good news is that once you come to terms with which leadership phase you’re in, it isn’t terribly difficult to right your own ship.
  Phase 1: You’re new to this particular leadership role. You’ve been appointed the leader, by yourself or by someone else, but you haven’t established leadership credibility. Mistakes and bad decisions will stick to you like glue. How you deal with the fallout is what establishes the credibility that moves you to the next phase.
  Phase 2: You’ve earned your stripes as a leader. Now you have the luxury to make a ton of bad decisions and mistakes in the name of progress. You’re pretty much Teflon. If you lead everyone off a cliff, they will blame the cliff.
  Phase 3: You’ve been in the leadership role too long, and your credibility as a leader has started to wane. This phase usually arrives after major turnover in the ranks, big changes to the business, or the unchecked build-up of those troublesome mistakes and bad decisions.
- 2. Keeping Sight of Your Company’s Long-Term Vision
  Crafting a powerful vision is often considered the sine qua non of great leadership, but it’s only the first step. How can leaders translate that vision into reality — a process that can take years — while the rapidly changing context distracts with the need for daily adaptation? The authors, both advisors to large firms which have undergone significant transformations, suggest three approaches: 1) structuring strategic planning processes around the vision, rather than letting it be an afterthought; 2) focusing experimentation on questions relevant to the long-term vision; and 3) investing in training programs to help staff embrace the skills and mindset needed to execute on the vision.
- 3. Cybersecurity is IT’s Job, not the Board’s, Right?
  Cybersecurity is a modern tech-savvy buzzword that often makes non-IT people’s eyes glaze over. This mindset is very risky, and cybersecurity should not be taken lightly. The truth is that cybersecurity, while highly technical at the developer level, uses the same principles and concepts as many other business-related legal risks. Directors for both public and private companies should be asking the right questions and taking steps to protect the business – and themselves – from cyberattacks.
- 4. Why Some CISOs Fail
  The role of Chief Information Security Officer (CISO) is new. It’s just 25 years since Steve Katz became the world’s first known CISO. There is no universally accepted definition of the role, its methods or its responsibilities, and CISOs are left to find or forge their own paths. Some fail to choose or find the right path.
- 5. How JetBlue creates a culture of security
  VP of Security Keith Slotter and his team have tapped 600 employees across the organization as part of a Security Champions program. The result is a strengthened security presence and an employee population engaged in security.
- 6. How to Get Cybersecurity Insurance (and Keep Costs as Low as Possible)
  Here are some ways to convince an insurer that you're worth the risk -- and keep costs as low as possible:
  - What you need to qualify: The first step is assessing your three estates: your company's enterprise network, your public cloud assets, and your remote operations.
  - How to keep your insurance: In reality, you have to apply greater rigor to keeping your insurance than when you qualified for it. It's imperative to establish a rhythm of communication and assessment with your carriers between renewals, for example, to determine the impact on indemnity as you invest in cybersecurity tools.
  - Lowering your premiums: Start with an all-hands-on-deck approach to mitigate higher cyber insurance premiums and keep your insurers happy. Show that your CEO is involved in tabletop exercises and that your board is engaged. Demonstrate that you have continuity in trained staff.