Firing Your Entire Cybersecurity Team? Really? Board Doesn’t Care About Buzzwords! – BSW #278

With cybersecurity as a board-level issue, many CISOs face the same level of inquiry and scrutiny as a CFO or CEO. Cyber is no longer an abstract concept that can be assessed with the question “Are we secure?” and a brief “Yes.” Successful CISOs are leaders, communicators, and managers. All CISOs must be prepared to convey their organization’s progress to ensure business continuity, make informed decisions, and improve cybersecurity incident response plans.

We live in an IT world surrounded by buzzwords that are largely marketing gimmicks. Zero Trust, for example, is a concept no one actually understands and is slapped onto everything, including derivatives like Zero Trust networks (ZTN) and Zero Trust network access (ZTNA). Then there’s Secure Access Service Edge (SASE), Security Service Edge (SSE) and everything that falls under these frameworks such as Cloud Access Security Broker (CASB), Secure Web Gateway (SWG). If you’ve ever presented to a board of directors, then you’ll know that they don’t care about any of this. The only time the board encounters any industry jargon is when they read about it in the Financial Times or Wall Street Journal. I was asked about a buzzword once in my career and it was in 1999: “OK, Paul, what are we doing about Y2K?”

In preparation for SEC requirements, IT security managers should verify the preparation and corporate approval of: Risk Report - At least IT technical risks, but ideally includes general business risks as well. - List: - Specific risks - Likelihood of each risk without controls in place - Controls and policies that address specific risks - LIkelihood of each risk with controls and policies in place Policies - Policies should cover categories of risk and will often be entitled for the type of controls such as: - Data theft: encryption and data monitoring policies - Unauthorized access: access, password, and incident response policies - Zero-day vulnerability: Vulnerability detection and remediation policy - Policies should define minimum standards for controls to meet to mitigate risks. Controls - Controls should be implemented to meet or exceed policy requirements - For companies without existing policies, policies can be written that describe current IT standards in place (assuming they are sufficient).

Most of the long-running debate over “leaders” vs. “managers” focuses on nouns when it should focus on verbs. Everyone needs both “leading” and “managing” in their work, and the best executives balance the two. Over the last 15 years, the author asked a thousand executives about the difference between leading and managing, recording their responses. The distinction remains interesting and important, but it’s healthier as a balance that every individual tries to strike instead of as two distinct skillsets or roles within an organization.

The cybersecurity workforce shortage and related skills gap stubbornly persists. Here are five ways to attract talent now: 1. Make job postings more attractive to diverse candidates 2. Attract security-minded software engineers looking for opportunities 3. Find talent by offering incentives to collaborate with the security team 4. Invest in employee certification programs 5. Draw out gender diversity by getting girls interested early

What on earth were they thinking? That's what we – and other security experts – were wondering when content giant Patreon recently dismissed its entire internal cybersecurity team in exchange for outsourced services.