Sacrificial CISO, Ask the Right Questions, and Handle Criticism Gracefully – BSW #286

There are many different types of CISO, with many different backgrounds and reporting in to many different business lines. One thing they have in common is their wide, strategic view they have of the business - or at least, it should be.

By the end of your 100 days run, aim to report on the following questions:

• What is our current capability maturity?
• What is the biggest threat to the organization?
• What part of the security posture requires the most urgent attention?
• What resources are required to address threats that will cause the organization most harm?
• How does the executive team want effectiveness of cyber investment reported?
• What is the organization’s risk if nothing changes?

CISOs differ on which is the more catastrophic cost to the business: business disruption or data exposure. Regardless, preparation is key. Here are some of the top ways that CISOs can guard against rising ransomware.

• Prepare to defend and recover
• Use a privileged access strategy
• Leverage comprehensive, integrated threat detection and response capabilities

Half-baked observations because fully-baked commentary is boring and unhelpful:

???? Your Actions are Magnified ???? Adapt Processes for Scale ???? Don’t Try to Own The Details ???? Find The Signal, Ignore The Noise ????️Narrowcasting > Broadcasting ????️ Know Your Influencers ???? Credibility is the Ultimate Currency ???? Don’t Mimic Someone Else’s Leadership Style ⚽️ Team is everything

In a fiercely complex and challenging world, C-suite and other senior leaders — and those coaching them — need to understand how their inner life is influencing their actions in the outside world. Instead, many corporate leaders focus on doing more than deep thinking, leaving what’s going on internally a vast unexplored territory that they haven’t valued much. That includes what they’re feeling, where they’re feeling triggered, and how early experiences in their lives influence the choices they’re making in the present. To develop on leadership skills like prioritization, decision-making, accountability, and more, the author describes how he’s coached leaders to think through more personal questions designed to better understand their motivations and impulses: Why are you the person and leader you are? Who are you capable of becoming? What’s standing in your way? This underlying premise is that you can’t transform a company without also transforming yourself.

How do you kickstart that program? Here are five steps that I’ve found effective for getting risk analysis off the ground.

1. Determine enterprise-specific assets
2. Value the assets
3. Determine relevant threats, assess vulnerability, and identify exposures
4. Define risk
5. Implement and monitor safeguards (controls)

Criticism may make you feel misunderstood or unappreciated, but it is important to be able to respond to criticism in a productive way.

6 Ways to Respond to Destructive Criticism 1. Be direct and address the issue  2. Recognize the context 3. Don’t take it to heart 4. Brush it off with a laugh 5. Pep-talk yourself  6. Avoid destructively critical people

6 Ways to Respond to Constructive Criticism 1. Thank the intention 2. Evaluate the input 3. Avoid anger & cultivate calm 4. Give them a notice 5. Turn destructive into constructive 6. Enlist accountability to help you change