Security & GRC
Hiring for Cybersecurity Roles

Headlines claim a cybersecurity talent shortage: What’s your experience? Benchmark against your peers.

What is the most important advice you can give the next generation of security professionals and CISOs?

Top Answer: Context is important. The path that one takes to being a CISO is very relevant and there are generally two paths. One path is to come up through the technical ranks. You understand technology at a certain level and you grow into management before ending up as a CISO. And the other path is to get your MBA. Among the MBAs that end up as CISOs, you’ll often find that they have never done security work hands-on, but they’ve gotten into that role because it has become far more business-centric than what it once was. I'm not saying either path is better or worse. They just come with different perspectives. I've met peers that couldn't break into something if I did it for them, but they're CISOs. And then I've met CISOs that come from a technical background and couldn’t talk to a board of directors if their career depended on it. A good balance of both technical skill and business acumen is what a CISO needs to succeed. You have to earn the respect of your cybersecurity rank and file, but you also have to be able to translate technology talk for the board and C-suite. You have to speak their language and that doesn't come naturally; it’s something you have to learn. Some CISOs see themselves as pure business people and will never have the respect of their actual cybersecurity ranks. But that's a mistake, because in the face of a real emergency, those people won’t be that effective. So my advice is: don't limit yourself in terms of your perspective. It's great to have the business perspective, and it's great to have the technical perspective, but this role is unique in that you need both.

What is the best annual security conference for CISOs?

What led you to get involved in multiple CISO communities?

Top Answer: I like sharing whatever I can to add value. But to me, it's a bidirectional activity. No matter how many years you've been in this industry, there's always something to learn. There's always a different perspective to absorb and I find that bidirectional exchange to be critical, even in terms of my day-to-day operations.

One of the coolest things that drives me to get involved in different organizations is the sector specializations that appeal to specific populations. For instance, in New York, you find a more financial sector type of perspective. Down here in North Carolina, there's more of a healthcare perspective. On the west coast of the US, you're probably going to find more of an entrepreneurial perspective. Each one of those presents an awesome dynamic to bring together and learn from.

End-User Security Training

As sophisticated as cybersecurity tools become, end users still need to be aware of cybersecurity risks. Benchmark your end-user training against your peers.

How would you describe cybersecurity regulation in the US as of today?

Top Answer: The issue with the regulations that exist is that auditing against them is nearly nonexistent. So no one follows them, making them worthless.

Are cybersecurity regulations going towards a Sarbanes-Oxley model?

Top Answer: What exactly do you mean by a Sarbanes-Oxley model?

If you had a magic wand - what's the #1 daily business challenge you'd eliminate?

Top Answer: Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.

What advice would you give aspiring CISOs who want to accelerate their career?

Top Answer: In the public sector, you can expect that your employee base will listen to whatever you say, because that's part of the DNA when you’re in government. If a security professional or executive says, “Don't click here,” then people won't because they know there are repercussions. That dynamic doesn't exist in the private sector. In that context, when you tell people, “Don't click here,” some will quickly say, “Why not?” So you have to learn how to tactfully navigate that difference.

But regardless of the context, having an overall balance between technical prowess and business acumen is critical. You need technical skill to perform strong, protective work and you need business acumen to deal with the C-suite and the board. If you don’t yet have that balance, you need to fill the gap so that you can be as close to the middle as possible. You can do both, but you have to put in that extra effort. You need to have the respect of your technical team members and if you're purely business-minded, you'll never get it. They'll know that you didn't come up through the ranks. I have no problem spending a weekend writing code if that's going to help my team. Much of the cybersecurity industry has become about buying and implementing products without a technical understanding of how they operate.

Ransomware

What is the current state of ransomware attacks? What level of defense and preparedness do companies have from their backup support?

Does a military background make you well-prepared for cybersecurity?

Top Answer: There is a component to leadership that is cultivated in you in the military. You get your combat boots and rifle, and then they give you a step-by-step course on how to lead a team. That transitions well into the civilian space where everybody's trying to figure that out. But what doesn’t necessarily translate well is being able to approximate how long it might take to do something properly. That leadership gives you an uncanny ability to prepare and plan. It could take four or five months to get something done in the public sector or in defense, where you make slow incremental progress, but in the commercial space, the same thing can be done in a fraction of the time for a fraction of the cost. It's a very different dichotomy in that sense. That leadership has served me incredibly well.

Why is burnout common in cybersecurity?

Top Answer: A lot of people don't recognize that you can’t constantly wear the cape and expect to keep the status quo. It's unattainable. Having a military background, I recognized a long time ago that there are only so many people I can save. I can do my best and it might still not be good enough, which is a fact of life. But you try to sweat in peace so you don't bleed in war. In cybersecurity, we're not permitting people to sweat right now because of the load that is placed on that individual the second they sign up for the job. I was privileged to do the remediation for a very large nation-state-level attack in Montreal in 2016. The CISO was handed his hat immediately because they were such a high-profile organization and the effect was global in dynamic. No matter how much money had been invested in their cybersecurity, both in terms of technology and resources, it still didn't matter. The CISO did as much as he could but was still left hanging in the wind. The team was left to pick up the pieces and carry on. Another CISO was dropped in and they ran things the same way their predecessor had done, as if nothing ever happened.

I’m coaching a number of CISOs in a group where we can share candidly, and I often hear from a lot of my female peers that there is an institutional bias thrust on them right away. At the same time, the pressure is gender-neutral in the sense that wherever you come from, there is this onus on you to put on the cape and go save the world. And you can't take a day off, so it sucks for everyone in a lot of ways. We have had powerful technology at hand, but I also know that I can't save the world and I'm not here to do that. There are certain pieces of the puzzle that you just cannot fix, so why put in the effort to try? Just mitigate as much as you can, until you get to a place where you know that you’ve done all you could.

If you've done your best, you’ve reduced the liability as much as possible because you are trying to do the right thing. When something does happen, and it will, you are better prepared than you were 8 months ago when you initially took on the role, which is often the case.
