December 20, 2023

00:41:05

Episode 235 Deep Dive: Dan Elliott | Understanding Cyber Risk Management: Strategies for Effective Communication

KBKAST


Show Notes

In this episode, we are joined by Dan Elliott (Principal for Cyber Security Risk Consulting – Zurich Resilience Solutions) as we delve into the critical topic of aligning cyber leaders with business objectives. We explore the challenges of communicating cyber risks effectively, dissect the need for a common language in cybersecurity, and discuss the evolving role of CISOs as business enablers. Join us as we tackle the intricacies of cyber risk management, the importance of understanding business goals, and the quest for a universal language in the cyber world.

Dan Elliott is the Principal for Cyber Security Risk Consulting at Zurich Resilience Solutions (ZRS) Canada and is responsible for supporting ZRS’s clients in making risk-based cybersecurity decisions to improve their overall organizational resilience. Dan has over 15 years of experience in national security and risk management and brings a unique perspective to cyber risk, having spent six years as an Intelligence Officer with the Canadian Security Intelligence Service (CSIS). Prior to that, he spent nearly a decade in law enforcement and intelligence, investigating multinational criminal organisations both online and in person. He evaluates cyber risk with the knowledge of international threat actors and the potential impact they pose to businesses and critical infrastructure, helping organizations improve their overall risk posture.

Dan is also trained in multiple cyber risk management frameworks and holds specialized expertise in stakeholder management and strategic program design. He speaks internationally about the communication challenges that exist between traditional technical professionals and business leaders. He is a regional board member of the Risk and Insurance Management Society (RIMS), a Risk Fellow (RF) and is a Certified Risk Management Professional (CRMP and CRM). Dan is a contributing member of the Cybersecurity Advisors Network (CyAN), a volunteer member with ISACA and is accredited as Certified in Risk and Information Systems Controls (CRISC).


Episode Transcript

[00:00:00] Speaker A: There really isn't a way to say, yes, we are secure. If you're saying that in full confidence, you either have a better budget than I did in the government or you're lying to yourself because you really don't know what's out there. So as a security professional, you really have to be confident in your own skin to explain to your boss or the board or both that I am not sure if we're secure, but I'm confident that we're resilient enough to get back up.
[00:00:32] Speaker B: This is KBKAST as a primary target.
[00:00:36] Speaker A: For ransomware campaigns, security and testing and.
[00:00:40] Speaker B: Performance risk and compliance. We can actually automate that, take that data and use it. Joining me today is Dan Elliott, principal cybersecurity risk advisory from Zurich. And today we're discussing how to better communicate cyber risk. So, Dan, thanks for joining and welcome.
[00:00:58] Speaker A: Thanks very much for having me, KB.
[00:01:00] Speaker C: Pleasure to be here.
[00:01:01] Speaker B: So communication is obviously something that's near and dear to me, but we want to now focus it on cyber risk. So maybe let's start there. I want to hear your view on cyber risk. And what does this mean to you specifically?
[00:01:15] Speaker A: Yeah, so cyber risk to me covers.
[00:01:18] Speaker C: More than just financial loss.
[00:01:20] Speaker A: So it's financial, operational and more importantly, in a lot of cases, reputational loss from some threat or vulnerability within the entire digital environment.
[00:01:31] Speaker C: And in the way I deal with.
[00:01:32] Speaker A: It within an organization, whether it be.
[00:01:35] Speaker C: A company, an NGO, a government entity.
[00:01:38] Speaker A: So it's looked at as a strategic.
[00:01:41] Speaker C: Risk because it has potential for catastrophic.
[00:01:45] Speaker A: Losses and it's very difficult to measure.
[00:01:48] Speaker C: But it encompasses beyond just their in house technical environment.
[00:01:53] Speaker B: Yeah, this is really interesting, and I think this is where I want to get into it a little bit more simply because do you think so what's coming to your mind as you're explaining that is with executives or people that you're talking to, do you think conceptually, people understand cyber risk, just pure and simple?
[00:02:11] Speaker A: No. I think that it is a very.
[00:02:13] Speaker C: Challenging concept in term, and part of.
[00:02:16] Speaker A: It is due to the technical nature of it and the assumption and the.
[00:02:21] Speaker C: Belief that because it's very technical, there's.
[00:02:23] Speaker A: No way I can clearly understand it.
[00:02:25] Speaker C: If I'm not from a technical background. And the other side of it is that within the media and within, if we speak the media en masse and also publications, there's this push of numbers and the notion that everybody's going to.
[00:02:42] Speaker A: Get hit and there are huge losses.
[00:02:45] Speaker C: And it becomes this thing that is.
[00:02:47] Speaker A: So large and so immense and yet.
[00:02:49] Speaker C: So poorly understood that a lot of.
[00:02:53] Speaker A: People just leave it alone, and they don't want to consider it in the same category as their other strategic business.
[00:02:59] Speaker C: Risks, because they understand those. They've taken years and decades to measure and manage them.
[00:03:05] Speaker B: But don't you think we make it technical, though maybe not on purpose, like convolute everything that we're sort of saying?
[00:03:11] Speaker A: Yeah, I think that that is clearly the problem, and I think everybody has to own a bit of the justification for that, the reasons for that.
[00:03:21] Speaker C: There's some cognitive dissonance on the part of nontechnical executives that may have the view that I don't understand it today, so I never will understand it.
There's a bit on the other side of that authority bias, where if I.
[00:03:36] Speaker A: Use acronyms in highly technical terms, then I am the smartest person in the.
[00:03:41] Speaker C: Room in this discussion, and therefore, I'm not going to lose my job, and.
[00:03:46] Speaker A: I'm always going to have a place in this discussion, in this piece of importance.
[00:03:50] Speaker C: The challenge also falls that people will.
[00:03:54] Speaker A: Always default to the nature of language.
[00:03:56] Speaker C: That they find most comfortable. So when you bring a person who came up traditionally technical into a boardroom setting, they feel comfortable in those technical terms, the acronyms, the way in which they've spoken their entire professional lives, and now they're dropping that on the laps of people who came up with a.
[00:04:18] Speaker A: Different language where they didn't speak in those terms, and they don't understand those acronyms.
[00:04:23] Speaker B: But who cares if you're not the smartest person in the room? Why are so many people driven by that? I don't even think like that. I don't sit there and go, I'm the smartest person in the room. And I hear that exact thing that you were saying, Dan, right across the world. Why is that a thing? Who cares if someone's smarter or not? Doesn't matter, does it?
[00:04:42] Speaker C: I think it is part of that ego drive, maybe.
[00:04:46] Speaker A: And it's my supposition, based on my.
[00:04:50] Speaker C: Experience, that part of it is driven by a fear of inadequacy in another professional area. So there are some people who've come up with very strong technical background and are very knowledgeable in their area, and they've taken on an area of strategic leadership where they have to understand the finances and the business side of the organization, an area that they don't feel comfortable and confident in, and it makes.
[00:05:20] Speaker A: Them feel less than in an area of their job.
[00:05:23] Speaker C: So feeling overconfident in another area of their job helps to balance that out. It's not to say that all technical leaders are taking that stance, but that.
[00:05:33] Speaker A: Is definitely a part of it that is out there.
[00:05:36] Speaker C: And there's another side of it that.
[00:05:38] Speaker A: We default to our area of comfort.
[00:05:41] Speaker C: And if your area of comfort is.
[00:05:44] Speaker A: That technical language that you've spent years.
[00:05:46] Speaker C: Getting really good at, then you may.
[00:05:49] Speaker A: Not even be doing it on purpose.
[00:05:50] Speaker B: I like to think it's maybe the latter. One of the things that I want to ask you about then, on that point is your whole premise in security, though, is to get the business to understand more about security, not to sort of inflate your ego about, oh, I'm the smartest person. So that's your job, though, to not be so technical in order to understand what the business wants. Do you think people lose sight of their goal?
[00:06:17] Speaker C: So I think that may be part.
[00:06:21] Speaker A: Of it, but it's also that being the goal. Is the goal to understand what the business wants, or is the goal to secure the organization?
[00:06:30] Speaker C: And if a technical leader, if a.
[00:06:32] Speaker A: CISO, IT director, whatever your role may.
[00:06:35] Speaker C: Be, if you haven't aligned that goal with the business, then you may be missing the mark for sure. I think the first thing that should.
[00:06:44] Speaker A: Be happening when you get into that.
[00:06:45] Speaker C: Senior role is discussing with the C suite, with the board, with the heads of business units, what the goal is.
[00:06:53] Speaker A: And supporting the business in achieving those goals. And that will make it easier to.
[00:06:58] Speaker C: Communicate with them using language that is familiar to them, using concepts that are familiar to them, and will also help.
[00:07:06] Speaker A: You build those familiar relationships.
[00:07:08] Speaker C: So you don't feel it as necessary.
[00:07:10] Speaker A: To use technical terms because you are more comfortable.
[00:07:14] Speaker B: So it goes back to the whole cyber risk conversation, better communicating that, having that alignment. And I'm guessing this is where the fall down is on not having the alignment, which is why people may not understand the cyber risk. Is that a fair assumption?
[00:07:28] Speaker A: I think that the alignment is a big piece of it and not having.
[00:07:32] Speaker C: The language to be able to get across the other side of that expanse.
[00:07:38] Speaker A: So even if you're aligned with the.
[00:07:40] Speaker C: Business, if you don't realize that there's.
[00:07:45] Speaker A: A lexicon on the other side that.
[00:07:47] Speaker C: You're not speaking that would benefit you.
[00:07:51] Speaker A: Then even if you're aligned with the business, you may not be able to.
[00:07:54] Speaker C: Cross that space to get what you.
[00:07:57] Speaker A: Really need or to really support the.
[00:07:59] Speaker C: Business in the best way possible.
[00:08:00] Speaker B: But then would you think perhaps that person's in the wrong role? So, like, for example, if I'm having an operation, I'm talking to the doctor, the surgeon. Yes. They're going to talk technical stuff, but then they're going to relay it in a way, as a patient that I would understand, like, hey, we need to randomly amputate your leg. They're going to use all these other terms that I don't know because I'm not a doctor, I don't work in the medical field. But then they also explain it to you in a way that you at a high level can understand what's happening, but we haven't really gotten there in cybersecurity. So is this a maturation thing? Is it the people are in the wrong roles? Is it the people pumping up their own ego? Will we ever get to a state that we are talking the same language?
Or do you think there will always be this ongoing battle?
[00:08:47] Speaker A: I do think we'll get there.
[00:08:49] Speaker C: I do believe that it's a maturation.
[00:08:53] Speaker A: Piece within the industry.
[00:08:54] Speaker C: I think it is difficult to get.
[00:08:57] Speaker A: There when the turnover for CISOs and heads of cybersecurity is still so quick.
[00:09:04] Speaker C: By comparison to other C level executives. And that does make it challenging. There's still a large proponent of C.
[00:09:13] Speaker A: Level executives that think that the CISO.
[00:09:15] Speaker C: Is not in the C suite, and as such, is the person in that.
[00:09:20] Speaker A: CISO role going to make the full effort to learn all the language and all that they need to do to.
[00:09:27] Speaker C: Excel at that C suite level?
[00:09:29] Speaker A: I would hope that we get to.
[00:09:31] Speaker C: A point where it becomes commonplace for CISOs who come above that technical level.
[00:09:39] Speaker A: To a strategic level of management or.
[00:09:42] Speaker C: Strategic level of executive role to take.
[00:09:45] Speaker A: On true risk management education and leadership education. So they understand how to evaluate financials.
[00:09:54] Speaker C: How to measure the operating efficiency of.
[00:09:57] Speaker A: A business, how to communicate risk in a business sense rather than from a technical control sense. And that way you can learn some.
[00:10:06] Speaker C: Of the parallels between what you're doing.
[00:10:09] Speaker A: And the controls you're putting in place and what exists throughout the rest of the business.
[00:10:13] Speaker B: So why do you think people don't believe a CISO is in the C suite? Like CISO, the very first word is chief. So what's with that?
[00:10:23] Speaker C: Well, that's probably a discussion above my pay grade. The reality is that it is a very difficult nut to crack to get inside the C suite.
[00:10:36] Speaker A: I think that we have to get to a generation where CISOs are acting.
[00:10:40] Speaker C: As if where CISOs en masse are.
[00:10:44] Speaker A: Speaking the same language as everybody else.
[00:10:46] Speaker C: In the C suite with this added technical expertise rather than the very strong.
[00:10:52] Speaker A: Technical expertise, and then some added strategic.
[00:10:56] Speaker C: Business management or strategic risk acumen on top of it. And I think that will really help in paving the way.
[00:11:05] Speaker A: In some of the organizations that I've.
[00:11:07] Speaker C: Worked with, that CFO or CIO or.
[00:11:11] Speaker A: Other C level executive that acts as.
[00:11:13] Speaker C: A buffer is there because maybe that.
[00:11:17] Speaker A: CISO or that IT director is newer or doesn't have the same level of.
[00:11:24] Speaker C: Business knowledge that the CIO does, or.
[00:11:27] Speaker A: The CTO or the CFO or whoever they're reporting to.
[00:11:31] Speaker C: It's a very traditional space. So I think it will take a lot of time to get a large.
[00:11:38] Speaker A: Number of CISOs reporting directly to a.
[00:11:42] Speaker C: CEO or sitting within the C suite writ large. I think in the meantime, we as.
[00:11:49] Speaker A: A group need to be taking on that space and taking on all of.
[00:11:53] Speaker C: The ownership of that role, regardless of who we're reporting to.
[00:11:57] Speaker B: Okay, so there's a couple of things in there I want to just press on a little bit more. So you mentioned CISO and friends coming more out of the control level and more to the strategic level. So how can people go about doing that? How do you sort of go? Well, I'm actually thinking maybe not strategically. How do you get to the point where you are thinking more on that strategic level?
[00:12:17] Speaker A: Well, I think it begins with collaboration. First, if you're not having regular meetings.
[00:12:22] Speaker C: With other business unit leaders and with the leaders of risk and finance within the organization, you're not going to understand.
[00:12:32] Speaker A: What are the things that keep them.
[00:12:34] Speaker C: Up, what are the goals, what are.
[00:12:36] Speaker A: Their KPIs, what are they trying to.
[00:12:38] Speaker C: Achieve in order to win and to really operate effectively at that level, your.
[00:12:45] Speaker A: Job is to help the organization win. I was speaking to one recently retired.
[00:12:52] Speaker C: CISO, who told me a story that.
[00:12:54] Speaker A: He went to his CEO and told.
[00:12:57] Speaker C: Him, I'm your most effective marketing department and I'm your most cost effective. And he said, the reason is that.
[00:13:04] Speaker A: When one of our competitors gets hit.
[00:13:07] Speaker C: Gets breached, if their products come off.
[00:13:10] Speaker A: The shelves, we're there for our customers.
[00:13:13] Speaker C: And the amount of money you spend.
[00:13:15] Speaker A: To convince one of their customers to.
[00:13:18] Speaker C: Switch to our products versus us being.
[00:13:22] Speaker A: The only ones on the shelves, it guarantees that we're being picked up. And it was this switch in thinking.
[00:13:28] Speaker C: And I give him full credit, that.
[00:13:31] Speaker A: Was an ingenious way to look at.
[00:13:33] Speaker C: It, but it was taking it out of the pure security aspect and starting to look at your role as a business enabler from a different lens, from the lens of how am I helping the marketing department, how am I helping.
[00:13:49] Speaker A: Distribution and operations and all these other.
[00:13:51] Speaker C: Areas of the business, and that starts to take you out of a pure security controls level.
[00:13:57] Speaker B: Yeah, that is really interesting. And I mean, it's a great point. Makes sense. And that's the other problem. People need to think about how a CEO thinks.
It is about top line revenue. It is about reducing risk. Those are the types of things that CEOs care about. That's their job, that's why they're in the role. So I think you make great points. I do think it's a maturation thing. I am aware that security just used to be an independent silo, and people just think, well, I just pour money into it and I don't really see a return. I do think it's changing. And you mentioned before, Dan, it's going to take time. So how much time do you think? So do you think if I bring you back on the show in ten years' time, which I believe I'll be doing this show in ten years, will we see a massive.
[00:14:38] Speaker A: I'll still be here to join you in ten years, so why not?
[00:14:41] Speaker B: Well, I'm just curious. I'm trying to get like a barometer on. Even in, I don't know, maybe the last twelve months I've seen a shift in Australia, probably because of the breaches, unfortunately. Yeah, it was an awful thing that happened. But sometimes there is a bit of a silver lining, people. There's a wake up call. So do you think that even in two years, what you're talking about today will not be so foreign to a lot of people?
[00:15:03] Speaker C: I think it's getting better. I've been to conferences all over the.
[00:15:08] Speaker A: World speaking about this to both risk leaders, C suite executives, and IT and cybersecurity leaders.
[00:15:16] Speaker C: And people are there listening, trying to gain this understanding.
[00:15:22] Speaker A: So there's a clear understanding across multiple.
[00:15:25] Speaker C: Industries that there's a gap and there's.
[00:15:29] Speaker A: A desire to close that gap. So I truly hope that in less than ten years' time we'll get there.
[00:15:37] Speaker C: But there are some leaps and bounds.
[00:15:38] Speaker A: That need to be taken.
[00:15:42] Speaker C: I love analogies, I like statistics less.
[00:15:46] Speaker A: But there was one statistic that I.
[00:15:48] Speaker C: Did find interesting that really struck me.
[00:15:51] Speaker A: From a C suite survey that was.
[00:15:54] Speaker C: Done in 2022, where more than a third of the executives that were interviewed.
[00:15:59] Speaker A: And these are nontechnical, so non CISO.
[00:16:02] Speaker C: So your traditional C suite, more than a third of them that were interviewed.
[00:16:07] Speaker A: Described basic cybersecurity terms as too complicated and confusing. And the three that were listed in the survey were malware, phishing and ransomware. And if you ask a group of IT professionals and CISOs, are these terms technical? The vast majority would say no. So we still have to get to.
[00:16:27] Speaker C: That point where.
[00:16:30] Speaker A: We are accepting that.
[00:16:32] Speaker C: Not everybody sees our standard language as their standard language. I went to the same. I was at a risk conference last.
[00:16:40] Speaker A: Month, and I asked risk executives if the concept of risk capacity and risk.
[00:16:46] Speaker C: Appetite is technical, and the room almost unanimously said no. But speaking to IT professionals, the vast.
[00:16:56] Speaker A: Majority of them that I speak to aren't able to accurately define those concepts.
[00:17:01] Speaker B: Yeah, you're so true. I remember years ago, I just ran into a conversation, and I was like, look, keep it high level. This guy immediately started talking about, like, fiber optic cables, and I'm just like, whoa. That is not what I was having. Thinking in my mind. But look, it happens. This is why we have these conversations. So you have been at a lot of conferences. I have noticed that. On LinkedIn. I follow you on LinkedIn. I like your stuff. So I want you to talk to me a little bit more about your analogy about a Rosetta stone and what it is. And what does this mean for you? You're using this in your conferences. I want to hear a little bit more.
[00:17:35] Speaker C: Sure.
[00:17:36] Speaker A: This is kind of my soapbox that.
[00:17:39] Speaker C: I love standing on. The Rosetta stone concept is stolen, I.
[00:17:45] Speaker A: Guess, from the original Rosetta stone, which.
[00:17:47] Speaker C: Was literally a stone tablet that allowed.
[00:17:51] Speaker A: Us to understand a language that we couldn't speak.
[00:17:54] Speaker C: So there was a time when we could not read. Well, we. I still can't.
[00:17:59] Speaker A: But when really smart archaeologists could not.
[00:18:02] Speaker C: Read hieroglyphics, and it was just a.
[00:18:05] Speaker A: Language that was lost, it was a.
[00:18:07] Speaker C: Written language, we could.
[00:18:08] Speaker A: And until a stone tablet was found that carried the same message in three languages, one of which we did understand, allowed us to clearly understand the others. And this is the concept that I.
[00:18:22] Speaker C: Look at between business risk and cyber risk, is that if you only speak.
[00:18:29] Speaker A: One of the languages, then you're going to always have difficulty explaining it to somebody who only speaks the other half. So you need to look at the.
[00:18:38] Speaker C: Two together and start to find a.
[00:18:41] Speaker A: Common lexicon so that you can marry those together and explain yourself in the other person's language, or at least explain the concept in a clearer language.
[00:18:52] Speaker B: I love that, and I think that's very relevant. So you mentioned before common lexicons. So is there anything sort of examples that you can give that you found with the nature of the work that you're doing, your experience that you think, well, we found common ground here by this type of vernacular or words or phraseology or terms or anything specific.
[00:19:08] Speaker A: So there are a few that I.
[00:19:11] Speaker C: Love to work on that I start with.
[00:19:14] Speaker A: Are things like zero day vulnerabilities? Because we consider that to be rather.
[00:19:20] Speaker C: Easy and to explain to somebody on the business side, to say, well, a.
[00:19:25] Speaker A: Zero day vulnerability is a vulnerability that.
[00:19:28] Speaker C: Somebody hasn't found a patch yet for.
[00:19:30] Speaker A: And you're using other technical language that.
[00:19:33] Speaker C: You think may be less technical to explain it.
[00:19:37] Speaker A: But in the risk world, in the.
[00:19:39] Speaker C: Business world, that's an unforeseen catastrophic event.
[00:19:43] Speaker A: And it's as simple as that.
[00:19:45] Speaker C: And anybody who works in traditional business risk, or as a financial executive, will.
[00:19:52] Speaker A: Understand what that means.
[00:19:54] Speaker C: In concept, same as a SIEM, we use SIEMs as a way to be.
[00:20:00] Speaker A: Able to track logs and to record information and see security alerts.
[00:20:06] Speaker C: People on the risk side use RMIS.
[00:20:10] Speaker A: Risk management information systems to do the same thing, to track risks and pull in logs from their financial feeds. So there are commonalities, and once you start to pull them together, you can do that.
[00:20:23] Speaker C: In the meantime, what I always recommend people do is use analogies, use very simple, common language that's built on an.
[00:20:33] Speaker A: Analogous concept that may be funny, maybe emotional, but paints a picture for the.
[00:20:39] Speaker C: Other person in a way that it.
[00:20:41] Speaker A: Will stick, even if they don't know what that technical concept means.
[00:20:46] Speaker B: I love analogies as well. I use them far too often. Is there any analogy that you have used in the past that you're willing to share that has resonated with someone that is not a security person?
[00:20:56] Speaker C: For sure.
[00:20:57] Speaker A: There are two that I love to.
[00:20:59] Speaker C: Use and one I would love to.
[00:21:01] Speaker A: Give credit for, but I can't remember who the CISO was who told me.
[00:21:05] Speaker C: It, so feel free to reach out.
[00:21:06] Speaker A: To me if it was you.
[00:21:08] Speaker C: But I had a CISO describe cyber.
[00:21:11] Speaker A: Risk to me and cyber resilience to.
[00:21:13] Speaker C: Me in this way. He said, I'm the driver of our vehicle, and all of our technology within.
[00:21:20] Speaker A: Our organization is that vehicle. And my job is not to prevent every ding and every scratch. And if the organization wants to prevent every ding and every scratch, then they have to wrap their car in bubble.
[00:21:34] Speaker C: Wrap, which would be very costly and ineffective to move quickly.
[00:21:39] Speaker A: So conversely, I'm there to prevent head on collisions.
[00:21:43] Speaker C: So when I talk to the board.
[00:21:45] Speaker A: I start off with that concept with.
[00:21:47] Speaker C: Them and explain that if you're driving a race car, you're going to get scratched up and you're going to get dinged, but what you want to avoid.
[00:21:54] Speaker A: Is a head on collision that stops you in your tracks. And all of the controls that I.
[00:21:59] Speaker C: Put in are not to prevent scratches.
[00:22:03] Speaker A: And dings, small incidents. They're there to allow us to control the vehicle, feel confident in the way.
[00:22:09] Speaker C: We're driving, and be safe from those head on collisions.
[00:22:13] Speaker A: So I like that as a global.
[00:22:15] Speaker C: Concept for explaining the idea that are we secure?
[00:22:20] Speaker A: Is not a fair question to ask of a CISO. The better question is, are we resilient, and how are we building up our organization to be cyber resilient?
[00:22:30] Speaker C: The other one I love to use, which discusses.
[00:22:33] Speaker A: I get questions often about the first.
[00:22:36] Speaker C: Thing an organization should do when they're looking at their cybersecurity program from the business side.
[00:22:43] Speaker A: And the example I use, or the.
[00:22:45] Speaker C: Analogy I use, I say that most.
[00:22:48] Speaker A: Organizations are akin to hikers in the woods. And if you don't know the state.
[00:22:53] Speaker C: Of your cybersecurity program, you're wandering around.
[00:22:56] Speaker A: In the woods with a blindfold on. And if you suddenly hear a bear.
[00:23:00] Speaker C: You will run, but you don't know.
[00:23:02] Speaker A: If you're going to be running toward the bear or away from the bear.
[00:23:06] Speaker C: You don't know if the sounds you're.
[00:23:07] Speaker A: Hearing are other hikers wandering in the.
[00:23:09] Speaker C: Woods, and you don't know how fast you need to go.
[00:23:13] Speaker A: And likely what's going to happen is you're going to underspend or overspend energy.
[00:23:18] Speaker C: To get away from that bear.
[00:23:19] Speaker A: And you won't know until one of two things happens. The bear takes a chunk out of.
[00:23:23] Speaker C: You or you take the blindfold off.
[00:23:25] Speaker A: So if you take the blindfold off and you measure and understand your cyber.
[00:23:29] Speaker C: Program, you know how fast you have to run to effectively get away from the bear, be faster than the slowest moving people in the pack.
[00:23:39] Speaker B: I love that. And as you were using that analogy, I was just thinking of bear. So I appreciate you. I appreciate you sharing that, because these are. Things are important. Maybe people are using these analogies. The first one, I know you said you stole it from someone else. We're not sure who it is. Please come forward if it's you. But these are the things, when you give examples like this, that people can actually start using part of their vernacular and starting to get in the mindset of using analogies.
And you make a great point before, Dan, around people saying, well, are we secure? That's a long, complicated answer. It's not a yes or a no. But then I don't blame people for asking that because they don't know any better. But then, unfortunately, security professionals can have a habit of making people feel silly if they're asking that type of question. Have you seen a bit of that?
[00:24:24] Speaker A: I have. I think it's a very difficult position.
[00:24:27] Speaker C: To be put in, because, as I've.
[00:24:29] Speaker A: Spoken to most security professionals on the.
[00:24:33] Speaker C: Side, they all agree that the only answers are, no, we're not, or I hope we are.
[00:24:39] Speaker A: There really isn't a way to say, yes, we are secure. And if you're saying that in full.
[00:24:44] Speaker C: Confidence, you either have a better budget than I did in the government, or you're lying to yourself because you really don't know what's out there.
[00:24:53] Speaker A: So as a security professional, you really have to be confident in your own skin to explain to your boss or.
[00:25:00] Speaker C: The board or both that I am not sure if we're secure, but I'm.
[00:25:06] Speaker A: Confident that we're resilient enough to get back up.
[00:25:09] Speaker B: So you mentioned before about getting the alignment. So I want to sort of maybe talk a little bit more on this and maybe get some theories from you on how people can better do this. With cyber leaders, risk managers can build a stronger bridge, or even a bridge at all between them in order to get that alignment, because then that alignment aligns with strategic business goals. So, going back to my theory before, and I've spoken to someone on the show off, very early days at times, security people have this theory that they're just there to practice security. It's like, well, actually, no, your job is to protect the business.
So you need to get on the same page or get on the bridge or build a bridge to understand the business. And this is the part, I think it is getting better over the last decade or so that I've been in this space. There's still a long way to go. So do you have any other sort of advice for people that maybe are not even on, haven't even thought about a bridge. How do people sort of get there? How do they build it?
[00:26:06] Speaker A: There are some short term ways and longer term ways. People love things that they can do today or tomorrow. So I'll start with the short term items, I think.
[00:26:17] Speaker C: And the first one is sit down.
[00:26:19] Speaker A: For a coffee with somebody at the head of one of the business units.
[00:26:23] Speaker C: Or your head of marketing or CFO.
[00:26:26] Speaker A: If you're in a position to do.
[00:26:28] Speaker C: So, but meet with somebody on the business side and ask them.
[00:26:32] Speaker A: My favorite question to always start off with is, what is the thing that if you got a call about at.
[00:26:38] Speaker C: 2:00 a.m. on a Sunday, it would.
[00:26:40] Speaker A: Get you out of bed and to the office?
[00:26:43] Speaker C: Because that's what they're afraid of.
[00:26:44] Speaker A: That's what they're most concerned about in the organization.
[00:26:47] Speaker C: And those are the risks, the KRIs.
[00:26:51] Speaker A: That you can help them drive. And if you can support them in.
[00:26:55] Speaker C: Those ways, you'll find ways to help.
[00:26:58] Speaker A: Build bridges to their unit and their sections.
[00:27:01] Speaker C: You'll probably also find financial support from them. And I think that those will become.
[00:27:07] Speaker A: Unofficial meetings at first.
[00:27:09] Speaker C: And then you have to get to.
[00:27:10] Speaker A: A point where you're doing regular cyber risk briefings with those leaders and with other areas of the business to find.
[00:27:18] Speaker C: Common ground, find ways in which you can support them in meeting their key goals for this quarter and ways that. [00:27:24] Speaker A: You are helping them reduce risk or can help them reduce risk. [00:27:29] Speaker C: They might not realize that just by. [00:27:31] Speaker A: Nature of having access to the Internet, they are costing the business money. Your team, your sock, is having to work to mitigate some of the activities going on. And if they don't understand how you're supporting them and how you're reducing risk. [00:27:49] Speaker C: For their department or their business unit. [00:27:52] Speaker A: It'S going to be difficult to align. So I think unofficial, then official briefings and discussions happen. [00:27:58] Speaker C: And then you need to get in line with some business centric risk metrics. [00:28:03] Speaker A: Your risk metrics have to be on the organizational's risk register. And if you haven't seen it, you. [00:28:12] Speaker C: Should find out who holds it. And you need to find a way to align with that and to get. [00:28:18] Speaker A: Your risks aligned with those top five. [00:28:22] Speaker C: Risks that the business is already focusing money and effort on. I mean, I look know you ask. [00:28:30] Speaker A: A chief marketing officer what their role is. [00:28:34] Speaker C: Their role is to help the organization make money efficiently. Your role as a CISO is to. [00:28:42] Speaker A: Protect the organization so that it can make money efficiently. You may see yourself and others may see you as the brakes of the car. [00:28:52] Speaker C: But I remember when I did tactical. [00:28:55] Speaker A: I'm going to jump into another analogy. When I learned tactical driving years ago in my government days, I had an instructor who told me the most important things in any vehicle. [00:29:06] Speaker C: It's not the engine, it's not the tires, it's the driver and the brakes. 
[00:29:10] Speaker A: The driver has to have enough skill. [00:29:12] Speaker C: To do the work, but the brakes are key, and the brakes serve two purposes. [00:29:17] Speaker A: One, they give the driver confidence that. [00:29:20] Speaker C: In an emergency, you can stop and you can avoid catastrophe. [00:29:25] Speaker A: But also it gives the driver confidence that they can control moving quickly in tight spaces. [00:29:31] Speaker C: It gives it maneuverability and agility. And if we start looking at our cyber programs as helping the organization move. [00:29:39] Speaker A: Faster in an agile manner, we can see how we're working in a business. [00:29:45] Speaker C: Centric focus, not as the stop brakes. [00:29:50] Speaker A: Area, not just preventing catastrophe, but giving the organization confidence to move quickly. I think that those business centric risks are another key one. [00:30:01] Speaker C: And if I had to lean on a third, my third go to is always going to be tabletop exercises. I think getting the nontechnical executives into a room together to discuss an aspect of how they would deal with a really bad day is the fastest way to get them to understand the role. [00:30:24] Speaker A: They have to play. [00:30:25] Speaker C: How quickly it becomes more than an IT problem when marketing has to figure. [00:30:32] Speaker A: Out what to do with customers and HR has to figure out what to. [00:30:36] Speaker C: Do if it was an internal user or not. [00:30:39] Speaker A: When you have to bring in legal. [00:30:41] Speaker C: And you have to bring in communications. [00:30:43] Speaker A: Or pr, when you have to decide who's going to tell that one employee. [00:30:48] Speaker C: That you know will tweet, I don't. [00:30:50] Speaker A: Have to go to work today because. [00:30:51] Speaker C: Our computers are down. You have to decide who's to talk. [00:30:55] Speaker A: And who's not to talk. That's not an IT problem. That's an issue for everybody. 
[00:31:01] Speaker C: And an exercise like that gets everybody. [00:31:04] Speaker A: Talking and understanding their role. [00:31:07] Speaker C: So those three are probably my quick key aspects that can be done to. [00:31:12] Speaker A: Build those bridges and help build confidence in that collaboration. [00:31:16] Speaker B: There's always that one employee. You are right. So what about more long term strategies? What would be your advice on that front? [00:31:23] Speaker A: So I wouldn't have a role within an insurer if I didn't say that? Cyber insurance conversations are a great bridging. [00:31:31] Speaker C: Point between the technical leadership and business leadership, because it has a financial ramification. [00:31:39] Speaker A: If your organization has a cyber insurance. [00:31:43] Speaker C: Policy, then that means at least once a year, everybody is concerned about cyber risk, even if they don't understand it. And I've gotten on calls before where. [00:31:54] Speaker A: A risk manager or a broker says. [00:31:57] Speaker C: I'm going to let so and so. [00:31:59] Speaker A: Speak because I don't understand this geek speak. It drives me absolutely bananas, because they've given themselves permission to just turn their brains off. It's an opportunity for people who are. [00:32:09] Speaker C: Interested to start to open up discussions about how we can be effective, how. [00:32:15] Speaker A: We can tell a good story, how we can show what we're doing, and how those cyber activities, the risks and the mitigation efforts play into the other business goals. So that's the first time I think that's a gimme. [00:32:30] Speaker C: It's automatically going to be there. [00:32:32] Speaker A: And then another thing I think is regular maturity assessments. [00:32:37] Speaker C: So if you're doing a. I mean. [00:32:39] Speaker A: We do, in North America, we see a lot of NIST assessments done. [00:32:42] Speaker C: That's kind of the big technical, technical. 
[00:32:45] Speaker A: Non technical assessment that gets done. [00:32:47] Speaker C: And the fault of that is that. [00:32:50] Speaker A: It'S very often in just technical terms. And I think what is very effective. [00:32:55] Speaker C: Is if you take something like a NIST assessment, and then you provide it. [00:33:01] Speaker A: With business concepts in it and the business relationship to each of those areas. [00:33:07] Speaker C: So how are my preventative measures going. [00:33:10] Speaker A: To impact the organization? What is going to happen with business resiliency if we can't get back up? Where's our business continuity going to sit? Where's business interruption on a per day basis if we don't get those systems back up and running? [00:33:24] Speaker C: And if you regularly assess the organization's maturity of the cyber program, you have. [00:33:31] Speaker A: Dual benefits in that you better understand. [00:33:33] Speaker C: Your program, but you also have an. [00:33:35] Speaker A: Opportunity to describe to the business what. [00:33:38] Speaker C: You'Re doing well in business terms, and. [00:33:42] Speaker A: Where there are still risks that somebody needs to own. And that's something that I think, on. [00:33:47] Speaker C: An annualized basis, could really benefit. And if you get good at those three, four, or five things, I think the key goal to reach is getting. [00:33:58] Speaker A: A proper multidisciplinary cyber risk committee standing. [00:34:03] Speaker C: In place that is discussing it, business unit leaders, risk managers, all in one team, discussing how different aspects of technology. [00:34:15] Speaker A: Within the organization are increasing risk, decreasing risk, how we can mitigate it, and who's going to own it. [00:34:24] Speaker C: And I think that one of the areas that could drive those committees in the coming months year is generative AI. 
When we're talking about things like the use of chat, GPT or bard, or any of those other large language models within an organization, it's a point in time where you could justify a short term cyber risk committee that could turn into a long term committee to discuss. [00:34:54] Speaker A: What the benefits are to the organization and what the risks are to using. [00:34:59] Speaker C: It or not using it. [00:35:00] Speaker A: And that would require people in all. [00:35:03] Speaker C: Areas of the business, because something like. [00:35:05] Speaker A: That is going to be seen as ubiquitous. [00:35:08] Speaker C: It's going to have a place in. [00:35:10] Speaker A: All areas of the organization. [00:35:11] Speaker B: Do you think as well, Dan, that each area within a business, they've all got their little nuanced things? So I've looked at my company's insurance documents, and there's been times when there probably still is like, what does that mean? And then you're getting some person that, again, is talking their own insurance terms. I'm an insurance person, so I need to understand what you mean by that. So I think that each maybe in cyber, we just have more, there's more technicalities in our world, which maybe gives the illusion that it is harder to understand or, yeah, it hasn't been around for long enough. Those are types of things that are coming from your mind when you're speaking, because each little business has their own lexicon and vernacular. But then I guess we're either more familiar with it, like accounting, like basic accounting stuff. But if you're getting into actuarialists and all of that, I would have no idea about the terms and how it works. So do you think that it will just be the time in hopefully sub ten years, but then also just the nature of the work that we do do. It is technical, it is complex. There is a lot of things that can confuse people. Do you think it's that? [00:36:20] Speaker A: I think there's a combination. 
It's a bit of the two. [00:36:24] Speaker C: I agree. [00:36:25] Speaker A: Every single unit in every area of. [00:36:27] Speaker C: The organization has their own language, has. [00:36:31] Speaker A: Their own set of acronyms coming into the insurance world. And I'm not from the insurance world. I entered into it a year ago. [00:36:38] Speaker C: And I remember the first time I. [00:36:40] Speaker A: Saw a policy binder. And even the term policy binder made. [00:36:45] Speaker C: No sense to me, and I had. [00:36:48] Speaker A: To go through a journey of asking. [00:36:49] Speaker C: Questions and being okay with feeling stupid. [00:36:54] Speaker A: Or the potential of feeling stupid, that. [00:36:56] Speaker C: I didn't know what terms meant. And you build bridges with people so. [00:37:01] Speaker A: That they're willing to share that information with you. People generally want to talk about things in which they're confident. [00:37:08] Speaker C: So if you go to them genuinely. [00:37:11] Speaker A: Wanting to understand what their part of. [00:37:15] Speaker C: The organization does and what they're measured. [00:37:18] Speaker A: On, and you'll find some of the. [00:37:20] Speaker C: Terms pretty quickly, you're going to find a champion in that area that will help support your growth in understanding that. And it's going to take a bunch. [00:37:30] Speaker A: Of different people for it to piece together. Naturally, before we have a formalized system where everybody has to learn a bit of everything else. [00:37:41] Speaker C: But in the interim, you find your. [00:37:44] Speaker A: Champion through a few free coffees, and. [00:37:47] Speaker C: You get to know people and what drives them, and I think that will help. [00:37:51] Speaker A: I don't think there's ever going to. [00:37:53] Speaker C: Be an expectation where a CISo is going to have to be able to. 
[00:37:58] Speaker A: Read actuarial tables, or even when a CISO is going to have to understand everything in the policy binder. That's why there's a chief risk officer, and the chief risk officer often even has somebody who specializes in insurance. [00:38:12] Speaker C: So there are concepts that are in. [00:38:14] Speaker A: That policy binder that the chief risk officer may not understand. [00:38:18] Speaker C: You have specialists, but if you can. [00:38:20] Speaker A: Understand more than half of it, you've. [00:38:22] Speaker C: Already made it that way. [00:38:24] Speaker A: You're starting to understand conceptually what's going. [00:38:26] Speaker C: On in that business unit, so you can help them. [00:38:29] Speaker B: Well, I guess there's going to be a lot of little bridges, just bridge to the chief risk officer and the bridge to the sizo. And those are the things that you're absolutely right, the specialists. If you're at a senior level, you can't know everything to the nth degree. That's why you have a team and you call upon them to bring them in to explain the concepts. You can't be across all of that. So I think this was really important for people to understand that you can ask those questions, not feel stupid. I ask people all the time, what do they mean? A really good friend of mine works in investment banking. What does that mean? I'm not afraid of feeling stupid because I'm not an investment banker. So maybe it's just getting into that mindset of being curious and asking questions when you don't know something. [00:39:06] Speaker C: I think that's key. [00:39:08] Speaker A: I come from the intelligence community, so asking questions is in my dna. The first thing I want to do is I want to ask people questions, get to know what drives them, what their interests are, what they're doing, what. [00:39:21] Speaker C: They'Re working on, and be inquisitive. And I think that's part of being a lifelong learner. 
[00:39:27] Speaker A: And the really successful C suite executives. [00:39:31] Speaker C: That I've met and that I know all have that in common, whether they're technical or nontechnical, they're constantly learning. [00:39:39] Speaker A: They're constantly trying to grow. [00:39:41] Speaker C: And if you're trying to learn and grow through books and through courses and. [00:39:47] Speaker A: Classes and certifications, you'll get very good at certain niches. But if you also try to grow through conversations with executive colleagues, you're going. [00:39:59] Speaker C: To get the shortcut to all of. [00:40:02] Speaker A: The knowledge that they've done over all of their training and certifications and books, and you'll get that topsoil level that you need to be able to speak like them and fit in without having to do all of the background. [00:40:25] Speaker D: This is KBCast, the voice of cyber. [00:40:29] Speaker B: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today. [00:40:37] Speaker D: This episode is brought to you by Mercksec, your smarter route to security talent. Mercksec's executive search has helped enterprise organizations find the right people from around the world since two their on demand talent acquisition team helps startups and midsize businesses scale faster and more efficiently. Find out [email protected] today.
