January 29, 2025

00:42:22

Episode 290 Deep Dive: Dr. Ivano Bongiovanni | How To Get The Most From Maturity-Based And Risk-Based Approaches To Cybersecurity

KBKAST

Show Notes

In this episode, we sit down with Dr. Ivano Bongiovanni, General Manager at AUSCERT, as he discusses how to get the most from maturity-based and risk-based approaches in the cybersecurity arena. Ivano delves into the importance of balancing both approaches to enhance cyber resilience, the role of organizational size and industry mandates, and the need for critical assessment of cyber risks. We also explore the challenges of decision-making in risk management, the impact of subjective judgment, and the significance of quality data sources. Ivano emphasizes a collaborative approach involving various organizational constituencies and the crucial role of effective communication and storytelling in cybersecurity leadership.

Ivano is the General Manager of AUSCERT. He is also a researcher, consultant, author, and speaker whose work focuses on the managerial and business implications of Cybersecurity.

A Lecturer in Information Security, Governance and Leadership with the UQ Business School and a member of UQ Cyber, Ivano helps business leaders and executives make evidence-based decisions in cybersecurity. With a professional background in risk and security management, Ivano’s work bridges the gap between technical cybersecurity and its repercussions across organisations. He has advised ministers, policy-makers, board members, and senior executives on strategies, governance structures, policies, and training programs for effective cybersecurity management. Ivano is also an experienced facilitator in the fields of Design Thinking and Design-Led innovation, having run more than 50 design-led workshops and longer projects for public and private sector organisations since 2015.

Prior to UQ, Ivano worked as a Research Fellow with the Adam Smith Business School (University of Glasgow) and a Postdoctoral Fellow with the PwC Chair in Digital Economy (QUT). In these roles, he worked with public and private sector organisations in projects aimed at facilitating their transition into the Digital Age. Ivano obtained his PhD from QUT in 2016, with a thesis on safety and security management in Australian airports. His academic career includes stints with Bocconi University and SDA Bocconi School of Management (Milan), where he worked as a faculty member and consultant for three years.

He also worked as a Deputy Venue Security Manager at the XX Winter Olympic Games – Turin 2006 and as a Police Officer for the Italian Ministry of Interior.

He has a double MSc in Management of Public Administrations and International Institutions (Bocconi University, Milan) and International Security (Sciences Po, Paris).


Episode Transcript

[00:00:00] Speaker A: I'm a big fan of the data governance concept. Sometimes I think that it's important obviously to invest in cybersecurity controls, but what about the foundations? Oftentimes we kind of patch the top of the pyramid and we forget about what's happening at the foundation. I think somebody once said before trying to change the world, get your house in order. I think that is absolutely applicable to the cyber world these days.

[00:00:31] Speaker B: This is KBKast as a primary target for ransomware campaigns, security and testing and performance.

[00:00:40] Speaker C: We can actually automate that, take that data and use it. Joining me today is Ivano Bongiovanni, General Manager from AUSCERT. And today we're discussing how to get the most from maturity based and risk based approaches in the cybersecurity arena. So, Ivano, thanks for joining and welcome.

[00:00:58] Speaker A: Thanks for having me, Carissa.

[00:01:00] Speaker C: Okay, so I want to start at a high level and then we can sort of get into the details. Let's like set the scene. So what would be your approach to getting the most from maturity based and risk based approaches to cybersecurity? Because I mean, look, I've interviewed so many people on the show, everyone has different versions. So I'm keen to hear yours.

[00:01:18] Speaker A: That's a bit of a hot topic at the moment in the GRC space, right? It's something that people have been discussing for a while and probably also with a bit of a dichotomic type of approach, if I can use that term, in the sense that there's a tendency to kind of compare and contrast them, say, well, either you do maturity based or you do risk based. The reality is probably that to get the most of these approaches, you need to actually complement them.
So my suggestion would be not just to get stuck into a maturity based approach, but at the same time not think that a risk based approach, which is probably something that is a little bit more recent in the cybersecurity space, and don't think that just risk based can really help you with doing things. You get the most when you manage to kind of balance them. Now there is also a bit of a conversation that probably needs to be had around maturity, size and budget of organizations as a starting point. Probably when a company doesn't really have much in the space of documented process to control cyber risks, probably a maturity based approach makes a lot of sense because without really worrying too much about what you are protecting, you can go through this quite basic checklist type of perspective where it's almost like a recipe, right? You can get a sense that you're on the right track if you tick all of the boxes of the maturity based model. So from a starting perspective, when companies don't really have anything in place, I think that is a good approach. Obviously as an organization gets a little bit more sophisticated, for example, their maturity and their cyber resilience goes up, then possibly a risk based approach makes sense. Especially when we talk about larger entities that have a lot of cyber risks, that have a lot of potential vulnerabilities, that have complex infrastructures, human factor being a big thing there, then probably a risk based approach is more realistic and can potentially be more bang for buck. Again, the big question there is being able to complement them. How do you do so? How do you really make sure you get the most of both approaches? Which in my opinion is really what should be the focus for organizations, really regardless of their size and their industry. Now it's also important to say that there are industries where an approach rather than another is kind of mandated.
So government actually asks organizations to adopt a maturity based approach. But again, overall there's a lot of choice and there's a lot of freedom for organizations to decide what best is and what is the most fit for purpose approach for them.

[00:04:11] Speaker C: Okay, so there's a couple of things in there which is interesting. So I want to go back to you said people are comparing them. So they're comparing them because they've got differences of opinions on how things should be done or they don't understand the difference between the two. What would you say that comes down to in your experience?

[00:04:27] Speaker A: I do believe that it's a little bit of a mix of all the reasons you gave before. I wouldn't say that people don't really understand them, because they're both actually quite intuitive. So I do feel like in the GRC space in particular there is a good understanding of what it means to adopt a maturity based approach or what it means to adopt a risk based approach. Probably when you talk to organizations it's natural, especially in the cyber world, considering that it is very difficult for us to establish what best practice looks like, to go and ask peers, hey, what are you doing in this space? And if you want to look and boil everything down to two big umbrella approaches, that's actually maturity and risk based. Also, it's important to consider that possibly organizations don't or haven't really managed to combine the two, complement the two together. Because you know, let's also be honest, it can be a significant investment that you have to do as an organization. And we all know that in the world of cyber risk management, we're talking about loss prevention. Now, from a business perspective, that is not a great area to be playing with because you know, companies are about growth, are about increase of share price or about increase of markets as well.
You want to invest money towards growth and so you want to invest the least amount of money in loss prevention. So considering also the budgetary constraints that cyber and the risk people in general have to face, there has been a tendency to say, well, we either do this or do that. Now, the value of a maturity based approach is quite significant when, as I said before, you don't really know what best practice looks like, because it's almost like it takes the thinking away a little bit. Right. You have your baseline assessment, you look at how you're faring, you set up the different controls. It's not always a matter of quantity, as in the more controls and the more sophisticated the controls, the more mature you are, but oftentimes it is. So from an implementation perspective, it's a relatively straightforward process that you have to follow. Obviously you're still going to need to take time and resources in making sure that you get those controls, those prescribed controls, right. It doesn't really require the same level of assessment that a risk based approach requires. So they do tend to differentiate quite a bit from that perspective, but that doesn't mean that you cannot do them both.

[00:07:04] Speaker C: Do you think people are very black and white towards this? So like you said before, do this or do that, whereas you were saying earlier that you can sort of harmonize them and they can complement one another.

[00:07:13] Speaker A: Yeah, I think people tend to be a little bit black and white when it comes not just to cyber risk, but when it comes to risk in general. Okay. Because obviously it is a little bit like, well, either you're covering for your risk or you're not. Then obviously there's different degrees in which you can mitigate either the likelihood or the consequences of your cyber risks. But it's a little bit like, well, either you do it or you don't.
The other piece that makes people a little bit black or white is that it is very difficult to obtain solid evidence to make assessments when it comes, for example, to a risk based approach. A risk based approach is just as good as the quality of the inputs that you utilize to assess your likelihood, to assess your consequences, or if you're adopting a more quantitative model, to really come up with the numbers that make your model function and at the end spit out for you an understanding of whether, hey, A, you are investing enough, B, you are reducing your risk by an adequate amount. So it is certainly, I would say, still more an art than science. We're getting there. There's a lot more conversations in this space. And look, even the fact that we're having these types of conversations, I mean it's something that probably 10, 15, 20 years ago we wouldn't really worry too much about. I mean back then cyber risk was probably just IT risk, more in general. These days, obviously, it has entered boardroom conversations. It has become something that, together with your workplace health and safety risks, your other operational risks, your financial risks, board members and executives in organizations have to take into account.

[00:09:02] Speaker C: Okay, so you made a great point around, you know, the quality of the inputs that are there, because things get missed. So can you give me an example of something? I mean, it doesn't have... It could be a real basic one, like even like driving or something like that. Just to paint the picture of, by the inputs and things not having all the details, how things could easily be missed. 100%.

[00:09:21] Speaker A: Look, we know that in the cyberspace consequences, obviously when you adopt a risk approach, you need two variables. You need to take into account two variables, right? Likelihood of an event to occur, say, of a cyber attack to eventuate, to be successful, and the expected consequences.
And usually obviously you tend to calculate those consequences in monetary terms. Okay, it could be the fines that you get if you are compelled by abiding by some specific legislation. It could be the business downtime. Unfortunately in some cases this could be also physical damage to people as a result, for example, of a cyber attack. And unfortunately, in the last couple of years we've seen instances like that. So the consequence side of things, I'm not saying that it's easy to quantify, but it's certainly easier because if you think, for example, okay, well how much would it cost our organization if we had, say, a two hour business downtime? You can kind of estimate all of that and come up with, you know, some numbers that give you an understanding. And if you cannot, you can actually, if you really want to be sophisticated, utilize tools such as Monte Carlo simulations that actually pretty much calculate all of the possible scenarios and give you a rough idea of where your monetary consequences should be. With the likelihood, that's where we really struggle, because we mainly assess likelihood of something happening based on factors such as: has it happened to us before, yes or no; has it happened to somebody else in our industry, yes or no; are there, I would say, systemic dynamics currently occurring that could increase the likelihood for something happening. I'll give you the, you know, very, very simple example that we've been using for a while. The Russia-Ukraine conflict has increased the likelihood for cyber attacks to Australian organizations because of all the geopolitical implications associated to that. Now, as you can really understand, it is still, I would say, a rough estimate. And again, that impacts the quality of the inputs that you have. In the physical world, we used to talk about black swans, which are those events that, despite all of our efforts in trying to predict the likelihood of an adverse event or estimate its consequences, they're kind of... Nobody could expect them, nobody could really think that that would eventuate. Now black swans are becoming more frequent with increasing complexity of the socio-technical systems on which we rely. I don't want to use a kind of mouthful type of term, but it is really the mixture of technology, complex technology, with human actions that creates that overall complexity that increases the chances for unexpected events to occur. So obviously all of this picture really gives an understanding of the fact that it is difficult to assess the likelihood and the consequences attached with cyber risks.

[00:12:30] Speaker C: Okay, so there's one thing I want to focus on. You said likelihood, so I agree. So I've worked in a GRC role before, historically, and sometimes when you go into these risk meetings, and it depends on who you're talking to, tech risk has a very different version of risk than business risk, for example, as you would know. So sometimes when you're getting into the likelihood stage, there seem to be very different opinions, as I just mentioned, where what business risk deems is likely is very different to what tech risk would think is likely. So how do people sort of find the equilibrium? So, for example, like you mentioned before about Russia-Ukraine, historically that may never have been as likely, but now it's, you know, a little bit more prolific, it's happening more. So people have changed that, you know, changing their mindset. But some people may think, well, this could be a huge risk, the likelihood may not happen, but therefore they're discrediting other risks that perhaps don't have as much of an impact, but they're a little bit more frequent. So how do you sort of piece all of this together?
Because there's so many variables to this as well.

[00:13:28] Speaker A: Yeah, look, I think there's probably two answers to your question. The first one is the fact that we've got to acknowledge that there is a significant component of subjectivity when we assess things such as likelihood and consequences. Again, think of something as simple as a GRC specialist working in an organization that has been affected by a cyber attack, that has gone through all of the pain that that entails, moving into another organization, and then having to do a similar type of assessment in the pre-event stage. Right. So that person obviously is going to take with themselves a significant amount of, I wouldn't say bias, but a significant amount of experience and knowledge that will shape the way in which they assess the likelihood of a specific event. I mean, if I've seen it before, I'm probably more prone to think, well, this could actually happen again in another organization. So there is certainly that level of subjectivity. The second bit, and again, I'm not going to get into personal biases because we would probably open Pandora's box and we would need a couple more podcasts just to unpack all of that. And besides, I'm not an expert in human psychology, but the way to kind of make sense of all of it is to try and stay as objective as possible. How do you do that? A, you cannot rely on a single piece of evidence. You need to get as many sources as possible. Now I know that if a CFO heard me, that would immediately translate into costs and expenditure, which could be, for example, don't just go and do, or base your assessment on whatever your single vendor is telling you, but try and get as many sources as possible. But again, it is important to kind of rely on solid evidence. The problem, as I said at the beginning, is that it is very difficult to get solid evidence around events that are very difficult to predict.
So as an individual, I think GRC specialists in particular, and risk people in general, you really need to be inquisitive. You really need to be someone that wants to go down and dig deeper and really don't stop at the symptoms, but really look at the root causes of events. Really never stop trying to learn as much as possible. So, you know, listen to podcasts like this. Get yourself some solid evidence from multiple sources and then you can base your judgment on that. Now, perfect judgment does not exist in cyber risk, unfortunately. What we can do is to try and get as close as possible to the best amount of evidence to make our decisions and base our assessments.

[00:16:24] Speaker C: So then on that note, you said try to get as many sources as you can. So how many sources are you talking? I know you said it's hard to obtain, but is there like an ideal number to get more of a well rounded sort of approach? Like what does that look like?

[00:16:37] Speaker A: I don't think it's something, I mean, I can't really attach a number to something like that because it really depends on the circumstances. And again, Carissa, we need to be realistic. At the end of the day, if we had unlimited resources, you could probably take a long time to prepare your preliminary inputs on the concept of establishing the context. For those of you that are familiar with ISO, that's really getting data, getting information internal to the organization. Because a lot of your assessment is driven by things such as the budget, the overall risk appetite of the organization and the staffing and things such as the organizational chart as well. Right. And outside the organization, which is where you get your threat intelligence feeds, you get your advisories and you also look at geopolitical, macroeconomic and other broader systemic factors to look into it. At the end of the day it's a project, okay?
So in most cases you have a limited time, a limited budget, you're going to have a deadline, especially if you know you're doing all of this because of compliance reasons. So it's important to also be realistic. You can't go on and on forever. But the important thing at the granular level is never stop having a critical perspective on the evidence that you're looking at. And that's why I think, you know, a lot of people that work in the risk space have this bit of a researcher type of approach to things, and even consultants that help, that there is that kind of ability to consume vast amounts of information in a relatively short time. But obviously using that in a pragmatic, realistic way so you don't keep going on and on and on.

[00:18:21] Speaker C: Okay, so you said before in terms of the variables, you want to get multiple sources to get different views on how things look, to get more of a, I guess, an objective approach. But then isn't it a double edged sword, because you're then dealing with so many variables and sources? And like you said, you can't keep going on and on. But as you're introducing more sources, which I get the intention for, but then isn't it like, well this is going to go on for longer because now I started with 20 sources and now I've got 70 and it can start to go on and on and on. So how do you find that balance between not overdoing it but then also not undercooking it?

[00:18:53] Speaker A: Yeah, I believe it is probably not just a matter of numbers. I mean, you could probably reduce it to the number of sources. If they are good quality sources, then you actually don't need to keep going on and on. It's needless to say that sometimes budgets drive all of that. So if you treat a cyber risk assessment exercise as a project, you're going to have roughly a dedicated budget, which is important to establish up front.
And obviously you're going to need to... you can't keep buying reports from outside because it's going to cost you money. The other bit that is important to remember is that this is not a solo exercise. That is why it is very important for cyber risk teams to work with other constituencies in the organization, be that risk owners, be that the risk department itself, be that IT, be that HR, to really create the right containers for the production of solid inputs and solid evidence. And again, I don't think that is tasking an individual to go do the research, put together a risk register, assess your likelihood and consequences, produce a heat map and then report back on that. I mean, I know that unfortunately the reality in terms of, you know, budgetary constraints often makes organizations do so. That is certainly not the best approach. The best approach in this is a collegiate approach or collaborative approach where a lot of subject matter expertise is brought into the conversations. And look, I think the issue is probably not so much the lack of subject matter expertise, it's more like creating the right containers. So having that person that does an oversight of the whole process, or the whole project, if you want to call it that way, that knows when to mobilize the different subject matter experts, that knows when it's time to go offline and produce, that knows how to collect feedback, that knows how to communicate the different stages of the process. I mean, ISO 27000, which is probably the best practice when it comes to risk management. And again, ISO 27001 is literally ISO 31000. That is the risk management, physical risk management as well, type of standard. So 27000 kind of applies the risk model and the risk process that is originally from 31000. The standard is very clear on the need for constant communication with all of the different stakeholders.
Now you probably can argue that that is going to increase the time spent in the exercise, but unless you have that internal buy in and unless you take some time to get everybody's inputs and the different voices, the risk is really to not do a good job in the end.

[00:21:57] Speaker C: Okay, so one thing that was interesting. You said if you can get a good quality source, then that's enough. So what would you define... Like, how do you define a good quality source? Like, can you give an example? Just curious to understand.

[00:22:07] Speaker A: It's very difficult to define what best practice looks like in the space. It probably boils down to common sense as well. Reputable sources tend, I would say, to be trusted because of the fact that they've done those exercises a number of times. Their bread and butter is really looking into producing reliable information and evidence for people to make decisions. Because at the end of the day, we're still talking about decision making 101. So I would probably say reliable, reputable sources. It doesn't have to be the most expensive vendor in the market. That's not what I'm trying to say. What I'm trying to say is that relying on brands that do it professionally, that have been around for a while, is important, relying on people's expertise. As I said before, it's really difficult to invent yourself in this space if you haven't done it much before. It is important to kind of get people that have gone through the process in the past. Now the downside of that is that they could actually bring some bias. So it's also important to balance the subject matter expertise with also an outsider's perspective when it comes to risks. Because things that might be taken for granted and might look obvious to someone might actually be a very, very different reality when things happen. And again, also try to look at the people that produce rigorous information as a profession.
So, you know, academic reports, research in the different areas, research in the different spaces. Obviously numbers help a lot because they allow people to quantify phenomena. So relying on statistics as long as they are, you know, they've been built using solid methods. And look, these days, really, any organization at the end of their reports includes, or most of them at least include, a quick note on how a piece of research was conducted, what was the sample size, what were the questions that were asked, and so on. So all of those are signals that probably you're looking at the right place.

[00:24:25] Speaker C: So you said something before, Ivano, around be realistic. Do you think people out there just aren't realistic, though?

[00:24:32] Speaker A: It really depends. I've seen organizations spend heaps of money to protect assets that were not worth the spend. Like, I'm not saying it's a judgment call. It is numbers, right? If you draw down the line and you quantify the value of those assets for the organization, then you ask yourself, well, why are you investing so much in all these? Is there somewhere else where you could actually potentially be investing? And you also have the opposite side of things, right? Some organizations that are not really investing in controls to protect the so-called crown jewels, or they're thinking that data or assets in general that they have are not crown jewels when they in fact are. One of the difficult things here is the lack of visibility that a lot of organizations have over their assets. And again, I'm talking about data predominantly. It's not the physical world anymore, where when you're protecting your house, you exactly know the valuable objects you have in your house, you know how much you spend for your TV, you know how much you spend for your, I don't know, jewelry, you know exactly what you have.
So obviously a traditional defence in depth approach can certainly be sufficient. In the digital world it's not like that. A, because it is incredibly difficult to quantify the value of data, incredibly difficult to modify the value of data, and B, because as I said, the organizations are so complex, so interconnected, that they often don't know where the data is. So going back to your question on not being realistic, sometimes it's difficult because again, there is no visibility around what you're trying to protect in the first place. And I'm a big fan of the data governance concept. Sometimes I think that it's important obviously to invest in cybersecurity controls. But what about the foundations? What about knowing exactly where is your PII, who has access to it? Or even non-PII data, commercial-in-confidence information? Again, where is it? Who has access to it in your organization, under what conditions, what are they doing with that data? Oftentimes we kind of patch the top of the pyramid and we forget about what's happening at the foundation. Probably being realistic means, okay, well let's take a step back before trying... I think somebody once said before trying to change the world, get your house in order. I think that is absolutely applicable to the cyber world these days.

[00:27:10] Speaker C: Okay. I want to move slightly to decision making. So do you think people, you know, they do all this risk assessment, they've got the reports, they've done it, but then people just can't make a decision in terms of all of the people that are involved. Right. Because it's not necessarily just one person making a decision. So how does that sort of look then? Like how do people... Because then I mean I've been in these conversations in rooms of 15 different people and we can't agree on anything because someone thinks this, someone's trying to protect their project, another guy doesn't know what's going on. Like how does that sort of sit then?
Because that's then getting into managing expectations. And you know, you're there from a security function, you're there to make sure the business still operates and not slow them down. But obviously you've got to manage risk and all of these things. That's where it gets really difficult.

[00:27:55] Speaker A: Yeah, it is, and it probably goes beyond the cyber realm as well. I mean, there's a lot of tricky conversations happening at the organizational level. And it's not just cyber. As I say, sometimes it's finance, sometimes it's workplace, sometimes it's HR. With the cyber world, obviously we are relatively new, I would say, to this type of conversations. So, you know, until some years ago, it would have been very difficult to predict that a role such as the CISO was created and, guess what, that person now reports to a CIO or even more so to a CEO directly, and that person goes and talks to the board. So I think we are getting there. We were very new. We shouldn't forget that as an industry, as a profession, as a transversal, we're very new in organizations. So the communication side of things, I believe, sometimes is always there. So I believe that it's actually very, very important to have people help us know how to articulate ourselves, know how to get that essential buy in. Because at the end of the day, when you have risk conversations, it doesn't really matter if the owner of the whole process is the CISO or the CRO, if you have a CRO. The important bit is that everybody else in the room, everybody else in that container that you have created up front, knows that at the end of the day there's going to be someone making a decision, regardless of all of the evidence that is brought into play.
I think as long as that decision making process is crystal clear since the very beginning, and as long as everybody knows that, hey, in case of contradiction or in case of stalemate, this person will make the final call, I think things can actually work very well. The struggle that cyber professionals in organizations have always had and are still having is this fight for relevance. That's why we used to talk about the fact that, hey, we're perceived as just being the office of no, because we're all about security risks. And if we're in doubt, we're just going to shut things down or we're not going to approve a process or an application to be installed or whatever that is. I think we need to kind of be also a little bit self conscious of where we're coming in and work on getting that essential buy in. That is fundamental.

[00:30:28] Speaker C: So the other major question I have for you is risk acceptance. So, for example, we've done all the risk process, deliberated for days. We've come to a conclusion. Then the person, the service owner, the general manager, whoever it is, just accepts it. Now I've been in those rooms before when someone has accepted it and they do not know what they are accepting, because they needed their project to run on time because they wanted to get their bonus for the year. And that is a real example. How do you then have these conversations with people who are responsible for that particular service or whatever it is? Because they're owning it, but they still say, great, thanks for all that stuff, Ivano, your team's done a great job. But I'm still going to accept it anyway. And they don't really understand what they are accepting. How does that conversation go?

[00:31:11] Speaker A: Yeah, that's a very good question. And look, I think it goes back to a little bit of what I said before.
Now first of all, I would not want to get myself into a position where I simply follow a process and then I let the decision come out almost mathematically from the process. So if I am afraid that the CEO is going to say no, and I know that that's the right decision to make in terms of, for example, investing in a specific control, I want to have the conversation well in advance of the production of inputs and the production of evidence and so on and so forth. Because obviously you don't really want to just go down the rabbit hole of saying, oh my God, I've done all of this work, and at the end the result is something that I'm actually personally not really confident with. So establishing a trusted relationship with the decision makers, whoever they are in the organization, is something that has to be done relentlessly. That's a daily job. There's not something that you sell and forget. You can't think that people are going to hold you in high regard forever. You're going to need to work on that. There's no escape. I mean, honestly, if somebody could tell me how to do that in an efficient way, I would love to hear it. To me, it's just that constant conversation, being that the informal meetings, be down, coffee machine type of conversation, all that. You really need to build that trust and relationship. And then look, I mean even decision makers, I understand when you bring up the fact that sometimes business goals are in conflict with the risk and risk evaluations. But again, you know, especially at high leadership levels, you would expect that we're having good leaders, we have good decision makers that realize that, you know, in some cases, no, unfortunately, is the only answer. And that's the first bit. The other bit is also, you know, risk acceptance in itself is not a bad thing.
I'm not trying to push the conversation around "you need to invest in all types of risks". But obviously the question then is a step before: are we clear about what our risk appetite is? Have we agreed on what our risk appetite should be? Because then obviously, if you have that clear in mind, even as a CISO, and then you produce your evidence that shows you that, hey, you know what, this particular type of risk doesn't really exceed our risk appetite, then you yourself have to be okay with making the decision that in this case we're going to accept the risk. We know that you cannot possibly cover against all risks. It's a prioritization exercise. It is something, again, that probably in the cyber world we're not traditionally very used to doing. That is why I'm a big fan of working with the risk people, working with the risk department, working with all of that. And there's actually mutual benefit in that, because risk management as a discipline itself, I actually have a feeling that before the explosion of cyber as an area, it was going through a little bit of a crisis, right? So you know, we've seen companies cut in the risk management space. We've seen the investments somehow go down. Obviously that depends on the industries, right? If you're talking about asset-intensive industries, I'm talking about the likes of mining, aviation and so on and so forth, obviously it's there. They hadn't really touched things as much. But you know, one of the first things that you cut when you are an organization, if you have to cut, is probably covered in four losses, because of the nature of the discipline itself. Now cyber has actually brought the conversation on risks much more prominently. Right. So you look at, for example, SOCI: obviously the idea is to have an all-hazards approach. It's not just cyber risk. We still have to cover for safety, we still have to cover for finance, we still have to cover for all other risks. But now cyber is up there as well.
So all of a sudden I do have a feeling that there has been a revamping of the importance of risk departments within organizations. I think that there's potentially a powerful alliance. And what we should also understand in the cyber world is that risk professionals in organizations are the ones that can really help us articulate our narrative for non-cyber business people. Because they've done it for years. Again, there is this interesting parallel you can build between the physical security and the physical safety world and the cyber world. The trajectory is incredibly similar. We just came to the same steps much later because of how novel our discipline is.

[00:36:04] Speaker C: So Ivano, where do you think, if you had to boil it down to the main issues that people struggle with? And I know we've gone on a little bit about multiple different things, but would you say it comes down to that narrative, that storytelling, you know, showing people in a way that makes sense, like you're saying, comparing it to physical risk? Because again, sometimes cyber and tech and all these sorts of things are hard because people can't see it necessarily, but they can see physical things, for example. And that's why we always in this space defer and use analogies from, you know, locking your house and all those sorts of things. But what would be the main things from your perspective that people would struggle with?

[00:36:39] Speaker A: Would you say the storytelling component is there? I agree with you. There is probably a lack of, and again, I'm generalizing, I mean, I met sales that you would just listen to for hours because they know exactly how to articulate themselves. They know how to speak business. Or it's really, I'm not trying to tell everybody, but there are situations in which you do feel like the storytelling side of things is a little bit missing.
The communication side of things is a little bit missing. But at the other end, that's not sufficient in itself. At the other end, we still have to be able to produce solid evidence because, you know, I mean, you can't go to your CEO or a CFO with a business case for an investment in a security control where there is just purely shiny stuff and there's no substance to it. We need to complement the two: the communication side of things, but also the substance side of things. Probably that also speaks to the type of skills that we want our cyber decision makers to have. We probably need to work a little bit on becoming a bit more T-shaped type of professionals. Traditionally, cyber leaders come from, you know, deeply technical expertise, which is absolutely important. I would say it's absolutely fundamental. So having that kind of subject matter expertise, but then also shaping the top part of your T, which is all of those transversal skills such as communication, such as soft skills, even if we know we shouldn't call them soft skills, such as, hey, understanding how finance works and why the CEO might actually say no. Being interested in the broader picture of the business. When I speak to cyber audiences, I always tell them, do not forget that you are a drop in the ocean from an organizational perspective. I always mention the 10% of 10%. Again, it's a super rough estimation, but usually the size of a cybersecurity department, in whatever organization, is 10% of the 10%, and the first 10% is the size of the IT department, which is 10% of the whole organizational size. Right, so we're talking about one person out of 100. Now, obviously, give or take, this is not absolutely perfect statistics. It depends on organizational size. It doesn't really matter. What matters is that the takeaway is we are a minority within the organization.
So obviously it is very difficult for a minority to go on the roof of the building and start screaming at everybody, hey, just do as we say. Because we know we are, from that perspective, in a bit of a disadvantaged position. That's why I stress the fact that we need to build the transversal skill sets that help us be more effective at communicating, more effective at understanding what our position with our business is. And guess what? In most cases, businesses are not about cybersecurity. They're about, you know, selling products, they're about selling services, about all of those things. So be realistic about that, and also be good at producing the right evidence that gives substance to our arguments.

[00:39:56] Speaker C: So, Ivano, do you have any closing comments or final thoughts you'd like to leave our audience with today?

[00:40:01] Speaker A: Yeah, look, you probably understood that I'm quite passionate about the topic. I think it's an incredible, exciting space to work in, and in the learning that you can achieve. I have daily conversations with people that blow my mind in terms of what they see and what they've done, the trajectory they've gone through. So just maintain that willingness to learn, that curiosity, that excitement about what you're doing. The moment you feel like you're losing the excitement, that's probably the time to step back and reflect. And we know it very well that burnout is a significant problem in our profession, especially for CISOs, because of the amount of responsibility and the amount of stress that they need to go through. So I have heard this over and over and I absolutely second it: when there are, try to listen to the weak signals. If the excitement is there, if the willingness to get things done in the right way is there, perfect. Just keep going. Just keep learning. Maintain the curiosity.
If you feel like there's, you know, little warnings here and there about how much you love what you're doing, about the struggle you're having, that's probably important. Not probably, it's important to then step back and reflect: okay, do I have to take some time off? Do I have to search for some support, and so on and so forth. Baseline: it's a great profession, it's a great industry to be working in. And again, we need to keep going because, you know, it's undeniable that the progress that we've had has been mind-blowing as well.

[00:41:40] Speaker B: This is KBCast, the voice of Cyber.

[00:41:44] Speaker C: Thanks for tuning in. For more industry-leading news and thought-provoking articles, visit KBI Media to get access today.

[00:41:52] Speaker B: This episode is brought to you by mercset. Your Smarter Route to Security Talent. Merksec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on-demand talent acquisition team helps startups and mid-sized businesses scale faster and more efficiently. Find out [email protected] today.
