[00:00:00] Speaker A: Threat intelligence, it becomes a business capability, not a report. It becomes a well tuned crystal ball of what could possibly happen if you use it properly. Not just the crystal ball that shows everything happening in the world.
[00:00:17] Speaker B: This is KBKast as a primary target.
[00:00:21] Speaker A: For ransomware campaigns, security and testing and performance and scalability, risk and compliance. We can actually automate that, take that.
[00:00:28] Speaker C: Data and use it.
Joining me now is Joe Colzipoli, field CISO at Cosive. And today we're discussing the boardroom view of cyber threat intelligence and speaking the language of risk. So, Joe, thanks for joining me and welcome.
[00:00:44] Speaker A: Oh, thanks for having me. I'm excited to talk about the boardroom view of cyber threat intelligence and how to translate signals and intelligence into decisions leaders can act on.
[00:00:54] Speaker C: Okay, let's start there. Now, maybe I want to get a little bit more understanding for yourself, Joe, on the boardroom's view of, of risk and how do you see it?
[00:01:02] Speaker A: So when you sit in the boardroom, when you're talking to the board, risk doesn't look like patches, firewalls or threat actor names, APTs. It looks like, will this stop us from serving our customers? Will this cost us revenue or reputation? Will regulators come knocking? Boards want clarity on how a cyber risk could impact their enterprise value, whether that's revenue, trust, compliance or strategy. They care about how long a service might be down, how many customers could be affected and what the range of loss looks like. In short, they see risk in terms of business outcomes, not security activity.
[00:01:41] Speaker C: Do you think people just get bored of hearing about we've blocked X amount of threats or their eyes glaze over? Like at the end of the day, when you're in a board position, you're not a cyber person. So, like, whilst cyber security people care about that, majority of these people in this room don't. Yes, the risk element of it for sure. But do you think people just go on and on about all these other technical details that these people in the room don't care about?
[00:02:02] Speaker A: Definitely. And that's where soft skills come in to be able to translate that into their language. So we all hear this now. Talk the same language as a business or talk the same language as what layer you're talking to. Because if you talk at the wrong layer, at the wrong language, you get sent down to the layer you should be at and then that doesn't give you outcomes.
So you can do a flashbang dashboard and show all these widgets and have all these numbers on it, but if it doesn't actually translate to anything that the board can understand because you might be there to explain it for that 10 minutes you have. But then when they go away back to their desk and they're like, what was the size they're talking about again? What was. How are they going to understand that still? Right? So it needs to be, yes, you can't lose them at the moment, but you also can't lose them half an hour later when they're back at their desk looking at, doing a review of the meeting.
[00:02:59] Speaker C: So the cyber dude or woman rolls into the boardroom, says, hey, this month we blocked 40 billion threats. Just making a number up. Do they then go on to say, hey, and this is what this means in terms of translation? Do you think people stop at the "and this is what I mean by this", or do you think people are just very focused on, hey, we do all this cool stuff, we blocked all this stuff, then forget about the byproduct of doing that?
[00:03:22] Speaker A: So I think the good, the good ones will actually say the outcome first by the 4 billion threats we blocked, not we blocked 4 billion threats by XYZ widget, XYZ tool. And this saved us X amount of dollars or increased our productivity of our analysts by, you know, 20%. So they should lead with that and then say the how. But the why is the most important.
And sometimes you don't even need to say the how. And they probably don't even want to hear it. But we do have some semi technical people now in, especially in the coming generations, they're not going to be all grumpy old board members, right? They're actually going to be in the field or around the field at least. And it's been on the news a lot. So you just got to read the room, right? But the good ones will lead with the outcome and the why. And then if it comes to it, talk about the how.
[00:04:20] Speaker C: So when you say good ones, would you say, given your tenure in the game, would you say most people that are at that level who are in the boardroom talking to these people, they are the good ones? Or would you say like it's kind of 50, 50, there's some good ones. And look, we're not saying the other people are bad, we're just saying maybe their social skills could be improved.
[00:04:40] Speaker A: I'm not saying they're bad at all. They've kind of maybe come up through the ranks, starting as a SOC analyst, going into the weeds, staying in the weeds, leveling up to be an architect, leveling up to be a manager, leveling up to be then eventually, maybe a CISO.
[00:04:53] Speaker D: Right.
[00:04:54] Speaker A: So they've kept their technical chops and I've got my technical chops and I've got a mixed range of technical chops. Not all in cyber. I've done infrastructure and cloud as well.
So it's been able to then. And I think it's a skill that you can't teach. Just probably takes practice. There's lots of books and courses, obviously, but it just seeing that when you actually hit a nerve and make an impact by the language you talk, not just what you do and what the tools have done, it's about translating that to the field. So when I say the good ones and they're not necessarily the bad ones, they just. That's just what they know. So it's about maybe mentoring them and yeah, I would say 50 50. And it's getting better. There has been a lot of talk and, you know, on social media and in the field, at events, at, you know, soft skills are becoming one of the most important tools. And that definitely had that switch definitely flipped during COVID when we were all online.
I think soft skills became a big skill to have because you're just talking over video in those, you know, couple of years and even now, right, everyone's hybrid still. Most people are still hybrid. So soft skills is, you know, at the forefront now and one of the most important skills to have.
[00:06:08] Speaker C: So have you ever been in a boardroom where some cyber person said something, not thinking, and it's completely triggered the board? Like, whether they're stressed, they're alarmed, they're confused. Have you ever seen that in terms of someone said something bringing forward their technical chops to your point, and then completely just lost people? Yes. But they felt, wow, I have no idea what this guy's talking about. And what he's saying sounds really scary once or twice.
[00:06:37] Speaker A: And it was intentional.
That one time I did say there was an intent to do that. They were trying to do the FUD, the fear of, you know, unknown. But yeah, it's rare because what they think is and what they know is a heart attack moment.
[00:06:54] Speaker D: Right.
[00:06:54] Speaker A: A big alert moment, like a big thing that's happened. The board's kind of gone, okay, what does that mean for us? Type thing. So, yes, I've seen on one or two occasions where they have actually alerted the board to take action. And that was because it was a peer in the industry that the issue occurred with. So it wasn't just, oh, this happened to Optus or this happened to Medibank, and it wasn't relevant to them. It was something very relevant to them. And that actually caused even some of the board members to call their peers and ask actually for more details.
[00:07:29] Speaker D: Right.
[00:07:29] Speaker A: It wasn't named because you can't obviously name other peers, but they kind of put the pieces together.
[00:07:35] Speaker C: So I want to talk about assurance now when I ask you that question. So, for example, if you go to a doctor, I'm not a doctor, say, hey, my arm hurts, I mean, I don't know, working out a lot. What do you think it is then? Obviously at times, doctor, use their technical terminology, which we as patients don't understand, then they'll say, okay, well, now you got to go to see these things, and I'm seeing this sort of thing on your X ray and they're going to take this medication that's super long and all these sort of things. But they give you that extra layer of assurance. Yes, they talk in their vernacular, but then they sort of tell you, okay, well, what does that mean to you as the patient in terms of the discourse in which they operate in.
So talk me through about how do people out there give that assurance towards like, yes, they have to talk about certain terms to be able to communicate that this person knows what they're talking about, of course. But they also have to remember to switch it to another gear to be like, okay, well, how does this impact you? What does this mean for you as a board member, all those sort of things to provide that assurance?
[00:08:35] Speaker A: Well, again, it's talking about the why. And so the why would be we've saved X amount of dollars or we prevented X risk or we reduced the risk. So you talk about the why. And in that there might be some technical terms that you do have to say because you can't actually help it sometimes.
[00:08:54] Speaker D: Right.
[00:08:55] Speaker A: A firewall's a firewall. You can't say a big shiny box that says yes or no.
[00:08:59] Speaker D: Right.
[00:08:59] Speaker A: You need to say what it is.
[00:09:01] Speaker D: Right.
[00:09:02] Speaker A: But then you need to explain that because we've done this, that's what happened. So that's because we need to do this, because this isn't. This is in the budget. Because if we don't do this, then if you look at company X, it could happen to us as well, and then look at what happened to their reputation, and that's what they'll care about, obviously, because that impacts the stock market and that impacts everything. So, yes, you need to act like that good doctor that doesn't jump to conclusions either, because there are some doctors that jump to conclusions and you go in there with a migraine and they say, oh, it could be a brain tumor. Like, some doctors will do that and some will have more EQ and say, well, let's do a scan. Have you tried Nurofen? Have you tried X? Have you tried Y? But let's do a scan because, you know, we want to catch it early, and if we catch it early, then everything's going to be okay. All right, so that's what you kind of need to say. Like, if you do this, we catch it early and then everything will be okay. But it's not, as you know, with cyber, it's never 100% secure and it's never 100%. That's it, it's finished, stopped. We can go home, don't worry about it. It's always evolving, and especially with AI threats. Yep. I had to say AI. It's an ever spinning wheel.
[00:10:16] Speaker C: So, Joe, just moving on, maybe 2 millimeters, you say speaking the language of risk.
Now I want to get into this a little bit more because, you know, a lot of people are sort of saying we're going to speak the language of the board and the risk and, you know, all the sort of stuff we've already discussed here today. But what then would you deem as the language of risk in terms of, is there specific words, is there a specific tone that people have to use?
[00:10:43] Speaker A: Yeah, like to me, when, when I hear that and how I think about it is it just ties technical risk because we're in a technical field, so ties technical risk, technical issues back to the business. So that means talking about dollars, hours, customers affected.
It means being clear about what we know, what we assume and how confident we are. So, and most importantly, you know, every risk should be a statement that ends with what decision do we need to make, who owns it and by when? That's the language of risk outcomes, not acronyms.
[00:11:18] Speaker C: I've also heard that some cyber folks now over the course of my interviews over the years, people have sort of said a lot of these cyber people don't really know how their business makes money. Right. And by doing that means you can reverse engineer it by, okay, we make money by selling pool equipment or whatever. It may be something super basic. Right. That's how they generate the revenue. And then of course, you've got to protect it. But there's people like yourself come on the show that says people in these cyber divisions don't actually really know. So it's really hard for them to talk about things and contextualize things like the Dollars and this sort of stuff. Have you seen that in terms of a gap?
[00:11:55] Speaker A: Yes. And going back to an earlier point, the ones that are well astute and a bit more, maybe experienced, maybe with more of a mixed experience in the field, will know just to do their research. It's just basic research. Even when you're applying for a job, you go, okay, what does this company do? How do they make money, what would they see as their risks, who are their peers in the industry, etc. So it's about just doing that basic research and then when you're writing your reports, when you're doing your boardroom reports, board reports, you want to tie everything back to that, to the core of the business, the vision of the business. Yeah.
[00:12:30] Speaker D: Right.
[00:12:30] Speaker A: So you want to tie impacts to what outcomes to what's most important to the business. So if they're a pool cleaning company, then you're not going to talk to them about, I don't know, share prices for investment banking or something?
[00:12:41] Speaker D: Right?
[00:12:42] Speaker A: You're going to talk to them about, okay, well, the outcome is going to. If we get impacted by our cyber, you know, breach, then that could mean our retail is down, our shops are down. So then that means we can't sell stock or if our distribution center gets attacked, somehow our inventory system gets attacked, then how are we going to be able to service the stores that sell our stock? Not. Oh, but what's going to happen if it moves, you know, it could move 10 cents to our share price. For investment bankers type thing, you got to relate and you got to tie it back to the business and to their vision statement and to their mission statement too.
[00:13:21] Speaker C: So would you say, given what you're saying, what I'm hearing is that at times people lack context. Context being, hey, like you don't need to go on about stuff in the financial services because we're in the retail sector. So yes, whilst that's important, we should be across it and it's an adjacent thing to us, but it doesn't really impact us in terms of context. To convey messages to board members, for example.
[00:13:42] Speaker A: Yes, exactly. And that comes back to what I do at Cosive. Right. So there's a trillion threat intelligence feeds coming into everyone's SIEM and SOC. So my job is, when I talk to the C suite or to cyber executives, it's about, okay, what we can do is we can fine tune your threat intelligence platform to only have the feeds that are relevant to you and to your industry, your vertical, not banking when you're in retail or vice versa.
[00:14:12] Speaker D: Right.
[00:14:13] Speaker A: So context is again, back to that soft skill as well. Just reading the room, having the context in your report, in what you say, on what level you're talking to, whether it's board, whether it's SOC analyst, that, oh yeah, that alert isn't important when it could be.
[00:14:31] Speaker D: Right.
[00:14:31] Speaker A: So yeah.
[00:14:32] Speaker C: Do you think as well that at times people just try to boil the ocean with all of the risks? So it's like, yes, okay, like at the end of the day I could go out, get hit by a car. As we've all heard that saying, I could go out, you know, a random alligator where I live in Florida attacks me. That can happen. Probably rare though. Right.
So the thing is, do you think at times cybersecurity practitioners just have this thing for just trying to say everything, cover all bases, all of the things, when it's like we actually have to roll this up a little bit more, understand what's realistically going to happen. And yes, all of the things could happen.
But there is a, there's a scale of and there's a spectrum. But do you think people, I've just seen people get in the habit of just trying to tell you every single thing and then as a result, people are overwhelmed by hearing 50 different thousand sort of routes to potential risks.
[00:15:19] Speaker A: Definitely. And that goes back to one of my earlier points about they try to use fear to get their budget, to get their point across, to get approvals.
So they think if they put every single fear and threat under the sun as their context, that'll get. Oh, people will stand up and listen to them.
[00:15:37] Speaker D: Right.
[00:15:38] Speaker A: Stop and listen to them. When it's not. It needs to be relevant. That's what's going to make the most impact. Because yes, in that 10 seconds, 30 seconds that you're talking to someone about that, then they'll walk away and go, hang on. But that isn't really important to us. Have they even read our risk register or risk statement, you know, in the business to say what's important to us, what's our risk appetite? So, yes, definitely. And that probably comes back to the more old school cyber professionals, the house of no, the department of no mentality where, well, they have to listen to us because all these things can happen. Look what happened to customer X, look at what happened to customer Y. So definitely that's changing, hopefully. And again, I talk around that as well as the whole soft skills thing. And that comes back to soft skills too. Because soft skills isn't just how you talk. It's about reading the room, it's about having the context and it's about talking the right language at the right layers.
[00:16:39] Speaker C: So just to double click on this a little bit more. Did you say someone does that? No context. Trying to say all the things. Doesn't. Isn't. Wasn't super prepared. Doesn't that get people offside?
So what I mean by that is obviously in a podcast I'm actively listening to you, I'm not on my phone in the background, all that sort of thing. I can tell when someone's in an interview because I'm sitting beside people all the time doing these sort of things that they're not listening because they're not asking like follow up questions. They're not doing certain things that can get the interviewee offside. So don't you think that people just not doing the rudimentary basic research, contextualizing things so it makes sense that gets their somewhat counterparts but they're, you know, higher ups, annoyed to be like, well why are we paying this person? Because they actually made me feel worse after going from the meeting than before because they just didn't make it easier. It's convoluted, it's all over the shop. Like I've seen that a lot as well. So do you think people think about if I don't come into this prepared, headshotting, exactly what I'm going to say. Not just, you know, scattergun, wherever I'm going to get these people to probably not like me and therefore when they don't like me, could get rid of me or they're probably not going to give me any money for the division that I need.
[00:17:51] Speaker A: Or even worse, they're going to bypass security and involve us in projects early on. They're going to come and bring us in late just to say, well hurry up, hurry up, the CEO's waiting, sign it off. The CFO's already signed it off. Don't block us now. Just read the document and let's go. Right, so that's even worse, right? So yes, you might not be liked, but if you're not liked for the right reasons, because you're giving context and because of that you slow down a particular project, that's okay, you actually help the business and that'll be appreciated later. But if you just come in scattergun, nuclear bombs, come in, whatever, right? Then they're going to be like, oh, Joe again. Yeah, look, is there a way we can just get sign off? He's just going to say no. Like he's going to come and say no, you can't do that, it's too risky. And then you might lose your job at the end of that, obviously. But worse is you're there and you're not listened to. You know, you're not appreciated because you've got the wrong view, you've got no context. You're seen as someone that doesn't research, doesn't think thoroughly, isn't willing to step back three steps to say, okay, hang on, let's look at the big picture of this and put the right context in. So all those things you said are true, that you might not be liked or you won't be liked, you won't be respected as much. But then also what's worse is the whole security department could be bypassed at times because they're just going to say no anyway. Let's just give it to them last minute. We won't involve them early as part of the project to help us through the project. Instead, quick, sign it off.
[00:19:24] Speaker C: So, CFOs. I want to get into that side of things because they're the person with the money bag and the money bag is the one that brings in vendors and services and all the people's pay rises and all the good things people like to talk about. So my brother in law is a CFO of a retailer back in the day, so I've heard his view over the years. So I'm keen to maybe understand. They care, primarily speaking, about how the business burns money and how it makes money. It's their job, they've got to control that so the business doesn't go bankrupt. So how would you say, with what you do, what sort of language or what are some of the tactics that you've used to really get this CFO over the line? Because they're a numbers person, right? And sometimes there's overlap in terms of how brains think with security people and CFO sort of people because it's numbers, but there's still that lack of context because they don't understand, hey, why is this apparent firewall company costing us a million bucks a year? I don't even know what it does. But then if you try to explain it to them to the nth degree to justify the cost, they're like, okay, I'm bored, I'm lost. Like, even when people ask me really rudimentary things outside of the security space, they're like, oh, you've lost me. And I'm not even getting into some of the intricate details that these people that are buying these products and services have to get into. So this has been a big one that I'm always very curious about. So I want to understand your thoughts.
[00:21:17] Speaker A: So CFO cares about cost, right? So they do cost benefit analysis. They're accountants, they work out. Okay, how many pennies does this translate to and what does that translate to?
The business as a whole.
So when you're talking about, say, a firewall renewal or a SaaS cloud product that's got a three year license renewal coming up, again, it comes back to the why. But the why is in, okay, well, this is going to cost us X amount of dollars if this happens. And the chances of this happening is 70%. If we implement this, it'll come down to maybe 40%. Yes. It's not 100% because you explain to them that nothing in cyber is 100%. True.
[00:22:03] Speaker D: Right.
[00:22:03] Speaker A: But we're reducing the risk by 30%, which could then tie back to later costs or damages. And I'm not a CFO. I don't know all the language that they talk. But you just want to try and at least come to a common ground and common language to say, look, by implementing these firewalls, we're going to reduce the risk of this happening by 30%. That'll translate to a 30% saving because the productivity is better. There's less overtime that may be needed if there is a breach.
[00:22:35] Speaker D: Right.
[00:22:36] Speaker A: So you can talk in that sense. That would be the best way to do it. But also another avenue I like to take is to socialize it. Instead of being all formal, talk to someone in accounting, in procurement that you know. How does the CFO take this? What would their view be of this? You know, what would be the best way to present this to them? And I'm big on the whole socializing before, you know, formalities, to get those pre approvals to make sure everyone's on the same page before it's all rubber stamped and ready to get approvals from the C suite. So I encourage my clients to do that too, if they can. That's a winning technique because then you're already speaking the right language. Because every CFO could be different too. One could be very much more accounting focused, one could be a bit more business focused because they might have ambitions to be CEO eventually.
[00:23:26] Speaker D: Right.
[00:23:27] Speaker A: So they need to be more business minded instead of just being an accountant. So you need to again, read the room, like other CISOs. Some are more technical than others.
[00:23:36] Speaker D: Right.
[00:23:37] Speaker A: So it's about coming back again to the right language at the right layer that everyone can understand. You can get your point across, you can get your approvals, you can get things moving.
[00:23:47] Speaker C: So I want to move on now and discuss sort of how would you turn intel into risk statements and sort of, what does this look like? Help me. I want to visualize it.
[00:23:58] Speaker A: Yeah, sure.
So CTI on its own is just noise, a list of bad things happening in the world. To make it meaningful, I run it through a filter. Does this matter to us, our assets and our controls? So again, like I said earlier, there's 50 trillion feeds coming into everyone's SIEM and SOC, and you need to make it relevant to them. So then I reframe it as a scenario to the business that the business can understand. So, for example, instead of a new credential stuffing campaign, I'd say if attackers kept hitting our customer portal with stolen logins, we could see account takeovers that disrupt orders and customer trust. So from there, I would show what the exposure looks like in time, money and impact and lay out clear options with costs, benefits and timeframes. That way leaders aren't just reading about threats, they're choosing between paths.
[00:24:54] Speaker C: Got it. Okay, that makes sense. And so do you think as well that you said before around noise, do you think too many people are just focusing on the noise and not thinking about the other stuff? It's like, oh, we're just too busy looking into the threats and responding to them and all the things that everyone's got to do day to day. They're not thinking a little bit beyond that to be like, well, at the end of the day, these threats, intel is here to inform us to make decisions or not make decisions. So do you just think that people just too wrapped up in their day to day rat race doing the things rather than zooming out and thinking strategically, well, why am I doing this and what's the purpose of doing it?
[00:25:31] Speaker A: So obviously as an analyst, that's their job. Whatever's in front of them, they have to act on, so you can't blame them. You can't, you know, say that. It'll be more the owner of the threat intelligence platform within the business.
[00:25:44] Speaker D: Right.
[00:25:45] Speaker A: They're the ones that should be going, okay, how do we optimize this? What do we need to do to uplift our platform to make it the most relevant to us? So then our analysts aren't spinning wheels all day for 70% of things that don't matter to our business or our industry.
[00:26:02] Speaker D: Right.
[00:26:02] Speaker A: Because it might not just be our business, it could be retailers getting attacked and specific retail being attacked versus, yeah, the 3 trillion feeds coming in.
[00:26:12] Speaker D: Right.
[00:26:13] Speaker A: So the higher you get, the more strategic they need to be thinking. They can't think about, they used to be analysts five years ago. This is what I would be doing. It's okay, how do we make it better for the business?
Because then how do I go up to my manager and say, well, we need to look at, you know, using a CTI program or a MISP platform, or we need to get some consultants to help us optimize our platform and program? Because, you know, it's hard when you're internal to think you need to optimize it, because it's all in front of you and it just becomes noise and you're too busy. Because the analysts can't just sit there and go, oh, let me filter that out. Oh, that isn't relevant. They need to look into it first. They need to investigate and then they can make that decision. But that's hours, right? That could be hours before they get to that. And that's just one.
[00:26:58] Speaker D: Right.
[00:26:59] Speaker A: So it's more the threat intelligence owner, platform owner in the business needs to work with their peers in cyber because, remember, threat intel is a component of cyber, but it's actually the intelligence part of it. So that lets all the other tools that they're using and controls they're using function in the most optimal way. Or it's the brains of the program, the cybersecurity team, I say. So they need to work with the other peers within their cyber team and with the CISO to work on that optimization of their platform because it impacts everyone else.
[00:27:34] Speaker C: So have you seen that when whatever you want to call it, people still have that analyst mentality and as a result, perhaps they're not thinking strategically. Have you seen that in your career?
[00:27:44] Speaker A: Yes, definitely. When you put it in context to them and tell them in a way that you need to, you know, you're not going to be able to get approval for this. Because when you go to your manager, whether it's a CISO, whether it's a cybersecurity ISM, whatever, like a level below the CISO, they go, oh, here we go, we've got a proposal for some consulting to help us with our cyber CTI uplift. They're going to be like, what? Why?
[00:28:13] Speaker D: Right?
[00:28:13] Speaker A: Because they don't then have the context to explain it, like I've just said, because they've been in the weeds for so long as an analyst and they've moved up, they've progressed because they've been hitting their KPIs or whatever it is. But it doesn't mean they've learned to think strategically. And that's a journey in life. That's just what people will work out, hopefully, eventually. So I kind of coached them to say, well, look, this proposal is to do this, but this is what you need to kind of say, and I'm happy to come with you to your meeting with your manager to go over the proposal together and help give that context for you. But really you need to be able to say that because you might get pulled in by the CISO to explain. And again, you need to explain in a strategic way to them because then they're the ones that go to the board and ask for it. So yes, I've definitely seen it.
[00:29:06] Speaker C: So Joe, you say show decisions, not dashboards. What do you mean by that?
[00:29:11] Speaker A: So dashboards are great for awareness, but boards don't want to stare at a sea of red, amber and green. What they need is a choice. So instead of a dashboard, I give them a one pager that says, here's a scenario, here's the potential business impact. Here are three options with the cost, the risk reduction and how quickly each can deliver value. And then here's my recommendation based on those options. That's the difference. You're moving from information to action. You are translating the intelligence of the dashboard into actionable outcomes for the board.
[00:29:48] Speaker C: Good. Because of how people digest the problem, people sort of respond with, what are our options? I mean, if you sort of come back and say, well, there's none, or I haven't thought about it, then that's probably a worse place to be.
So by saying, perhaps, this scenario, which is what you mentioned before, and hey, this is the thing, this is what we're dealing with. This is what I, in my position, know about it, and this is what I would recommend, like the options.
And then this is sort of, you know, 1, 2, 3 options. And this would be my recommendation towards which option would be best. Do you often find that people go against the recommendation that you've provided, or are they sort of very confident to say, well, hey, Joe, you're the expert?
[00:30:31] Speaker A: Some, not everyone, but some will take more convincing than others. And again, it depends on your reputation. From a previous question, talking about the house of no and always being a no person and a scaremonger type person, then they're not going to treat your recommendation seriously. If you've got a reputation where you explain the context of the business, where you translate your technical jargon into business language, I find that more people do listen. It is hard to say, here's my recommendation, because then you're putting your head on the chopping block, per se, and it's hard to tell clients to do that. But they need to be confident, and if they've done their research and all their data is correct and they've thought things through, then, you know, they should be confident.
[00:31:18] Speaker D: Right.
[00:31:19] Speaker A: So it comes back to the confidence when you do present it, and then confidence in yourself to put your reputation on the line. Your head's on the chopping block. So again, I don't have a problem with it if I've had enough time with the client to do that for them. But yeah, it all comes down to confidence and reputation internally. And, yeah, some might need more offline discussions. "We'll take this offline", for example, that line. Or again, like I always suggest, socialise it first before you put anything formal in a meeting. Socialise things over a coffee, over a quick chat, to say, hey, look, this is what I'm thinking. These are the options I'm thinking about. Do they make sense to your part of the business that, you know, I'm going to be talking about with your boss?
[00:32:05] Speaker C: I get what you mean around the chopping block. It was just me thinking of the other side, if you're in that position. So if you're advising the CFO, it's sort of part of the job though, isn't it? So if you're not willing to put a recommendation forward or stand behind it, then should that person be in that role? Like, I get it, no one wants to feel like, oh, my gosh, we made the wrong decision. I totally get that. But then it's like, do you really want someone who's leading your security practice that isn't confident in their decision making?
[00:32:33] Speaker A: No, obviously you don't. And some people will stop at, here are the three options with the cost, risk reduction and how quick, so time to value, and they'll stop at that and then they'll go, okay, CFO, based on the risk numbers, you make the decision and I'll stand behind you on that.
[00:32:50] Speaker C: So would you say that's the best approach though?
[00:32:53] Speaker A: No.
[00:32:53] Speaker C: And the reason why I say that is it's kind of like a mechanic making a decision for a doctor, for a patient. Like, yes, you've given some options, but they're not the most informed person on the matter.
[00:33:02] Speaker A: So I would definitely always say, you know, give a recommendation of the three and just go there with confidence, because everything will be okay too. If you've done all your research, you've got all the data, like I said, you've put everything on paper, even outlining the cost and risk reduction numbers and all those numbers, you'll be able to clearly see which is the most logical recommendation. But put your name on it, and that gives it credibility, and then that gives everyone else confidence.
So I definitely don't recommend that, but I've seen that happen, where they'll stop before "here's my recommendation". They'll just give the data and say, here you go, this is what we've come up with, this is what we've researched. Most times that won't get past the CFO that way, because they'll be like, well, tell me which one.
[00:33:45] Speaker C: Well, I think that's fair, because that's like the security person making a decision on the CFO's job. Like, you may have some basic understanding, but you can't make an informed decision.
So is that something where the industry needs maturation? Like, yes, okay, make the remedy, but I need to stand behind it and actually say, no, this is what we need to do, because I've got 20 years of experience in the game and I've now worked across all these industries and consulting and gone around the world to advise people. Like, do you think there's enough of that sort of conviction, perhaps, from people? I've seen mixed.
[00:34:19] Speaker A: Right. Depends on the industry too. If they're very risk averse, they will be more hesitant to do that. If they're more relaxed in that sense and maybe more knowledgeable themselves, then they'll be more than confident to do it. But it definitely needs to improve, and it doesn't mean they're going to accept your recommendation either. They might go, okay, that's your recommendation, thanks. But as a CFO, I think I'm going to go on what the cost is. Right, so then that's another issue. That's a "told you so" issue. Hopefully not, but, you know, it could be a possible "told you so" issue.
So we can all say, you know, here's my recommendation and this is what we should be doing, but it doesn't mean they will. So that's another conversation too.
[00:34:59] Speaker C: So then, Joe, I'm curious to understand what you mentioned to me about reporting. Like, what do you mean by report in a cadence that calms?
[00:35:07] Speaker A: Yes. So going back to that fear mongering. So, you know, boards and executives get nervous when reporting is inconsistent or unpredictable. Right. They don't know what they'll hear from you, or if every update looks different, they lose confidence. Cadence that calms is about giving them a steady rhythm, going with the rhythm of the business, as you say. So weekly for operational teams, monthly for executives, quarterly for the board. All in the same format, using the same measures, the same trends over time, and importantly, no surprises. If something urgent does come up, they should hear about it right away, not, oh, that's two months away in my update.
[00:35:49] Speaker D: Right.
[00:35:50] Speaker A: They don't want to hear that for the first time when they're in there. So when reporting is consistent and predictable, leaders feel confident that the cyber risk is under control. And that's your job as the CISO, to give them the confidence and calm that everything's under control. That's why I'm here.
[00:36:05] Speaker D: Right.
[00:36:06] Speaker A: That's why you've hired me.
[00:36:07] Speaker C: And so would you say that at times that definitely lacks, but it's moving in the right direction?
[00:36:14] Speaker A: Yes. And that comes obviously with feedback. Right. So some boards, you know, will at times be like, well, look, last time you came and saw us, or even the ops manager came and saw us, you gave us totally different metrics and charts. Like, what happened to the other stuff that you just showed us last month or last quarter? So is that gone now? Are we starting again? Right, so it comes, obviously, with maturity, with feedback. But yes, it definitely is improving, and things are always evolving in cyber and in IT and in tech.
So that's why it is more important to be consistent too. It just calms the waters.
[00:36:55] Speaker C: So Joe, do you have any sort of closing comments you'd like to leave our audience with today?
[00:37:00] Speaker A: So from boardroom to whiteboard, translate signals into scenarios, take risks into outcomes and provide options and own the decisions. And in terms of, you know, threat intelligence, that becomes a business capability, not a report. It becomes a well tuned crystal ball of what could possibly happen if you use it properly. Not just the crystal ball that shows everything happening in the world. So context is number one in whatever we talk about, who we talk to and why we're talking to them, any projects that we're doing, any purchasing that we're recommending, etc. It has to come with the context of the business, with risk in mind and all the other boardroom concerns: time, money and outcomes.
[00:37:53] Speaker B: This is KBCast, the voice of Cyber.
[00:37:57] Speaker C: Thanks for tuning in. For more industry leading news and thought provoking articles visit KBI Media to get access today.
[00:38:06] Speaker B: This episode is brought to you by Mercset, your smarter route to security talent. Mercset's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and mid sized businesses scale faster and more efficiently.
Find out
[email protected] today.