4 Things Boards Should Know, 4 in 10 Orgs Don’t Have a CISO, & Creating Culture – BSW #241
In the Leadership & Communications section for this week: Four Things Your CISO Wants Your Board to Know, 4 in 10 Organizations Do Not Employ a CISO, Creating a Culture of Cybersecurity, & more!
VP, Product at Living Security
- 1. What Did Your Board of Directors Know, and When Did They Know It?
  In the SolarWinds lawsuit, the more significant issue is not that the Board allegedly knew about the risks; it is that they reportedly knew and then did nothing to prevent or mitigate them. In 2021, the role of the Board has shifted to limiting the damage of these attacks and ensuring those risks are accounted for by the organization. What the Board needs from its CISO is clear communication on which projects are in place and how they relate to existing and potential threats.
- 2. Four Things Your CISO Wants Your Board to Know
  Here are four things your CISO wants your board to know:
  1. To adequately protect an organization, your cybersecurity budget should be more than 1% of your overall IT spend.
  2. It is impossible to provide metrics on how many advanced persistent threats you have blocked in the past month.
  3. Building a culture of cybersecurity as a top-down strategy is imperative.
  4. Align your cybersecurity strategy to an acceptable framework that demonstrates maturity over time.
- 3. 4 in 10 Organizations Do Not Employ a CISO: Report
  Organizations across the world have experienced swift changes in their business operations during the new normal. In particular, the adoption of distributed work environments became a challenge for many companies and increased their exposure to cyberattacks. Several enterprises have raised their cybersecurity budgets to deal with these new challenges. Yet even as the struggle to mitigate cyberthreats intensifies, some organizations remain wary of hiring security professionals. A recent analysis from cybersecurity solutions provider Navisite revealed that over 45% of organizations don’t employ a Chief Information Security Officer (CISO). Of this group, 58% think their company should hire a CISO.
- 4. The CIO’s Role in Strengthening Information Security
  If you're a CIO charged with maximizing security outcomes while also ensuring that projects are implemented and everything "just works," focus on strengthening your relationships with those who can help you. Security is about buy-in, and that is especially important for those who don't fully understand it.
- 5. 5 New Rules for Leading a Hybrid Team
  Here’s how leaders can build great teams, even when those teams aren’t together in person all the time:
  1. Make work purpose driven.
  2. Trust your people more than feels comfortable.
  3. Learn in the small moments. Send people, and yourself, nudges.
  4. Provide clarity. Be more decisive than feels comfortable.
  5. Include everyone. Take a long, hard look in the mirror.
- 6. Creating a Culture of Cybersecurity
  Think about cybersecurity not as an IT issue but as a senior executive and leadership issue. Cybersecurity and cyber protection are often thought of as reactive measures, but organizations need to start seeing cyber protection as a form of planning. Like financial planning, cybersecurity should be incorporated into everyday business. It's not an add-on; it should be embedded in the organization, an "embedded endurance strategy".