Boards & Cybersecurity, The New CISO Role, & Reskilling – BSW #265
In the Leadership and Communications section, Being concerned is not enough – What boards should know and do about cybersecurity, In the Case of Cybersecurity, the Best Defense is Education, Reskilling workers can help meet the cybersecurity staffing challenge, and more!
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Hosts

Matt Alderman
VP, Product at Living Security
- 1. Being concerned is not enough – What boards should know and do about cybersecurity
  Cybercrime is a growing threat that will require C-level attention in organizations across the globe. The authors offer four steps boards can take toward establishing fit-for-purpose cybersecurity capabilities:
  1. Engage an objective expert view on the status quo of the organization's cybersecurity maturity. Ideally, this assessment should provide the necessary level of granularity while still delivering readily understandable insights and priorities for the C-level audience (e.g., ADL's Cybersecurity Matrix).
  2. Ensure regular oversight of the organization's key indicators for cybersecurity performance, both leading and lagging, providing assurance that the controls in place offer the right level of protection.
  3. Review fact-based and unvarnished updates on a regular basis. This not only facilitates progress tracking but also ensures that resources are allocated in the most effective way for reaching the intended maturity level.
  4. Enable the required governance and funding to reach the organization's target state, based on a dedicated action plan, while ensuring identified vulnerabilities are addressed immediately.
  By following these steps, boards can measure, manage, and direct cybersecurity performance toward a sustainable reduction of risk.
- 2. Time to Look at the Role of the CISO Differently
  The role of the CISO is becoming a true leadership role, and what is required to get things moving is political acumen, managerial experience and personal gravitas rather than raw technology skills.
- 3. Staying Positive and On-Track in Uncertain Times
  Leaders have had a very tough two years, trying to reassure and focus employees in the face of constant uncertainty, often struggling with their own stress and burnout as they address the rising mental health challenges of their employees. How can they stay centered, providing a clear and upbeat message to their teams while having to pivot frequently as conditions change? The article offers three practical strategies for leaders to take care of themselves, all centering on understanding and managing one's own mind: beware of your ego; choose courage over comfort; and practice caring transparency.
- 4. In the Case of Cybersecurity, the Best Defense is Education
  Teach your staff, and install best-in-class edge protection, spam filtering, endpoint protection, anti-virus, dark-web scanning, and backup. Above all, don't overlook the most important step: promote awareness and build a strong security-conscious culture in your office.
- 5. How to Spot — and Develop — High-Potential Talent in Your Organization
  Organizations typically look to past performance to identify future leaders. But an employee's track record doesn't tell you who might excel at things they haven't done before, nor does it identify early-career high potentials or people who haven't had equitable access to mentoring, sponsorship, development, and advancement opportunities. The authors have developed a model for predicting leadership potential that's grounded not in achievements but in three observable, measurable behaviors: cognitive quotient, drive quotient, and emotional quotient. They outline the telltale behaviors in each area and explain how managers can coach employees to develop and refine their skills.
- 6. Reskilling workers can help meet the cybersecurity staffing challenge
  The article describes developing a reskilling program in four phases:
  Phase 1: Foundation. Each business unit created a three-year growth projection for its top five digital skills, called new service offerings (NSOs), and a talent plan to meet the anticipated growth for each NSO. This resulted in 36 new offerings, with the top five skills needed for each.
  Phase 2: Skills Forecasting. The authors planned for both long-term (five years out) and short-term (quarterly) skills needs, using a variety of external and internal inputs for the forecasting model, including revenues, employee skill data, past allocations, and market trends.
  Phase 3: Program Implementation. This established reskilling as an alternative talent pipeline. More than 90% of the reskilled employees have been deployed to projects using their new skills.
  Phase 4: Scaling. The authors encouraged people to learn about cybersecurity and raised awareness of the reskilling program. Employees are motivated to participate through concrete financial and career incentives. Career incentives include skill tags, which quantify what an employee has learned in a way that is recognized in the market. For instance, "Cybersecurity expert" is a tag employees can earn to signal their skill set and work on new projects internally and with clients.
- 7. Nominations for SC Media's 2022 Women in IT Security now open
  To submit nominations, please enter all information into the entry form. Entries close June 24, at which time the editorial team and members of the SC Media advisory board will begin the difficult task of reviewing all nominations and selecting the honorees to be unveiled in September.

Bill Brenner
VP, Content Strategy at CyberRisk Alliance