Leadership, Careers

Cyber Capable Board, CISO Maturity, & Culture of ‘Yes’ – BSW #268

In the Leadership and Communications segment: How to build a cyber capable board, Who Is Legally Responsible for a Cyber Incident?, Building a security culture of 'Yes', and more!

Full episode and show notes


  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!


Matt Alderman
VP, Product at Living Security
  1. How the board can help in the fight against cybersecurity threats - And when it comes to boards themselves, the focus on cybersecurity is helping them grow into more knowledgeable and comprehensively functioning units.
  2. How to build a cyber capable board - These ten practical steps will ensure that your top team is as ready as it can be.
     1. Lead from the front
     2. Talk to your CISO
     3. Ask all the right questions
     4. Demand clarity in reporting
     5. Get more from your non-execs
     6. Play your part in simulations
     7. Practise dealing with the media
     8. Focus on the human aspects
     9. Challenge risk transfer strategies
     10. Plan for ransomware
  3. Who Is Legally Responsible for a Cyber Incident? - After a company discovers a cyber attack on its network, the finger-pointing begins. The CEO blames the chief information security officer (CISO). The CISO blames the financial officers for not setting aside enough money for cyber defenses. The chief information officer begins to look for a scapegoat further down the supply chain. Maybe they fire a low-level employee who made a mistake or point to a vulnerability within a third-party vendor’s security system. Or, if the incident took place in the cloud, is the cloud provider or the data owner at fault?
  4. Maturity of the CISO role: Overlooked keys to success 2022 - The following communication tips can assist CISOs in meeting executive-level expectations, and in reconfiguring fraught and uncertain business relationships.
     Easy-win communication tips for CISOs:
     - When communicating with executives, ensure that communication is clear, concise, non-technical and engaging.
     - Present comprehensive concepts and avoid diving into details.
     - Translate technical risk into business risk.
     - Remember, CEOs and the C-Suite are generally looking to see the bigger picture as it pertains to risk.
     More strategic communication tips for CISOs:
     - When presenting metrics, be selective. Choose metrics that executives can easily understand and relate to.
     - When presenting risk, describe it as a business problem.
     - Show a framework for your thinking – for example, build stories around a few recent cyber security incidents.
     - Narrate the value of security.
  5. Small Actions Make Great Leaders - Leadership has traditionally been taught as a set of larger actions, such as having a difficult conversation or coaching someone. In reality, leading well is an integrated activity, in which one is doing many things simultaneously. One way to learn to do this better is to think about leadership as a series of small actions that are practiced, then carefully sequenced and interwoven during interactions. For instance, instead of thinking of something as a “difficult conversation,” a leader might aim to disarm, then show appreciation, then appeal to values. Research identifies 25 such actions, and learning to implement them in the right circumstances can help one become a better leader.
  6. 10 Ways To Improve Your Communication - Here are 10 things to help:
     1. Listen actively. Confirm. Show that you are trying to understand, or do understand.
     2. Make sure you are talking to the right audience.
     3. Positive body language. Open, shoulders back, chin up!
     4. Double check that email before you press send.
     5. Be concise. Don’t include words you don’t need to.
     6. Make notes. (Good for both your own retention and to show you are listening and engaged.)
     7. Right type. Email? Video call? Face to face?
     8. Pause, slow down. Think before you speak.
     9. Have an agenda even if it isn’t a formal one. Don’t let the conversation wander off topic aimlessly. It needs to be productive.
     10. Actually communicate! People often assume others know more than they do.
  7. Building a security culture of ‘Yes’ - Security teams must work to remove communication and reporting roadblocks, positively reinforce desired security outcomes and start at "yes" when evaluating new requests and projects. By implementing the following recommendations, security leaders can change corporate perception of security and build a more collaborative culture with their company's workforce.
     - Communicate strategically to foster collaboration.
     - Remove communication and reporting roadblocks.
     - Positively reinforce good behavior.
     - Adopt a “yes, and…” approach.
Josh Marpet
Executive Director at RM-ISAO
Tyler Robinson
Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security