Cyber Capable Board, CISO Maturity, & Culture of ‘Yes’ – BSW #268

And when it comes to boards themselves, the focus on cybersecurity is helping them grow into more knowledgeable and comprehensively functioning units.

These ten practical steps will ensure that your top team is as ready as it can be. 1 Lead from the front 2 Talk to your CISO 3 Ask all the right questions 4 Demand clarity in reporting 5 Get more from your non-execs 6 Play your part in simulations 7 Practise dealing with the media 8 Focus on the human aspects 9 Challenge Risk Transfer Strategies 10 Plan for ransomware

After a company discovers a cyber attack on its network, the finger-pointing begins. The CEO blames the chief information security officer (CISO). The CISO blames the financial officers for not setting aside enough money for cyber defenses. The chief information officer begins to look for a scapegoat further down the supply chain. Maybe they fire a low-level employee who made a mistake or point to a vulnerability within a third-party vendor’s security system. Or, if the incident took place in the cloud, is the cloud provider or the data owner at fault?

The following communication tips can assist CISOs in meeting executive-level expectations, and in reconfiguring fraught and uncertain business relationships. Easy-win communication tips for CISOs - When communicating with executives, ensure that communication is clear, concise, non-technical and engaging. - Present comprehensive concepts and avoid diving into details. - Translate technical risk into business risk. - Remember, CEOs and the C-Suite are generally looking to see the bigger picture as it pertains to risk. More strategic communication tips for CISOs - When presenting metrics, be selective. Choose metrics that executives can easily understand and relate to. - When presenting risk, describe it as a business problem. - Show a framework for your thinking – for example, build stories around a few recent cyber security incidents. - Narrate the value of security.

Leadership has traditionally been taught as a set of larger actions, such as having a difficult conversation or coaching someone. In reality, leading well is an integrated activity, in which one is doing many things simultaneously. One way to learn to do this better is to think about leadership as a series of small actions that are practiced, then carefully sequenced and interwoven during interactions. For instance, instead of thinking of something as a “difficult conversation,” a leader might aim to disarm, then show appreciation, then appeal to values. Research identifies 25 such actions, and learning to implement them in the right circumstances can help one become a better leader.

Here’s 10 things to help 1. Listen actively. Confirm. Show you are trying to or do understand. 2. Make sure you are talking to the right audience. 3. Positive body language. Open, Shoulders back, chin up! 4. Double check that email before you press send. 5. Concise. Don’t include words you don’t r?e?a?l?l?y? need to. 6. Make notes. (Good for both your own retention and to show you are listening and engaged). 7. Right type. Email? Video call? Face to face? 8. Pause, slow down. Think before you speak. 9. Have an agenda even if it isn’t a formal one. Don’t let the conversation wander off topic aimlessly. It needs to be productive. 10. Actually communicate! People often assume others more know than they do.

Security teams must work to remove communication and reporting roadblocks, positively reinforce desired security outcomes and start at "yes" when evaluating new requests and projects. By implementing the following recommendations, security leaders can change corporate perception of security and build a more collaborative culture with their company's workforce. - Communicate strategically to foster collaboration. - Remove communication and reporting roadblocks. - Positively reinforce good behavior. - Adopt a “yes, and…” approach.