This past week I attended the Seattle edition of SecureWorld. The first keynote speaker was Mr. Demetrios Lazarikos (aka Laz) (laz@blue-lava.net) and his talk really hit home for me as a security practitioner and former CISO. He offered some excellent advice regarding the characteristics of a cybersecurity leader and where they should report in the organizational structure, and offered some succinct recommendations to be considered.
So, this is a trip report of sorts but I also thought his comments were "dead on" and I heartily endorse his opinions.
Overall, Laz's speech was one I could understand and relate to, given my time in the trenches and my own experience. Thanks to SecureWorld for inviting Laz to speak!
Characteristics of Today's Cyber Leader
His key points about today's successful cybersecurity leader included:
- Curious and a lifelong learner
- Critical thinker
- Patient and able to influence
- Understands the value of the cybersecurity program
- Understands and can articulate the risks to revenue and sales enablement (It's the Money!)
- Works closely with IT audit and regulators
- Is in it for the PASSION
- Never lets a cybersecurity opportunity go to waste -- EVER!
- Tries to remain vendor agnostic
Organizational Reporting
Laz explicitly said the "CISO NEEDS TO REPORT TO THE CEO!"
I heartily agree! The CISO is a very, very key cog in the gears of the organization and without an unencumbered communication to the chief decision-maker, the CISO's hands are tied (which I know from experience).
Talking to the Board of Directors
Laz again offered some terrific advice on ways to report and communicate to the Board of Directors. Because you usually only have 10-15 minutes for your discussion, his suggestions included:
- Ensure the reports are in terms THEY understand. Not technical gobbledygook.
- Be streamlined
- Quantify risk and loss exposure in dollars - not bits/bytes
- Provide specific recommendations for moving ahead and protecting the enterprise
- Emphasize the risk to revenue and risk to the brand -- not what the best firewall is
Recommendations
In closing, Laz offered some terrific recommendations for consideration by current and future CISOs:
- Incorporate cybersecurity in all areas of your business -- from the individual employee to the CEO; from the mundane janitorial services to the strategic planning
- Be an enabler -- always consider risk to revenue and sales enablement
- Meet and know the CEO -- don't meet them for the first time during a data breach
- Understand and report to the business in "business terminology"
- Collaborate, Collaborate, Collaborate!