Hi, I loved the no-nonsense approaches to communicating the business needs and getting them funded. Thank you for this insightful episode.
It isn't only the CISO that needs to communicate what is being done and what is required to achieve the business goals; all of the COs do. However, the lack of revenue from improvements will always cause suspicion. Happily, customers are demanding implementation of accreditations, which gives us a platform to show value for money spent.
Awesome as always! The narrative of the CISO taking all the blame needs to change. This is a great way to start to turn that page.
THX. Very true and important rules for good management after all, not only for the CISO.
Good morning Eric. Thank you for continuously educating us. Could you please make an episode on the new SEC rules, how to do some sort of tabletop exercise, and who from the senior executives should be part of it? Thanks
Dr. Eric, very good video and brilliant points.
💡 Every CEO and the board of directors must attend at least a 2-week cybersecurity executive education workshop. Only then will they be able to make the best decisions in their business with respect to their digital strategy. Once they finish this, all of the CEO's team members also have to attend the same.
There is a big difference between "Knowing Cybersecurity" and "Thinking Cybersecurity". All CEOs know what cybersecurity is, but do they think about the cybersecurity aspects in every decision they make?
Indeed, the same approach applies to Quality, Lean, Six Sigma, and Data Science. These are a business scientific toolkit, not just a technical kit.
* Set the risk posture (what current risks are/aren't tolerable and what the risk tolerance level is).
* Communicate any intolerable risks to the related risk owner and then to the board, to keep them aware and protect myself.
* What and where are the critical assets? Then prioritize them.
* Spend time with the Chiefs.
* As a CISO, don't be out of sight and mind from the Chiefs; be available and in sight for questions/discussions.
* Create/update the risk register, with risks prioritized, including the top risks outlined, their likelihood of occurrence, impact if they happen, and cost to fix. Then communicate to the board which ones they direct you to treat/reduce.
* Say no to what you can't do.
Oh my, I just found the missing piece for the next level.