Bridging the Gap Between Business and Cyber Risk Management

Meera Shankar:
Good morning, everybody. Thank you so much for joining. My name is Meera Shankar. I lead business development and partnerships here at ThreatConnect. And I’m so delighted to introduce you to our guests today, Colin Anderson, global CISO at Dayforce, um, and Damien Apone, global director of governance, risk, and compliance, um, at GPC. So, uh, just a reminder before we get started, this webinar will be recorded and sent out later today. We do have a chat feature, so please put all your questions in the chat, and we will answer them at the end of the presentation. So I just want to, um, give a little bit of an intro as to why we are here today. Um, so as you guys know, we live in a world where cyber threats are just escalating. There are mounting regulatory pressures. Uh, people up and down the food chain are trying to figure out how do we answer kind of let’s consider new questions in the environment about where risks are coming from, what the implications are, how to manage them. Um, boards are asking for more clarity. CISOs are trying to figure out how the heck do we give them clarity? What does clarity mean? Um, and so this session is really just meant to help us all talk about how do we bridge the gap between a business risk and a technical risk. Right? As I’m sure we’re all familiar, it’s two different love languages, and we’re trying to all coexist peacefully. So, um, yeah. So I’m I’m like I said, I’m delighted to have Colin and Damien here today. Um, I wanna just kind of start with the baseline of the evolving role of the CISO. So, Colin, I’m gonna start with you. Um, as I was mentioning, boards just really want more clarity, and they want clarity from someone who understands cybersecurity. Um, but as I’m sure you’ve noticed, there is a challenge. There’s the need for wanting more cyber, and then there’s the, uh, disconnect between understanding what that means. So I’d love to just hear from you, you know, what has been your observation in terms of how the CECO role has shifted, how board expectations have shifted, and kind of what what are you doing or what can CISOs do to address it, um, as we move forward?

Colin Anderson:
Yeah. That’s that’s a great question. Um, first and foremost, the CISO role is expanding. You know? Traditionally, it was, you know, you you the guards at the gate, you know, or you’re trying to protect the enterprise from threat actors or whatever. But the CISO role today is it’s about digital trust. You know? Some CISOs are taking on IT responsibilities. Some are doing application development, building products, building microservices for whatever product they’re they’re selling, taking on privacy, taking on other business functions because the CSOs become a business leader. It’s not just a role that’s kinda stuck in a technology organization. The CISO has a seat at the table. Uh, the modern CISO has to be a business leader. You know, maybe their domain of expertise is cybersecurity, But first and foremost, they have to be put focused on, like, what’s best for the business. So I think that’s one of the big changes over the last several years. I mean, I’d say after the Target breach over a decade ago, all of a sudden cyber became an issue for boards and more and more CISOs got a seat at the board, but they were still just kind of in their domain. But today, I think the modern CISO is you know, the their their remit, their responsibilities is much greater than it was five years ago.

Damien Apone:
Yeah. Just to jump in on what Colin’s saying, I think if you look back in history and and the target breach is a great milestone in in history, uh, the same could have been said for the role of a CIO years ago. Right? They had to put somebody in charge of technology. They called them a CIO. People didn’t understand IT. And I think through the maturation over time, the role of the CIO has become that business leader where they figured out how to have that communication with the board to get what they want and need. And I think that’s really where the role of the CISO is starting to go is they’ll be have an equal seat at the table just as the CIO did, but it’s it’s morphing over the past, you know, ten ten plus years, um, the role. Um, you know, it’s a it’s a challenging role, and I think what who fills the CISO seat does continue to change as well. I think early on, uh, we had a lot of security you know, folks that grew up in security and did security, and that’s what they knew. Um, I think the the person filling the seat is starting to be more on that business leader side. They can speak the same language commonly. Right? So I’m not an accountant, but I certainly understand certain things about finance. Right? Security is the same way. We just have to find that common, you know, simplified language, um, to be able to communicate effectively to the board what we need.

Meera Shankar:
Yeah. So let’s talk about you said something, Damien, communicate effectively. So what does that mean? Right? So I’d like to just hear a little bit more. Um, Damien, we’ll start with you. So how do you talk the talk in a way that’s simplified, universal, and kind of helping to eliminate this in transition? Right? As I kind of alluded to at the beginning, it’s two different languages. Um, you know, I’m a former practitioner myself. I remember sitting in these, you know, rooms with leadership trying to figure out how do I explain this to them in a way that they understand the impact of what I’m saying, not just talking over their heads. Right? So, um, you know, as we think about cyber leaders just kind of realizing cyber threats, they’re not going away. Right? There’s gonna be an ongoing struggle no matter how much technology evolves. So when you think about how organizations are getting information or translating information or communicating what to do with that information, how do you do it in a way that, um, is easily digested up and down the organization?

Damien Apone:
Well, part of it, Meera, is you answered your own question without realizing it’s really the impact. And I think, you know, having dealt with board reporting for a very long time, it’s, hey. We we put a lot of flashing things or blinky things or color coded things that the layperson just doesn’t understand. Um, we’ve communicated a lot of times through a position of fear, or we’ve kinda played on some of the fear, but we’ve never really answered the the most basic question that a board has is so what? Are you telling me this is a problem? So what? And that’s really the impact piece that comes in. And if we simplify our messaging with an impact, hey. We have an exposure here. Uh, they understand money very, very well. Right? We have a billion dollar exposure here with a high probability of occurring, and they should this happen. This is really what the impact is gonna be. I find as we’ve simplified that messaging to be almost that simplistic, Boards can actually grasp that. They don’t need to understand, well, we have this vulnerability or that vulnerability or this tech. They don’t care. That’s really the question they wanna know the answer to, and I think there’s also been a shift, um, you know, from that checkbox mentality. Right? We’re doing security because we have to, and it is becoming more of a strategic, uh, positioning, although that has its own challenges with budget and and what we’re spending money on. But I think people are starting to take it much more seriously just because they have to, whether it’s the SEC regulations or or other things that are happening.

Meera Shankar:
Great. And, Colin, I have

Colin Anderson:
Go ahead. Yeah. Give it

Meera Shankar:
to you for a second. So

Colin Anderson:
Go ahead. I was

Meera Shankar:
gonna say, as we all know, it’s cybersecurity this month. So, you know, we can talk about these things, but when you as someone on the receiving end of of information that Damien shares, right, when it comes to translating cyber risk into business decisions, can you talk a little bit about how to kind of balance the accuracy and the simplicity so that it’s easily digested not only by you but also your peers?

Colin Anderson:
Well, you what I was gonna play off of is what Damien said. It is about the the so what, the business impact. Mhmm. A lot of CISOs get get stuck because they they might have risen up through the technical ranks. They’re very familiar with with the the technical operating aspects of their environment, but they’re not connecting that cyber risk to business impact. You know, they’re not aligning necessarily their goals or their investments to growing that business or or that business strategy. And so that that’s, you know, that’s the language, you know, um, that really needs to be first and foremost, um, on that CISO’s mind when they’re talking to that board or or talking to their c suite because they’re not thinking in, you know, number of vulnerabilities or, you know, phishing emails or whatever the case may be. They’re thinking about, like, well, how does that impact impact our business? How does that impact our business strategy? Um, so it’s know your audience. You know, this is like presentation one zero one. Know your audience and speak their language. You know? Whether it be your board or your c suite, you know, the business impact that that should be front and center. And I think that’s where a lot of CISOs get get stuck because they may not know their business as well as they they should. You know? Mhmm. They’ve risen up through the technical ranks, and they’re very comfortable in their domain. They’re very comfortable in managing risk and fighting those threat actors, but they should be having more focus on the business strategy and the business growth because the CSO is a business leader, and their first job should be, you know, protecting the business. But, you know, one a or one b there is helping the business grow. And I think that’s, um, too often CISOs miss that alignment and are not necessarily viewed as a business leader because they’re so stuck in their their domain, and they’re they they don’t talk the right language.

Damien Apone:
Yeah. Just to just to kinda piggyback on on Colin, I think two things. Right? The first thing to to your question earlier, AMeera, was I think the language that we use is very complex, and cyber is notorious for an acronym about this. Uh, if you’re talking risk one and you’re talking FAIR methodology and ALE and an SL, it’s it’s just they don’t understand. So we have to kinda get rid of the jargon and really just simplify it. But I think the other thing that Colin was touching on is really important. And, again, I think this is part of the evolution of the CISO role is when we present risk, it is a business decision. Right? The business risk is all about a business decision that we’re either going to do something or we’re gonna treat it differently. And I think, you know, where cyber is really starting to grow out of is that we never presented it as an option or a business decision. It’s always, oh my god. We have to go do this because bad things are gonna happen. Right? So that doom and gloom as opposed to saying and there was no impact. It was just a lot of fear. But now the the evolution is really more towards, hey. Here’s a business decision. Risk is a business decision. You can accept this risk. You can transfer it. You can mitigate it. But I think that’s really where the role of the CISO shifts to be more of an adviser as opposed to the person who’s bearing the full burden, uh, of securing the organization to being more of, hey. We’re we’re a strategic adviser that says this is what could happen, but you know what? CEO, COO, CFO, you guys are the ones who are on the hook to make this decision. No different than an m and a or other type of product decisions. Right? That that’s where I think cyber is going to shift into is we’re gonna present you with a decision, and you need to make the right decision. We’ll give our recommendation, but that that’s really where the more we can speak their language in the terms they understand again, all boards understand dollars and cents. Right? If we say, hey. You’re gonna lose x amount of revenue if this happens. They understand that straight away. K. Well, what’s the likelihood of that actually happening? If it’s a high probability, okay. Well, what do we do about it? Then you should have the answer. This is what we can do to reduce risk and mitigate risk, which in turn gets to know another one of your questions. That helps drive value as it pertains to cyber. Right? And the more that we can show, hey. We’re reducing risk across the organization. I will tell you firsthand, I’ve got a finance department that loves that. I’ve got executives that love that because that is actually a metric that people understand and say, hey. Yeah. Right? We wanna make decisions based off of this risk reduction and and the potential of it.

Meera Shankar:
Yeah. So just, um, so one of the topics I kinda wanted to to just spend a moment on is what does this idea of board ready communication look like? Right? So I think, Damien and Colin, you both been pretty consistent, delightfully so, in that dollars and cents. Right? That’s the universal language. Um, so when you think about and, Colin, just this is for you. So when you think about how to build champions with your CFO, with your COO to kind of align on security growth and, you know, resilience goals and budget allocation and investment and presenting a unified front to go to the board, What are some tips that you found have worked well for you, um, that maybe our audience can can benefit from moving forward?

Colin Anderson:
Yeah. Um, first and foremost, it’s know your business. You know, your CFO, your CEO, your CRO, your chief marketing officer, they’re focused on growing the business. So as a CISO, you have to know your business. Know what your sources of value are. Know what the crown jewels are. You know, if your business strategy isn’t helping the business grow, is it helping protect what matters most to your organization, then you’re not you’re not aligned to your other c suite c suite leaders. And so first and foremost, you you need to focus in on what matters most to the business. Next, you know, you may not have all the data you want. You know? Um, depending on where your your organization is in terms of maturity, you know, you’re always gonna have some some blind spots. You know? But use the data you have and understand what that data is telling you about the risks to what matters most to your business, to those crown jewels or whatever you wanna call them. And then have, like, that objective driven conversation with those executives that aligns the cyber investment and the cyber strategy to the business strategy. They should be in lockstep. And if the business is growing in a new market, well, how can cyber help manage risk in that growing into that new market? If you have a new offering, maybe you’re a b to b business and you’re going to be a b to c business, and so your business model is shifting. And risks are gonna shift with that business model. And so that cyber strategy and that investment plan has to align with that business strategy first and foremost. If not, you’re not on the same page and you’re not talking the same language.

Damien Apone:
Yeah. I think, you know, part of it is, and I agree wholeheartedly, you have to understand your business and how it operates. I think, you know, even backing it up even further is we have to have a a clear understanding and agreement and alignment on what is the mission of security. Right? And some security organizations may think, oh, we have to protect the business at all costs, and we have to lock everything down. Right? There are there are some that have the belief that, hey. You know what? Our role is really to minimize the impact of of a security event over the next three to five years. Right? Depending upon how you align your mission is gonna be how you how you operate. So we’re we’re shifting more toward that. Again, that’s a risk based approach. It says, hey. What do we need to do? What are the most important things I need to look at and protect, uh, across our business to make sure? Again, we’ve always said, hey. We enable the business, but yet a lot of times, security is the department of no. Uh, we we we we enable you safely by saying no, and and there’s a compromise. Again, it’s all decision based. We never present the the decision or the options. Um, I think nowadays, it’s getting even more difficult when we talked about budget a little bit. Um, you know, I think a lot of organizations and boards are of the opinion that, hey. You know, the last ten years since Target, um, companies have spent a lot of money on cybersecurity, and I don’t think they feel that they’ve gotten the value because every day they turn around, some another company’s experiencing a major cyberattack. So I think they look at it from a return perspective and say, we’re spending too much money. Uh, what value am I getting? In the meantime, we have the security resources that are are are burning out because we’re trying to protect everything. And I think having a risk minded approach that is supported through risk quantification and presenting them, hey. Here’s our top 10 riskiest things. Right? When we talk about budget, these are the things that we should be spending money on. Period. End of discussion. There may be some compulsory items we need to do, but the more that we can align to that and then measure that risk reduction, and and if we can execute on that, I think that’s how we gain that alignment. At the end of the day, I think, you know, the COOs and the CFOs and the CEOs wanna understand that the money that they’re investing in cyber is actually going to keep them secure and and protect them as much as possible from from a, you know, a threat actor. Uh, and I think we’re we’re reaching that point now where there’s a lot of questions being raised about the spend and the value. Um, but I think that taking that risk approach and and quantifying the risk is a good way to overcome that.

Colin Anderson:
Yeah. Yeah.

Meera Shankar:
I know.

Colin Anderson:
A cost first value point that you just made, Damian, is a great good one, um, because when cybersecurity is just a cost center, you know, when you’re just viewed as something that you wanna kind of manage to spend down because if you’re just a cost center, you’re you’re insurance. You know, you’re protecting the profit of the organization and and you’re the insurance for that profit. You’re gonna try to figure out how can you pay the lowest insurance premium you can to protect your profit. But if you can flip the conversation a little bit and be that business enabler and you’re driving value, driving business growth, then you’re not just a cost center. You’re helping the business grow. So you’re helping the top line. Protecting the bottom line is always gonna be security’s job because you gotta protect that profit, protect, you know, the sources of value for your organization. But when that cybersecurity function can help drive sales, you know, new products or whatever the case may be, then you’re then you’re revenue positive. Um, and you’re not in that cost reduction conversation as much anymore. And so, I mean, I’m, like, I’m excited. My my cyber team is actually building business services, you know, SKUs that we can sell to our customer, um, becoming more of that, you know, top line growth engine rather than just, uh, you know, protecting the profit of of the organization. I think you today’s cyber teams need to be able to do both. Yep.

Meera Shankar:
Yeah. So I love that you guys talked about this, um, the cost first value. Right? Because I feel like, as you both alluded to, there’s a sense of, okay. Well, we have certain amount of funds. What are we gonna spend it on? But how do we make sure we get the biggest bang for our buck? Right? And I think that is a different kind of value that organizations are more and more understanding. You know? You gotta pay to play a little bit. Right? So if you put in the investment now, you’re gonna save yourself a whole heck of a lot of money later. Yeah. So so I just wanted to, um, spend a moment on that. Right? So it’s it sounds like now, boards and CISOs and kind of security professionals up and down the organization are getting a little bit more aligned. I’m curious to hear your take on why historically you think the the different players have seen budgets so differently and kind of what your hopes are and what your your thoughts are in terms of moving forward given the progress. What would you like to see, um, in terms of how how risk is communicated, how investments are communicated, how ROI is communicated?

Colin Anderson:
Is that question for me or Damien?

Meera Shankar:
Well, you spoke first, so you’re you can go on first.

Colin Anderson:
I I think I touched on it earlier. I mean, I I honestly do believe it. I and I know a lot of CISOs in the community. They’re not all talking the right language. It it really is they’re not talking EBITDA. They’re not talking margin. They’re not talking cash flow. Um, they’re talking vulnerabilities. They’re talking, you know, you know, social engineering. They’re talking, you know, the different types of threats that the enterprise might face as opposed to what are the what’s the lifeblood of of an organization? It’s EBITDA, it’s cash flow, it’s profit. You know? They’re not talking the same language, um, and so it’s not resonating. They’ll go talk to their board or their c suite, and they’re talking about the number of vulnerabilities in the environment as opposed to here are the number here’s the risks to our crown jewels. Here’s what, you know, is the potential impact if something happened to these crown jewels. You know? They’re not talking the right language. And part of the problem is the the whole risk conversation has been a little bit of art and science. Um, you know, you have some data that can you know, some empirical data that you can say, okay. Here’s the the risks to these core assets. But a lot of CISOs are also just going off their their gut, you know, their own opinion, their experience. And and so there’s there’s a combination of art and science. Unfortunately, you know, you’re talking to the CFO, the CEO, other business leaders, it is black and white. It is dollars and cents. You know, it is not there’s it’s much more science, not too much art. Um, and I feel like in the cyber realm, there’s still a little bit too much art, not enough science. And, you know, Damien touched on, you know, the idea of, you know, measuring risk, risk quantification. You know, how do you create a more scientific methodology to communicate, you know, business impact, business risk? And I think that’s where things are going because in order to speak the right language, you’ve gotta have solid data to back you up.

Damien Apone:
Yeah. And I think we collect a lot of data in cyber regardless of whatever space you’re in. There’s a ton of data. There’s not necessarily a ton of data analytics that we do to effectively tell a story. Uh, you know, from what what Colin’s sharing is, again, I think the an easy way or simplistic way to to to think of that is we spend too much time talking about the means and not the ends. Right? So vulnerabilities are just a means toward an end, and so we’re we’re we’re definitely not talking the the right piece. Um, you know, I think that, you know, we we have to educate and really use data. And the more that you can show the data, people will trust the data. They’ll question the data. Uh, but you use that to drive the value, but it has to be a holistic picture of that. But we definitely have to make sure that we’re focusing in on the right areas. Right? So when it comes to some of these values, right, we have to look at cyber as you know? I I I tell people, and I’m sure a lot of the folks here on the phone. Right? Finding a cyber vendor is not very hard. Right? We can throw a rock out the window and hit 50 of them. And so I think part of what what some in the industry get caught up with is the shiny, blinky new toy. And, oh my gosh, we have to have this because it’s the latest and greatest, and we have to go spend it. Well, you may or may not have a problem, that you may not have a risk that you need to go do that. So really understanding your business and aligning to your risks. Right? No different than the many organizations have an enterprise risk management team. Right? So, again, risk everybody understands risk, but nobody has the same common definition of risk. But

Colin Anderson:
Mhmm.

Damien Apone:
I think I think some of the groundwork has been laid, you know, previous to us. We just have to, um, get on board some of that same thinking and and address that problem in in that manner like an team does or how to communicate it effectively. Boards have been meeting with enterprise risk management teams for years. They understand the risks. Right? So, again, at the end of the day, it’s a decision. So when we go from a budgetary or value, it should always be, if we do this, what is the benefit to the organization? And for a lot of time, nobody was asking the question. Even from the business side, it was, oh my god. You gotta secure it. This is what you need. Go spend the money. Mhmm. I I I think those glory days are a little bit behind us right now, and it’s getting harder and harder, uh, to secure the funding without a true business purpose behind it. And how to advance the business.

Meera Shankar:
Yeah. And I think, you know, also, it’s interesting because we’ve seen how the the security actions have become more proactive as opposed to reactive. Right?

Damien Apone:
I

Meera Shankar:
think we still very much live in an industry where, oh my gosh, something happened. Let’s let’s put a Band Aid on it and then figure it out later. Organizations more and more are realizing if we put in some effort now and build the proper controls and structure and and plans in place, then ultimately, we’re gonna save ourselves just tons of money, branding, the whole nine yards. Right? So really using the data that’s at our disposal to figure out how can we get ahead of this, how can we get ahead of the problem, how can we make sure that when something happens, because it is just inevitable, right, every organization is at some point gonna face something, how do we make sure that we’re most prepared and minimize the negative impact, um, to the organization?

Damien Apone:
So Well, to pivot on that slightly, though, I think there is a lot of a lot of the tools and tech that are out there today do focus on prevention, and that’s where a lot of the spend is. But at the end of the day, to your point, something is gonna get through. And organizations, historically, when you look at resilience as the keyword these days, right, in the old days, it was Doctor and, you know, BC and Doctor, business continuity disaster recovery. Um, there’s not as much focus because, again, it’s an insurance policy that nobody wants to pay. Why do I wanna pay for something to sit around and collect dust? Well, you don’t need it till you need it. And when you need it and you don’t have it, it’s too late, um, type of deal. So you know? But even cyber is much more than just the tools that are out there. Right? It’s the people and the process. And what I find a lot of times is as much as we wanna buy the shiny, blinky new toy, we don’t have a technology problem in some cases. We have a people in process, which is a whole different, uh, animal that we’re not necessarily solving from an effectiveness standpoint.

Colin Anderson:
Yeah.

Meera Shankar:
You read my mind, Damien. So, um, go ahead, Colin.

Colin Anderson:
I was gonna say, I I I like your idea, the the proactive versus reactive mindset. Um, I I think to Damien’s point, there are a lot of preventative technologies. But those even those preventative technologies are waiting for something to happen. You know, they’re waiting for that attack to come here. You got that, you know, that firewall out there to help prevent the attack, but it’s you’re still waiting for the attack. I think, you know, to shift that equation a little bit and truly be proactive, you have to, you know, anticipate the attack before it comes. Maybe there’s you know, your organization may not be the first target, you know. And so there there might be a canary in the coal mine, so to speak. Another organization or another industry is gonna see that attack first and give you some intelligence. Like, how do I need to change my controls or change how I’m approaching things, or may maybe I don’t have the appropriate defense for a new tack attack. You know? They are evolving all the time. You know? I I we all talk about AI. We talk about nonhuman identities. There’s all these kind of new types of attacks that we may not have appropriate preventative technologies in place for. So having the intelligence and understanding how you might be attacked can help shift from a reactive mindset to a proactive mindset and allow you to alter or modify your your defenses, your preventative technologies, to get in front of that attack before it happens to you because you saw it happen to someone else. You learn from that, and you apply those lessons, you know, those IOCs or whatever you wanna whatever data you can get from that attack to improve your defenses for when that attack comes at you. So I do think you can become more proactive, but it’s almost having to think like a threat actor and having to predict what’s coming next. And the only way to do that is with some data and intelligence to help you make better decisions.

Damien Apone:
Yeah. And that’s something that we’re actually trying to morph into. Right? So I think there’s a lot of information be it through threat intel.

Colin Anderson:
Yep.

Damien Apone:
Um, you know, we we we understand who our threat actors are. Most companies don’t. So start right there. Right? You if you know who your threat actors are in any given location and you know how they attack, right, now you know the TTPs you would need to defend against. Now now we’re even better. So now you just really have to understand how does your technology align with that with the those TTPs and test it. Right? That doesn’t get you a 100%, but, you know, if you apply the Pareto principle, you’re probably more than 80% of the way there. Uh, as long as you can break that MITRE attack chain, and between that and and fixing your vulnerabilities, you can be far more effective than just trying to chase every single thing. Because if you’re not likely to spend time on that TTP or see it and we’re spending a lot of money there, then not always the great use of not always the greatest use of our limited funds. Um, it’s not an exact science. Right? I I I like it is an art and a science at the end of the day. Um, there’s much more, you know, leaning towards science. I agree with what what Colin said earlier, but risk itself is not a science. Right? It is still, um, you know, it’s still a gamble, which is why they call it a Monte Carlo simulation when you run the risk quant. Right? It it is, uh, it it’s all a gamble, but, again, you you take the best information you can to make the best informed decision, and you you kinda ride that.

Meera Shankar:
Yeah. And, uh, just an example of in real time about reactive versus proactive, I tried to be proactive about the lighting behind me, and now I’m getting washed out by the sun. So I apologize to everybody. Um, but the point is there are tools we can use to be preventative, and, unfortunately, nature went out today. So, um, okay. So great. So I wanna talk a little bit about, um, you know, beyond the data there is and and also, you know, beyond the data there’s a conversation. Right? And I think, Damien, you alluded to the sense of community and and really just understanding. And in the spirit of cybersecurity awareness month, I wanna talk a little bit about building culture, building a culture of security. Um, I, you know, in a in a past life have written policies and security training, and I think we all know it’s kind of an uphill battle when it comes to getting people to understand it, getting people to understand the importance of it, getting people to adhere to it. Right? Um, and so many organizations are kind of sidestepping these processes and not always consulting cyber teams and building risk awareness can be challenging. Um, so I’d like to just understand from you guys, you know, we talked about, okay, here are some very quantitative tools. Um, but just when it comes to cultural or structural barriers that kind of prevent cyber and business leaders from talking to each other, um, a, what does that look like? And, b, how have you how have you been able to overcome some of those hurdles? Um, so, Damian, let’s start with you.

Damien Apone:
Yeah. So I think, again, it it it comes from each organization is a little bit different. Right? I I can speak to organizations I’ve been in where where peers or leaders, their mission, and they take it very seriously, is to secure the organization. And so they are going to lock things down at all costs, so they become the department of no. Um, I think that is very detrimental to to the security organization. So it seems like when you get people to come to you, then you tell them no all the time. They’re just gonna go around you. And so that really kinda defeats the purpose. So, again, and I think it’s a partnership there where we have to approach it as a partnership that says, okay. What can we maybe we don’t wanna do a, but, hey, what about b? Right? Can we compromise? Can we find a a good solution that secures and enables the business at the same time? Because that’s really where the the the magic is, and we need to do it in such a way where we’re being you know, we’re trying to partner and and being collaborative so that they don’t try to avoid us. Um, you know, in terms of awareness or or security culture around risk, I think that a lot of times employees, you know, they take training because they have to take training. That doesn’t necessarily build the culture, and I find one of the most impactful things is, again, is how we shift it is from an awareness piece. When you start talking about an individual’s bank account, they care a lot more about what can happen to their bank account versus the company’s bank account. Right? So wherever you can make it personal. And I think, really, we continue the message of again, a lot of years for security, we would say, well, security says. Why are we doing this? Well, security says we have to do it. Right? And so we have to say, okay. We have to explain ourselves a little bit more and bring in the why. Right? Yes. Security says to do it, but do you understand why? Do you understand what can happen and make it personal? Once you can connect those dots, then people are gonna be, you know, much more open to collaborating from the business side as well. Hey. We’re saying no to this, but this is the reason why we’re saying no. Is there another way that we can do something? So I I think a lot of times, we just stop it now or because we said so and not provide the full explanation of impact or why it’s important. Um, and I think the more that we do that, you’ll build that culture of of security and collaboration.

Colin Anderson:
Yeah. I can’t agree more with the why is really important. Um, the WIFM. You know, what’s in it for me? Also really important. Um, I think too often security teams take a stick approach, you know, bad you you you should have caught that phishing email or bad on you for whatever. You know, it’s it’s it’s it’s a negative, you know, consequence as opposed to a positive consequence, you know, rewarding good things. You know? Hey. Thank Thank you for reporting that phishing email. Thank you for raising that issue to the cybersecurity team. You know? Have your humans, your employees be your a human firewall for your organization, you know, by helping educate them on the why. Why is this important to the business? Why is this important to their own job, their role? Why can this help the business grow? Why is this good for, you know, their specific job? The why is really, really important. And a lot of security teams don’t go there. They just say, you know, hey. These are the rules of the road. These are the policies that you have to follow. And an employee doesn’t doesn’t understand why. You’re just adding friction to my job. Why why are you making me do all jump through all these hoops? Because they’re smart. They’re gonna find a way around the hoops if they don’t understand why they’re important, um, and what’s in it for them. Like, if if, you know, the hoops are there to protect their own information. You know? Like, I I I want my own information to be protected. I want I wanna get paid at the end of the week or the end of the month or whatever it is. Um, the the the why is so important. And I think a lot of security organizations don’t focus on that as much as they focus on the rules, the policies that that you want everybody to follow. So I because I honestly believe people humans are inherently good. They wanna do the right thing. If they understand why that right thing needs to be done and they understand the benefit to them, the benefit to the company, um, I think the why is incredibly important.

Meera Shankar:
Yeah. Great. Well, I can’t think of a better way to end this conversation, and people are inherently good. So I’m gonna just thank you guys for that. Um, we have a couple of just questions I like to just pepper in here, um, before we release everyone back into their day to day. Um, so one question. So, Colin, this is for you. So how can CISOs position themselves as enablers and allies to business leaders so that cyber risk considerations are integrated into the business strategies? I think we talked a little bit about it, but maybe just some very concrete, uh, examples or or guidance.

Colin Anderson:
I I honestly, you need to start with building trust. You know, chances are you are hired as the CSO or security director or security general, whatever, because of your domain experience. But you still have to build that trust, you know, and make sure that other business leaders believe in you, you know, take your opinions to heart, take your advice to heart, um, that is the right thing to do for the business. So be honest. You know, if it’s if it’s bad, it’s bad. You know, focus on the good things and the bad things. Build that trust. Be honest. Um, know your business. Um, and these are the just the basic things for any executive to be successful. You have to have a foundation of trust. Um, you have to have a foundation of, you know, confidence and expertise, whether it be your c suite or your board. They have to have confidence in you in that role. And to build that confidence, you know, you’ve gotta build the trust, um, know your business. Uh, a lot of the stuff we’ve we’ve echoed here today, I think, is just foundational to get that support, you know, to be that enabler as opposed to just that cost center. Um, find those opportunities where cyber can help the business grow and tell that story. Um, help, you know, help drive your investment in cybersecurity because it’s gonna drive business growth or maybe it’s gonna reduce cost, you know, operating cost or whatever the whatever the business outcome you’re after is, whether cost reduction or business growth, show how that cyber investment or that cyber strategy helps deliver that outcome.

Meera Shankar:
Great. Damien, what are the key indicators of a strong cybersecurity culture? And in your experience, how can organizations measure their progress? Right? So Colin talked about trust. Colin talked about growing the conversation. So how does one measure that?

Damien Apone:
Not very easily. Um, honestly. So I I I think I I it’s a great question, though. Right? How how do you really know? And I think is what is the level of engagement between employees and the security organization? Right? And so it it’s a challenge from a security awareness perspective. It says, hey. We’re we’re doing awareness once a month, and we’re doing training four times a year, and we run phishing campaigns. Is it effective? Right? We can look at certain metrics, and, again, you have to have a way to measure effectiveness. Right? Are we seeing a decrease in our fishing simulations? Are we seeing a decrease in the amount of fishing that has gotten through that has been or an increase in what’s been reported? Uh, are we seeing more people you know, the the the great poster see something, say something. Right? Are more people speaking up? Are more people coming to us? Right? So and it all begins with trust, like Colin mentioned. But if nobody wants to come, uh, and engage with secure, like, hey. We saw this. We have that. To me, it’s harder to measure. But when people start coming to security as opposed to security going to them, you know you’re on the right you’re you know, you’re on the right, uh, path because it’s in their consciousness, and and it doesn’t happen overnight. Uh, it’ll take longer if you’ve come from that negative place. Um, but I think over time, like, the more positive interactions people have with security, right, you build the trust. You you’re willing to listen. You’re willing to be open minded. You’re willing to compromise and work together. That builds that trust. And I think over time, you’ll you’ll start to embed that culture. It’s not it’s not an overnight, uh, type of situation.

Meera Shankar:
Great. So a little bit of a two part question. So, Colin, we’ll start with you. So both of you guys alluded to this idea of risk quantification, which as we know is kind of taken increased presence and, um, had more of a played more of a role in the way that organizations are communicating risk and and how to talk about it. So part one is kind of chain with change always comes some pushback. Right? So how can organizations overcome some of this resistance to change and really encourage their peers and and leadership to kind of adopt these new their, I guess, quote, unquote, new security practices? Um, and then on the flip side, how do you balance reporting, um, reporting the results of risk quant without kind of going down a jargon rabbit hole? That’s a question from our another question from our audience. So, um, Colin, you can answer whichever one you want, and I’m gonna give Damien the other one.

Colin Anderson:
Yeah. Um, it’s easy to go down that rabbit hole. You know? Damien mentioned earlier, we have a lot of data. You know? But but what is that data telling us? What is what is that what are those insights telling us about risk to our business, risk to what matters most? I think risk quantification gives us more data, you know, and it’s and it’s it’s attempting to measure, you know, that risk to a different business, you know, department, business function, business system. You gotta be able to trust the data. So, you know, just like with with AI where you wanna you know, you you might get an answer and you wanna understand what sources were referenced there because you don’t want it to hallucinate on you. I think the same thing applies to to data and risk quantification. You need to understand the data that’s underlying that, you know, recommendation or that measurement or or whatever that you’re you’re you’re communicating to, like, demystify it, you know. And so, like, so when you’re trying to, you know, use this to drive an outcome, you know, whether that be budget or whatever, you you gotta be able to trust the data. And to trust the data, you’ve gotta demystify it a little bit. Um, when you can demystify it, then make it consumable by the business leader that you’re you’re you’re sharing it with. Like, here’s here’s why, you know, this is something that we need to invest in. You know, here’s the objective risk measurement. Here’s the data behind it. Here’s how it the impact to our business if we don’t do this because sometimes we don’t talk about, you know, the negative. Like, okay. Well, if we don’t do this, here’s the potential negative outcome. If we do do this, here’s the potential positive outcome. The more you can be transparent in terms of how you reached your conclusions, the more trust that will be in those conclusions, the more supports that you’re gonna get. So I think, um, we’ve gotta turn data into insights is is kinda what it boils down to, and I think risk quantification helps you do that.

Damien Apone:
Yeah. I think from the the on the jargon aspect, I think it’s how you tell the story. Right? And it is a story. At the end of the day, we are we are telling people the story, and we need to tell the story in the most simple way possible so that they understand. Right? We can simply say, hey. Based off of this scenario and with x amount of data, we’ve got this particular system. It’s got this much data. There’s a high percentage of of an event happening in the next five years. Right? And it should that happen, here’s the impact. Now when we look at how we measure that, if we take whatever the impact is divided by five, great. That is our annual number that we would compare the risk reduction to. Right? So you can you can explain what an ALE is or an SLE or these different things without saying it, but just explaining it in a way that, oh, okay. I understand that this could happen. If this happens, this is the impact. Okay. This is kind of the the the planning horizon. Okay. Well, how do we measure value? If we fix it, we believe we’re gonna see x amount of risk. K. What does that mean? Am I reducing impact? Am I increasing the the length of time? Right. So I think you can walk through it and just telling them the simple story. Once they hear it, you know, once or twice or or three times, they’re gonna understand it. So then it just gets into the, okay. Yep. Tell me what it is. Tell me what the number is. Tell me what the annual number is. What’s the probability? And then we we move on that way. What was the first half of the question if Colin didn’t answer it?

Colin Anderson:
Yeah. I don’t know. I mean, you’ve gotta you’ve gotta demystify the data. I mean, I storytelling is such a key skill. I mean, something I’m still working to master. I think it it it makes all the difference. You know? When you can use those analogies to show the value of cybersecurity, to tell that story in a way that the audience, whatever that audience maybe, can consume it and understand it. You know? Like, you’re you’re a general contractor and you’re building a house. You know? How to, like, create that story and that analogy so everybody understands what you’re what you understand.

Damien Apone:
Exactly.

Colin Anderson:
Um, it’s so critical. And but I think there was a quote once. Um, to know to be an expert, you have to simplify. You have to be able to be able to simplify something. So if you really know something well, you can make it very simple to understand. Um, and and that is the skill, and it’s a storytelling skill and something I think we’re all, as leaders, trying to master.

Meera Shankar:
Love it. So, um, with that, I will leave you all to master your day to day jobs. Um, thank you again so much to Damien and Colin. As mentioned, this session, uh, it has been recorded and will be shared later today. Um, and, yeah, everyone have a great day. Thank you so much.