CISO Alignment and Week in Review
Erik Boemanns
Leading you from IT risk to reward. A lawyer/technologist bringing executive expertise to IT GRC, privacy, and security. Together, we can reach your next level of success.
We're halfway through #cybersecurityawarenessmonth - and I hope everyone is more familiar with the four focus areas of updating software, having strong passwords, enabling multifactor authentication (MFA), and recognizing and reporting phishing.
TLDR? Where should the CISO be in a modern organization? A recap on my interviewing tips. A leadership thought. A cybersecurity awareness catch-up. And a post-note on acronyms (TLDR- Too Long Didn't Read).
Organizing Security for Success
Cybersecurity awareness doesn't limit itself to these four areas. Another key topic is how your organization is structured to focus on cybersecurity. Having an individual or team designated for cybersecurity is a key requirement of insurers, auditors, and most regulatory frameworks. In this Forbes article, we even see that the Securities and Exchange Commission (SEC) may require this expertise on the boards of publicly traded companies.
I recently polled* a group of cybersecurity professionals on where they see the Chief Information Security Officer (CISO) reporting in the organization. Why does this matter, you might wonder? The short answer is it (1) vests the correct authority and power in the role to make the correct decisions for the company without inappropriate influence and (2) demonstrates the seriousness the organization places on cybersecurity.
The majority of votes were in favor of reporting to the CEO. Of interest though, 50% of overall votes were split almost evenly between being on the Board (as the SEC may require) or at least Reports to the Board.
This shift could also be influenced by the former Uber CISO's conviction last week. The conviction was related to the cover-up, but it was alleged the CEO at the time was also in the loop. Giving the CISO independence from even the CEO can be a natural extension of how to mitigate this risk.
Regardless of how your company is organized, it's critical that you define a role with enough authority and autonomy to investigate, report, and remediate cybersecurity incidents.
* The poll was in a private LinkedIn group, so you may not have access.
Week in Review
In case you missed it (ICYMI), I talked about a few different topics this week. Since many people are still on the job hunt, I shared a few interviewing tips from my experience as a hiring manager and as an interviewee all those years ago. A few leadership thoughts crossed my keyboard as well. And of course, I shared my daily cybersecurity awareness tidbit.
Check the posts out if you're interested and missed them!
Interviewing Tips
- It's important to show up on time! I learned this when my directions failed me and I showed up 40 minutes late to an interview.
- Have fun during your interview!
- Bring what excites you to the interview.
- Reflect on challenges you've solved in the past.
- Talk about how you learn.
- Find the right place for you - not somewhere you aren't proud of.
Good luck this next week on your interviews. And if you're a cloud professional, .NET developer, or front-end developer and want to work with me (or Improving), send me a message!
For the leaders...
A quick reflection on permission-based leadership, versus letting your team have some authority and autonomy to be creative.
Cybersecurity is Always Important
- I was highlighted in Tanya Dua's post this week on cybersecurity jobs. Check out the post and article.
- MFA isn't as strong as we think.
- Text-based MFA has some real problems.
- Phishing happens on social media (even on LinkedIn!).
- I shared examples of text message phishing attempts.
- No matter how good your memory is, use a Password Manager
- Protect your older devices - update or retire if you can!
- Also, update all your devices! Not just phones and laptops!
Thank you!
A big shoutout to everyone engaging with conversations on LinkedIn. I love hearing your thoughts and opinions on all the important topics.
Lyndsee Nielson had a great thread about using acronyms in your posts. I did today, but I also spelled them out first. We get so caught up in jargon that we risk losing people who aren't our core audience. So always be conscious of jargon and acronyms. Check out her post and the conversation here.
For more of my past posts, check out:
And of course, subscribe to my weekly newsletter, and follow/subscribe to my profile to not miss anything during the week!