CISO Melbourne Summary (Day 1): Boost the wind in your business’ sails, with your cybersecurity strategy

CISO Melbourne held on July 16/17 2024, was a chance to focus on how cybersecurity leaders can help position cybersecurity at the core of their business’ strategy.

In my opening address as Day 1 Chair, I shared that leaders who can position cybersecurity as both a protective force AND a competitive differentiator will set up their businesses for lasting success. EY research has referred to these types of cybersecurity leaders as ‘secure creators’ and according to EY, less than half of cybersecurity leaders fall into this category today.

The speakers on day 1 provided us with an opportunity to hone both our ‘protective force’ skills and learn how to expand our ‘secure creator’ skills, to help ensure cybersecurity is a competitive differentiator for the businesses in which we work, ensuring we effectively help to ‘boost’ the business with our cybersecurity strategy.

Keynote opening speaker Nigel Hedges talked about the Sailboat exercise, a brainstorming technique he has used with his teams to help review progress towards a vision, identify risks, understand what slows them down, and what contributes to them achieving their objectives.

In this article we will use the analogy of the sailboat to look at 4 recommended areas of action from our Day 1 CISO Melbourne speakers.

Fig 1: Example brainstorm of a cybersecurity strategy that protects AND boosts the business.

If the sailboat is our business, and our vision as cybersecurity leaders is to ensure cybersecurity is both a protective force AND a competitive differentiator for our business, then CISO Melbourne provided 4 recommended areas of action for cybersecurity leaders to consider:

1: Get to know your fellow crew members and how to motivate them (the importance of people)

2: Continue to protect the sailboat AND the fleet (strengthen the 'protective force')

3: Ensure the anchor is not dragging the business down (remove friction for our business)

4: Find ways to boost the wind in our businesses’ sails (security as a competitive strength)


1: Get to know your fellow crew members and how to motivate them

It is likely that as a cybersecurity leader, you and your team will be on a long voyage together with other people in your business that lasts many years. If you are to be on this sailboat together, then walking the deck regularly, getting to know all of your fellow crew, understanding what language they speak and what information they need to be successful (so that you can help them help you), is critical to a cybersecurity leader's success.

Some recommended actions from our speakers to help cybersecurity leaders achieve this:

  • Remember that cybersecurity is part of ‘The Business’ – we are not separate things.
  • Remember the famous quote: "Seek to understand before you seek to be understood".
  • Get to know your regulators and board pro-actively
  • Aim to be the cybersecurity translator and the tour guide (for everyone on board)
  • Consider building a brand for the cybersecurity team (Team logos can help)
  • Communicate the why/what/where/how (Using our sailboat analogy, this means providing life jackets, explaining how they help, showing people where they are and more importantly explaining how to use them e.g. behaviour-based asks)
  • Reward people when they demonstrate the behaviours you want (via recognition and praise, incentives and prizes, certificates and badges)
  • Use a range of communication channels to reach people and ensure content is relatable (role based, risk based, in the moment and beyond the workplace)
  • Provide people with timely and good data to help them make informed decisions – good data also helps with accountability
  • Always be open to feedback – consider a virtual or physical anonymous suggestions box

Insights drawn from speaker sessions by Nigel Hedges, John Ellis, Andrew Morgan and Anne Jayasooriya, and from the panels “Compliance Burden – how much is too much” (moderated by Toby Amodia with Varun Acharaya, Roshan Duluwakgoda, Grant Lockwood and Sandeep Taileng) and “Educate, Educate, Educate – simple steps to improve accountability across the business” (moderated by Vriti Magee with John O’Driscoll, Vijay Krishnan, Joanne Lu, Fiona Collie, Raheem Sar and Ryan Nera).

2: Continue to protect the sailboat AND the fleet

In the ocean of the internet in which our businesses operate, it is critical for cybersecurity leaders to continue with the work they are arguably most familiar with – protecting the sailboat from existing and new threats and strengthening their extended fleet of 3rd and 4th parties. As the saying made famous by John F Kennedy goes, “a rising tide lifts all boats”.

Some recommended actions from our speakers to help cybersecurity leaders achieve this:

  • Ensure you are including your enterprise identity systems – the #1 target for attackers (involved in 90% of cyber attacks today) – by considering tools that can help you to protect them and quickly recover if the worst happens. Also ensure you consider misconfigurations as well as vulnerabilities (keep the pirates out)
  • Closely guard your secrets – technology exists that can help you to discover, monitor and manage them.
  • SaaS providers are a big part of our ecosystem and the responsibility for security is often a shared one – follow best practices to effectively secure and monitor SaaS. There are tools that can help with SaaS posture management, monitoring SaaS-to-SaaS integrations and delivering effective threat detection and response.

Insights drawn from speaker sessions by Sean Deuby, Jamie Wright, Andrew Simbaqueda and Wayne O’Young.

3: Ensure the anchor is not dragging

As cybersecurity moves away from being the department of ‘no’ that we have been viewed as in the past, it is critical to constantly remove friction for those we are sailing with.

Some recommended actions from our speakers to help cybersecurity leaders achieve this:

  • Think about how you can help the business to be more autonomous (consider how you can use automation more)
  • Always link people back to actual risks and help them to prioritise – there are so many vulnerabilities in every backlog that it is hard to see through the noise
  • Don’t just share a long list of what is wrong – empower teams with information and knowledge that helps them to own and resolve it
  • The removal of friction can help create value for employees wherever they are – consider, for example, a long-term strategy that takes you towards a passwordless future

Insights drawn from speaker sessions by Lawrence Crowther, Sean Deuby and Ashely Diffey.

4: Find ways to boost the wind in your sails

In this fast-moving world of constantly evolving technology, increased regulations and increased cybercrime, it is not enough for cybersecurity leaders to focus only on the protective elements of cybersecurity.

To truly become a ‘secure creator’, cybersecurity leaders need to find ways to ‘boost’ the wind in the sails of the business, delivering competitive advantage.

Some recommended actions from our speakers to help cybersecurity leaders achieve this:

  • Understand how the organisation creates value and who is interested in it. Apple and Netflix are case-study examples of a brand associated with security & privacy
  • While compliance does not equal security, you can use it as a lever for growth by emphasising the value of it.
  • Cyber can take a leadership role in helping the business plan for new regulation by brokering collaboration with legal, sales, cyber, privacy and other teams to proactively get ready for what customers might ask for or need, such as reduced security incident notification times.
  • Find ways to shift cybersecurity from a cost centre to a business enabler, for example:

  1. Deliver trust and assurance to customers through demonstrable security beyond compliance, e.g. customer trust portals and/or security and compliance packs (security certificates, pen test results, attestations, audit reports, completed controls questionnaires, security policies, insurance certificates for currency, IT/DR/IR test results and plans, security overviews)
  2. Support the growth engine, e.g. provide security updates in marketing materials, be part of the bid team responding to RFPs/RFQs.
  3. Consider proactive customer outreach, e.g. annual customer security roadshows, communicating proactively with customers on significant changes to platform or service delivery

Insights drawn from speaker sessions by John Ellis, Bo Falk and Charles Gilman, and from the panel “Compliance Burden – how much is too much” (moderated by Toby Amodia with Varun Acharaya, Roshan Duluwakgoda, Grant Lockwood and Sandeep Taileng).

Sincere thanks and kudos to all the speakers from Day 1 of CISO Melbourne (Main Stage and Business Enablement track) for inspiring this article – we are stronger as a community thanks to the knowledge you generously shared.

Nigel Hedges

CISO (FAISA MAICD MBA M.Cybersecurity CISM CISSP CRISC CISA CGEIT)

3 months

Love this

Vannessa V.

AI & Cyber Risk Leader | CSO30 | Australian Security Lead Avanade - Accenture Microsoft Company | Women in Security Award Winner 2024 | Speaker | Non-Executive Director | Security Risk Officer LLB MBA PGDipPsy CISM CIPM

3 months

This is great. I particularly like the line "Cybersecurity is a protective force and competitive differentiator". Love the sailboat brainstorm. Some great thinking here.
