Vol. 1, Issue 3, CISO XC 2023 - CISO Spotlight
This month, we're hosting our annual executive conference—a convergence of leading security minds. Join us on September 21st at the Renaissance Dallas at Plano Legacy West. This event is tailored for CISOs, Directors, and Senior Managers, offering a day of pragmatic discussions, insightful podcasts, and effective networking. It's all about idea sharing and community building. Secure your spot now—registration is still open. Find the registration link in the Upcoming Events section of the newsletter.
Upcoming Events
September 14th
September 21st
March 2024
Job Board
If you have a job opening you would like us to post, send the link to Erin Pineda or Brandon Nichols to have it included next month.
Featured Article and Spotlight
This month we have an article written by George Finney, CISO XC Advisor, Bestselling Author, CSO at SMU, and CEO and Founder of Well Aware Security. Make sure to check him out and let him know what you think of his article!
How To Win Friends and Influence People To Be More Cybersecure
At the beginning of George Johnson’s career as a safety inspector, he would tell people about the rules and regulations requiring them to wear hard hats. They would put their hard hats on when they saw him, and then promptly take them off after he left.
Later on in his career, he would go to the worksites and ask if the workers thought the hard hats were comfortable and checked if they fit properly. He would then remind them in a polite tone that the hats were required to protect them and suggested they wear them at all times. He found that this approach was far more effective.
This makes so much sense. People weren’t wearing hard hats because they were uncomfortable. Johnson began to have empathy for his team and he dived deeper into why they were doing what they were doing. He focused on the WHY rather than throwing around his own authority and bossing people around.
This story was so important, it was one of the very first ones that Dale Carnegie chose to begin the book he’s known all over the world for: How to Win Friends and Influence People. By criticizing we shut people down and stop them from listening.
What is our unofficial motto in cybersecurity? “People are the weakest link.”
Every successful CEO will tell you that their most important asset is their people. What would our CEOs tell us if we told them… “actually no, people aren’t our most important asset, they’re our weakest link?” Would we finally get a seat at the table? I don’t think so.
I think that people are the only link in cybersecurity. I’ve read How to Win Friends and Influence People more than 10 times. I need to reread it every year as a refresher because it’s so hard to live and work in that mindset. Cybersecurity is a challenging career: I get stressed out with pressure, overwhelmed with deadlines, and just keeping up is a challenge. So when someone else makes a mistake that causes an incident, the easiest thing to do is to blame them.
It's the easiest thing to do, but we know it’s not the most effective thing to do in cybersecurity. It doesn’t build or repair relationships. It doesn’t help prevent the next incident from happening. How would we go about making this shift in mindset that Carnegie shows us? What would it look like for us to do what Johnson did and ask if the hard hats are comfortable?
A few months ago, one of my users was the target of a phishing campaign and she clicked. After we began investigating, I reached out to her to talk about what had happened. The website that she had been directed to had already been taken down so we were curious to know what her experience was and what techniques the cybercriminal had used so we could prevent it in the future.
I’m very sure that the CISO was the last person she wanted to talk to at that point. When we talked on the phone she was incredibly embarrassed. I could tell that she was working hard to be helpful, but the stress of the situation was overwhelming her to the point that she was shutting down. So I stopped and just let her tell me her story.
I learned a lot of things at that point about how cybersecurity wasn’t comfortable. She wasn’t using the “remember me” function for two-factor authentication because that’s how she thought security was supposed to work. And she was under a huge deadline at the time, so she was working hard to log back in and do MFA again every few minutes.
We had thought perhaps at first she was a victim of an MFA fatigue attack. Instead we just hadn’t trained our community that cybersecurity doesn’t need to be a burden. Like George Johnson, I think we can be more effective in our jobs by focusing on the “why” for our users. We’ll win friends and influence people to be more cybersecure along the way.
Transformational, Business Focused Technology and Cybersecurity Leadership. CISM, CISSP, CCSP
1 year ago: Can't Wait!!
VP|SD|Sales Executive, Driving Strong Revenue Growth for Technology Companies Globally through Strategic Partnerships and High Performing Teams
1 year ago: Looks like a great event!