[03-07-24]--Join us tomorrow for “Hacking Breach Response”
Super Cyber Fridays!
Join us TOMORROW, Friday [03-08-24], for "Hacking Breach Response"
Join us Friday March 8, 2024, for “Hacking Breach Response: An hour of critical thinking about recovery, containment, and remediation after a data loss event.”
It all begins at 1 PM ET/10 AM PT on Friday March 8, 2024 with guests Matt Radolec, VP, incident response and cloud operations, Varonis, and Charles Garzoni, deputy CISO and staff VP of cyber defense operations, Centene Corporation. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, Varonis
Defense in Depth
Why are CISOs Excluded from Executive Leadership?
Every company claims they take cybersecurity "very seriously." If that's the case why do we see a dearth of CISOs listed in executive leadership? Is this just a factor of company reporting structure, or do CISOs really not have a seat at the table with the business?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap, CISO, LinkedIn. Joining us is our guest, Ben Sapiro, head of global cyber security services, Manulife.
Do executives not want to hear the message?
Understanding why CISOs get excluded from leadership starts by understanding the dynamics of an organization’s leadership. A CISO’s primary concern often doesn’t speak to what stands out with the rest of the C-suite. "Most executives are rewarded for being risk-takers, and the CISO predominantly is there to 'manage risk' and facilitate the appropriate amount of risk vs reward. Many executives don't want to hear that message," said Todd Fitzgerald of the Cybersecurity Collaborative. Often the reporting structure of companies further contextualizes the CISO role as outside of leadership, with Sean Kalinich of Richey May noting, "A large number of CISOs report to the CFO which shows the position tied to an expense and not a serious part of doing business."
CISOs increasingly carry liability
It has never seemed more perilous to be a CISO, with regulatory scrutiny intensifying during a cybersecurity incident. "Considering the federal government is seeking jail time for CISOs, it doesn’t exactly make a lot of people want to volunteer to be in the crosshairs. Financial liability with indemnity is one thing, but criminal liability is entirely another," said Thomas Struan at Celsior Technologies. This liability has knock-on effects for the rest of the C-suite, with Niels E. Anqvist of zafehouze.com relating his experience, "When I visited a large public organization, we discussed cyber security, breaches, and trends. Two C-level execs left the meeting room saying they needed to report to the market if they knew anything about vulnerabilities and breaches.” They chose not to know, to shield themselves from the liability of having known.
Communicating cybersecurity risk to the rest of the business
For public companies, placing a priority on lowering cybersecurity risk often isn’t validated by market performance. "Most companies view the risk to stock value to be low, regardless of cyber risk. The historically low shareholder consequences of corporate breaches inform this decision," said Paul Neslusan of Oracle. Some companies only prioritize cybersecurity as a matter of optics. "Breached companies prioritize privacy and security only after they’ve been breached, and only do so for regulatory and marketing purposes," said Thomas O'Malley of DropVault.
Organizations need business motivation to address this issue
Pressure from critical third-parties could provide the business motivation to improve the situation. "Insurance underwriters should consider cybersecurity experience in leadership when deciding whether to offer cyber insurance," suggested Barry Rabkin of Near Earth Autonomy.
Vikram Venkatasubramanian of Nandi Security proposed tying this to a selling point for third parties, saying, "It would be good to have data that showed correlation between security expertise at the C-level and lowered cyber risk in doing business with that company - just to protect the small guys who do want to take action."
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Thanks to our podcast sponsor, Query
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be David Cross, SVP/CISO, Oracle.
Thanks to our Cyber Security Headlines sponsor, Conveyor
Cyber chatter from around the web...
Jump in on these conversations
"What OS do you see most in your workplace?"
"Is the MITRE ATT&CK really that influential?"
"Potential Burnout?"
Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:
[03-08-24] Hacking Breach Response
[03-15-24] Hacking Security-Driven Sales
[03-22-24] Hacking Effective Third-Party Risk Management
[03-29-24] Hacking Detection and Response
Save your spot and register for them all now!
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.