[04-20-23] How to Always Make a Business Case for Security


CISO Series

Defense in Depth

How to Always Make a Business Case for Security


How can security leaders go about matching a business case to every security action they want to take? Is this the right way to sell security to the board?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Sravish Sridhar, founder and CEO, TrustCloud. Here’s what we discussed on the show.

Why is it so critical to find a business case for security? Security products are not for the security department. A security professional can love your product, but fail to ever purchase it because they can’t make a business case for it. Steve Zalewski, while CISO at Levi Strauss, would often say, “How does your product help me sell more jeans?” Robert Vitelli of AArete countered with “My job is not to help you sell more jeans, it is to ensure that you continue to sell jeans. Selling jeans is the marketing and sales departments.”

Take advantage of quantifiable requirements. If your business must meet certain thresholds, “don’t overlook quantifiable items given to you,” said Grant Yost of VillageMD. “For example, does your cyber liability policy require an investment to implement a control? Perhaps that premium reduction, or the ability to be insured at all, is the number you need. Are you in a regulated industry and required to maintain risk assessments and corrective action plans?”

Start with the common ways security aligns to the business. Security can reduce risk of incidents, facilitate compliance, and improve customer trust, noted Christian Hyatt of risk3sixty. Jonny Tyers of Jonny Tyers Limited said for any security initiative you should be able to positively answer any of these questions: “Can it affect our revenue?” “Can it affect our compliance/regulatory/legal standing?” “Does it affect delivery of our services?”

Walk a mile in your CFO’s shoes. In his journey to become a CISO, Daniel Luechtefeld of AlgoSec chose a CFO to be his mentor. “I have learned the hard way that not only must infosec investments be tied to financial KPIs, they must be tied to the specific KPIs that the CFO weighs most heavily. They must meet the CFO’s mental frame. Any other approach leads to a slashed budget and loss of infosec staff,” said Luechtefeld. For less confrontational engagements with your CFO, “achieve fluency in your organization’s key financial reporting and learn how to tie controls there wherever possible,” advised Jim Rutt, CISO of The Dana Foundation.

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Thanks to our podcast sponsor, TrustCloud


Super Cyber Fridays!

Join us Friday [05-12-23], for "Hacking Security Culture"


Join us Friday, May 12, 2023, for “Hacking Security Culture: An hour of critical discussion on motivating the entire organization to always be thinking conscientiously about security.”

It all begins at 1 PM ET/10 AM PT on Friday, May 12, 2023 with guests Austin Wolf, staff information security analyst, Code42 and a special guest (that means we’re still in booking mode). We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Code42


LIVE! Cyber Security Headlines - Week in Review

Make sure to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Shawn Bowen, CISO, World Fuel Services.

Thanks to our Cyber Security Headlines sponsor, Pentera


Cyber chatter from around the web...

Jump in on these conversations:

  • "Is a degree necessary for the highest-level roles in infosec?"

  • "How Safe Are Those in the U.S. from Foreign Hackers"

  • "'High risk users' how do you drive the point home?"

Coming Up On Super Cyber Friday...

Coming up in the weeks ahead on Super Cyber Friday we have:

  • [05-12-23] Hacking Security Culture

  • [05-19-23] Hacking the Software Supply Chain

  • [06-02-23] Hacking the Future of Risk Management

Register for them all now!

Thank you!

Thank you for supporting CISO Series and all our programming.

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.