[07-11-24]--Join us tomorrow for “Hacking the Materiality of a Data Breach”

Super Cyber Fridays!
Join us Friday, July 12, 2024, for “Hacking the Materiality of a Data Breach: An hour of critical thinking about when a breach is material or not.”

It all begins at 1 PM ET/10 AM PT on Friday, July 12, 2024, with guests Jason Clark, Chief Strategy Officer, Cyera, and Dustin Wilcox, VP and CISO, Elevance Health. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Cyera

Defense in Depth
Telling Stories with Security Metrics

We know that storytelling is a key to communicating risk to the business. How do we integrate metrics to help us tell those stories?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Shirley Salzman, CEO and co-founder, SeeMetrics.

Finding the purpose in metrics

Metrics don’t have value in and of themselves. You need to understand why you’re collecting them in the first place before you use them in a narrative. "I look at our most critical business processes and how we are focusing on those. Then I look at what systems are supporting them. From there I look at how we are securing all of the aspects of these systems that are supporting the critical business processes," said Andrew Wilder, CISO at Community Veterinary Partners. Once you understand why you’re collecting metrics, you can use them as a tool to connect to the business. As Damian Leger of Acadiana Security Plus distilled it, "You need to tie cyber risks directly to business risks using compelling business language that the board easily understands, preferably in dollars and cents, risks and liabilities, and most importantly, profits. We cyber folk are in the business of business enablement."

Using metrics to answer business questions

Questions about ransomware readiness may seem reductionist coming from the business, but you still need an answer that doesn’t immediately become technical jargon. "You can answer the specific question by conducting a 3rd-party ‘ransomware readiness assessment’ and sharing the results. From that assessment, you can analyze and prioritize findings for action," said Jorge Lopez of Zoom. As an industry, we’re still working out how to work this story structure into our automation efforts. Jared Pfost at Kalles Group outlined the challenge, saying, "The challenge I see is ‘how’ to build an automated, story-driven dashboard measuring control effectiveness organized by different threat scenarios. Integrating and visualizing multiple control sources is expensive. Investing in measurement should be an explicit part of the strategy."

Speaking to your audience

CISOs need to tailor their message to the targeted executive. Think about what your audience cares about. If your metrics help solve their problems, you’ll get more buy-in and build trust. "Providing effective proof points isn't just about knowing the statistics: it's also about choosing which metrics are most valuable for your audience and presenting them in a way that is most helpful for that audience," said Neda Pitt, CISO at Belk.

Communication is a two-way street

While you’re focusing on telling a story with security metrics, remember that you’re not the only party communicating. "When the board asks ‘what are you doing to protect from a particular threat’ they are trying to determine if you understand the business, have done a risk analysis of the threats and criticality of systems, then taken steps to mitigate those threats," said John Scrimsher, CISO of Kontoor Brands. As Patrick Lee of Safe Security points out, this two-way communication starts a virtuous cycle of dealing with risk. "It starts with risk tolerance and acceptance - how much is the business willing to accept? How much loss/cost are they okay with if the inevitable does happen? They want to know if you can give them confidence that their investments are cared for."

Thanks to our unwitting contributor, Michael Calderin, CISO at YAGEO Group.

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Thanks to our podcast sponsor, SeeMetrics

Subscribe
Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Andrew Cannata, CISO, Primo Water.

Thanks to our Cyber Security Headlines sponsor, Entro

Getting Visibility into Your Cyber Horizon

New AI tools can be a boon for defenders, but they're also leading to increased phishing, smarter threat actors, and advanced reconnaissance tactics. Paul Reid, global head of threat intelligence at OpenText, describes how OpenText's PsyDNA product offers real-time insights into active attacks and reconnaissance, helping companies understand and protect their expanded digital footprint. CISOs need new tooling to stay ahead in the ever-changing cyber threat environment.

Huge thanks to our sponsor, OpenText

Cyber chatter from around the web...
Jump in on these conversations

"What job boards do you guys use to find jobs?" (More here)

"Full Kaspersky Ban Possible in USA" (More here)

"Why are startup security products better than those from security pioneers?" (More here)

Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:

  • [07-12-24] Hacking the Materiality of a Data Breach

  • [07-19-24] Hacking SOC Automation

Save your spot and register for them all now!

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.