Join us tomorrow for “Hacking Platformization”

Super Cyber Fridays!
Join us TOMORROW, Friday [01-24-25], for "Hacking Platformization"

Hacking Platformization

Join us Friday, January 24, 2025, for “Hacking Platformization: An hour of critical thinking of how stitching together data, tools, and processes is necessary for the success of your security program.”

It all begins at 1 PM ET/10 AM PT on Friday, January 24, 2025, with guests Elad Koren, vice president, product management, Palo Alto Networks, and Yabing Wang, vp, CISO and CIO, Justworks. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Palo Alto Networks

Defense in Depth
If and When Should a CISO Have a Long Term Security Plan?

How does a CISO approach strategy as they become more comfortable in their role? Is a long-term strategy even possible for a new CISO?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by David Spark, the producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining them is Gaurav Kapil, CISO, Bread Financial.

It helps to have a vision

Having a long-term security plan requires balancing immediate needs with a dynamic vision. "You need 3-6 months to understand the business and how it operates if you're coming in fresh," said Michael Collins of Cyber Cognition. "Within the first year, I'd be aiming for a three-year 'vision' of where you want to be, with a rolling annual plan.” A six-month horizon might be actionable, but Jay Wilson, CISO at Insurity, also sees value in longer-term planning. "It’s a living vision, not static, but providing that to your peers and team members can inspire and also help other teams outside of security aspire to meet with you for many months/quarters to help the company reach the tenets of that vision."

The benefit of planning

Any long-term security strategy requires flexibility and adaptability in an ever-changing landscape; a fixed-target plan is doomed to failure over the course of years. "I doubt that any current strategy can be relevant in a three-year perspective—internal and external factors like COVID, wars, quantum cryptography, and AI advancements make it impossible," said Vsevolod Shabad of BT Group. “Use a dynamic portfolio of risk-driven security initiatives instead of a solid multi-year security strategy, continuously adapting this portfolio to the current landscape." Greg Notch, CISO at Expel, thinks planning is more valuable than any specific output. "Plans are basically wrong as soon as they’re written, age like milk, and have error bars that increase exponentially on the time axis. I am, however, firmly in the Eisenhower camp of 'plans are useless, but planning is indispensable.’”

It’s never too early to start

Exercise clear communication and patience to establish a strong foundation for strategy. "It is important to have that conversation early to set expectations with the CEO or CIO. They may expect to have something multi-year because their last CISO did it that way. So during the hiring process, breaking this down and setting proper expectations that it will grow and mold the longer you are with the company stops them from feeling like you are just going with no long-term strategy," said Chase Sutphin of Fortinet. This doesn’t happen overnight. Donnie Hasseltine of Second Front Systems emphasized that this process always requires effort: "It takes time to set the foundation and establish the culture, and every time you dig into an issue, you discover more that needs to be done, which can be overwhelming."

Don’t make rash decisions

Creating a multi-year cybersecurity strategy will always seem daunting. Summing up our conversation, Ohad Horenstein of Kovrr said, "It's essential to take the time to gather the necessary information and insights before making long-term decisions.” While long-term planning can seem like a luxury when you’re new to a role, at some point you’ll need to do that legwork. Just make sure everyone knows you’ll need to do it before you make any long-term decisions.

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Thanks to our podcast sponsor, ThreatLocker

Subscribe
Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Shaun Marion, vp, CSO, Xcel Energy.

Thanks to our Cyber Security Headlines sponsor, Vanta

Cyber chatter from around the web...
Jump in on these conversations

  • "What Are the Most Effective Strategies for Managing Third-Party Risks in 2024?"

  • "Red team vs Blue team which do you prefer?"

  • "The problematic perception of the cybersecurity job market."

Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:

  • [01-24-25] Hacking Platformization

  • [01-31-25] Hacking the Third-Party Risk Management Process

  • [02-07-25] Hacking Security Effectiveness

Save your spot and register for them all now!

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.