Join us tomorrow for “Hacking Non-Traditional Cyber Risk”

CISO Series

Defense in Depth

How Should We Discuss Cyber With the C-Suite?

How detailed do we get in our conversation with business leaders? Do we dumb it down? Or is that a recipe for trouble?

Here's our last Defense in Depth for 2022! Please listen to me and my co-host Geoff Belknap, CISO, LinkedIn, and our guest Lee Parrish, CISO, Newell Brands, discuss what's the right way to approach cyber with the C-suite. Here were some of our key points in discussion. Please provide your insight.

Understandings, not details, so decisions can be made. “The executive team expects the CISO/security leadership to understand the details and apply that understanding to solve the business problem at hand," said Jonathan Waldrop of Insight Global. “If you cannot communicate the technical strategy decisions that you need from your executive leaders in simple terms that relate to those business decisions that they need to make, you need to work on that,” said Geoff Belknap. “It is not the other way around.”

The C-suite should not and will not become cybersecurity experts. "Many executive decision makers are not technical and the cost to transfer that knowledge becomes too great,” said Paul Weizer of USSOCOM. “Trust in your workforce with periodic status updates will go further than making everyone in the C-suite a software engineer or data scientist." The discussion with the C-suite should be periodic and sequential, with each conversation building on the one before it like chapters in a book, said Lee Parrish. Keep in mind, said Belknap, “You are the security part of the business team.”

Simplicity is not the goal. Clarity and concise communications are the objectives. "The idea that the person who needs it explained to them simply should be making the investment decisions about it is insane. 'Clearly' - Yes. 'Concisely' - Absolutely. 'Simply' - is for students,” said Bull Holland of BMNT. What’s simple is how you break up complex concepts, like ransomware. You don’t ask the board if they want protection against ransomware, noted Belknap. Instead, you first have detailed conversations with the teams as to how you tackle ransomware, then explain to the board what mitigations you do have in place and what can be done in addition to reduce exposure and possible damage from a potential attack.

The C-suite must have some base level of technical understanding. Christine Kleiber of US Dept. of Defense said, "We cannot make data driven decisions if we don't have digital fluency. We cannot outsource our technological competence." This may seem somewhat contrary to Geoff’s previous comment, but there is a minimum level we have to expect. Geoff remembers the days when executives wanted all their emails printed out.

Listen to the full episode here over on our blog, where you can read the entire transcript. And if you’re not already a regular subscriber to Defense in Depth, please go ahead and subscribe now. This is our last episode of Defense in Depth for 2022. We’ll be back the first week of January 2023 with a new episode. Until then, Happy New Year!

Thanks to our podcast sponsor, Qualys

Super Cyber Fridays!

Join us TOMORROW, Friday [12-16-22], for "Hacking Non-Traditional Cyber Risk" - LAST SHOW of 2022

Join us next week on Friday, December 16, 2022, for “Hacking Non-Traditional Cyber Risk: An hour of critical thinking about how your third parties’ risks affect your business.”

It all begins at 1 PM ET/10 AM PT on Friday, December 16, 2022 with guests Jonathan Ehret, vp, strategy and risk, RiskRecon, A Mastercard Company, and Steve Zalewski, co-host, Defense in Depth. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup. Register

Thanks to our Super Cyber Friday sponsor, Mastercard

LIVE! Cyber Security Headlines - Week in Review

Make sure you register to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Jeremy Embalabala, CISO, HUB International.

You can participate live in the conversation by registering on YouTube or subscribe to the daily newsletter.

Thanks to this week's headlines sponsor, Fortra

Cyber chatter from around the web...

Jump in on these conversations:

  • "Gov. Hogan orders TikTok ban for Maryland state employees because of cybersecurity risk"

  • "ChatGPT shows promise of using AI to write Malware"

  • "Settling a debate which a skeptic said multi monitors is not the normal for infosec work spaces."

Super Cyber Friday...

Coming up in the weeks ahead we have:

  • [12-16-22] Hacking Non-Traditional Cyber Risk

  • [01-20-23] Hacking Automated Security

  • [02-03-23] Hacking People and Process

  • [02-10-23] Hacking Your Security Program

and register for them all now!

Thank you!

Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.