Download your copy of our insight paper

Laws and regulations governing privacy and the protection of data, particularly sensitive personal data, continue to proliferate across the globe. But why should CISOs care about data privacy, and how should they manage regulatory transitions to ensure their information security program stands up to data privacy protection laws? To get ‘real’ insight into this topic, we hosted a virtual roundtable where we invited a small group of top CISOs, operating in highly regulated industry sectors in the US, to share their lived experiences. Our guest speaker Robert Ball, Chief Business Development Officer & General Counsel from Ionic, also shared insight into why the domain of the CISO has expanded in light of emerging data privacy and protection laws. Download our insight paper for the key takeaways from the event and to discover 10 technology tips for CISOs to effectively manage data privacy.
29 Oct 2020
Convincing decision makers to invest in Cyber Security

According to Senior Technology Leader Dan Crisp, there are several strategies which can be used to get past organisational resistance and convince decision makers to invest in Information and Cyber Security. Read his guest blog below to learn more...

Dan Crisp, Senior Technology Leader

About Dan Crisp

Dan Crisp is the founder of Digital risk Insight, a technology risk strategic advisory consultancy. He began his career as a technology merger & acquisitions analyst at Citi. Subsequently, he led the technology risk, cyber risk, and Basel programs for JP Morgan Chase in the US. Dan went on to serve as Chief Operations Officer for Barclays Global Information Security in London. Dan also served as the CISO and Chief Technology Risk Officer for BNY Mellon, with technology risk, cybersecurity and data privacy oversight responsibility at BNY Mellon Corporation and its affiliates and subsidiaries. While there, he led the innovation, development and deployment of a global technology risk regulatory controls and analytics system for technology and privacy risk.

Many decision makers overestimate their company's cybersecurity defenses – ‘no news is good news’ – and they may not be enthusiastic about allocating more budget to protect themselves. One of the biggest barriers experts in my line of work find is convincing executives that doing nothing allows cybercriminals to gain advantage and is potentially putting the company at peril. I believe that there are several strategies which can be used to get past organisational resistance and convince decision makers to invest in Information and Cyber Security:

1. Reframe success metrics - what worked before is no longer effective

It is an arms race: what used to work doesn’t work six to twelve months later. You’ve constantly got to be thinking about upping your game, and getting that across to non-technical people is essential.

For want of a better analogy – executives need to understand that they can’t simply buy the car and then continue to drive it for a decade, without servicing it, just because they don’t want to spend further money or buy a new one.

Use problem statements to help push back on the status quo and facilitate conversations as to why what you’ve always done is no longer good enough. Here is an example:

“Our information security management system requires reassessment and transformation to ensure continued effective protection for our clients and the company.”

2. Benchmark with peers to challenge assumptions about the adequacy of cybersecurity investments

For example, when the Travelex breach occurred in London, other currency exchange companies wanted to make sure it didn’t happen to them. There were questions like – what was Travelex’s Cyber Security footprint? What was their approach to risk management? How did it compare to their own company and, therefore, how likely was this to happen to them?

3. Follow the organisational expectations

- Use provided expected financial templates
- Work with finance in advance to ensure your budget can withstand challenge
- Use storytelling to illustrate the risk

Although it’s important that you have done your homework, laid out a clear budget and you speak the language of finance – you want your conversations to be risk-based, not dollars-and-cents-based.

4. Refine your presentation approach

- Keep the focus on the risk to the organisation (operational, reputational, regulatory, litigation, etc.)
- Present in non-technical language
- Use storytelling to illustrate the risk
- Create a sense of urgency. Inaction is dangerous.
- Leave a strong document trail leading to the person(s) who grant budget
- Always provide a follow-up email regardless of the meeting outcome

You want to leave a strong document trail, and I call that the smoking gun, where it’s been explained in layperson’s terms and is abundantly clear to the budget granter – this is what’s at stake...

5. Use the three-slide technique

- Problem statement
- Risk storytelling
- Solution with costing

The discovery of the three-slide technique is a defining moment in my career. When I was working for a bank, we had a Big 4 consultancy firm provide us with a 40-slide presentation deck, which we spent quite a bit of money on. We were to use these slides to present our justifications to the board for asking for exponentially more money. The CISO I worked with at the time said she didn’t want to use them. She only wanted three slides. One explaining what the problem was. The second was to be the scary slide – explaining what would happen if they didn’t address the problem. The third was the solution and cost. It was so powerful and effective that we got the funding we asked for. I have gone back and used this technique, incrementally, for projects and programme fund raising with great success.

6. Use narratives to illustrate the risk of inaction

I have found the use of narratives incredibly powerful. We used to call those the scary slides, i.e. here’s an example of something that has happened recently and here’s why it might happen to you.

- News headlines cause decision makers to take action — even if it's short lived
- Storytelling activates sensory centers in the brain that make people relate to the story on a personal level — it places them inside of the story
- Storytelling is extremely powerful when it comes to marketing and other forms of communication
- Use storytelling to demonstrate the risk, create a sense of urgency and leave them with the impression that you have laid this at their feet, with all of the risks and consequences outlined, and now the decision is in their hands.

You almost want to worm into a person’s thinking so that they wake up in the middle of the night thinking about what you’ve laid at their feet. You want them thinking - what if we have a cyber-attack and I’m the budget granter who said no?

That said, it’s important to use storytelling to convey the drama for you: you want to portray yourself as the calm and collected person who has the plan. A helpful trick for me with storytelling is to make them as scared as you are and no more. If you’re stretching your own fear, it's going to be transparent.

Remember... you are competing for finite resources and budget. The best storytelling wins the day and the funding!

Download our insight paper

For more insights from top CISOs, download our recent insight paper. It features the key takeaways from our recent CISO virtual roundtable, where the challenges of setting best practice for secure remote working and obtaining budget were discussed.

Speak to a Cyber Security recruiting expert

If you need help finding and hiring exceptional Cyber Security professionals, or you are searching for your next opportunity, please get in touch to speak with a Cyber Security recruiting expert at Stanton House.
20 Oct 2020
Business leaders are discussing what increased remote working and reduced real estate costs mean for investment and budgets for their different business functions going forward, including, of course, Information and Cyber Security. So, now more than ever, CISOs need to ensure that they have a voice in these discussions and a seat at the board table.

Download our insight paper

Our recent insight paper features the key takeaways from our recent CISO virtual roundtable, where the challenges of setting best practice for secure remote working and obtaining budget were discussed. Our guest speaker and Senior Technology Leader, Dan Crisp, also shares the techniques he has found most valuable in convincing key stakeholders to invest in Information and Cyber Security.
26 Aug 2020