Four Key Questions Every CISO Should Ask Their Board


Manage episode 285318274 series 2643387
By Steve Moore, Exabeam and Steve Moore. Discovered by Player FM and our community — copyright is owned by the publisher, not Player FM, and audio is streamed directly from their servers. Hit the Subscribe button to track updates in Player FM, or paste the feed URL into other podcast apps.

Dr. Eric Cole of Secure Anchor joins us in this episode to talk about the misconceptions of what a CISO should really be. This episode focuses on the corporate side of cyber security and the line between a CISO and a security engineer.BACKGROUND Dr. Cole has over 30 years of cyber security experience. Before that, he was a hacker for eight years for the CIA. After spending almost an entire decade hacking into systems, he decided to switch from offense to defense, which he describes as being more challenging.

MISCONCEPTIONS ON THE CISOBeing a CISO is not a technical role. The CISO is a strategic position that focuses on the strategy of execution. They focus on the growth of the business while understanding finance, revenue and how they can incorporate cyber security into that equation. Anyone in a technical mindset should not be a CISO – CISOs need to communicate and task their teams instead of running head-first into the data center. Anyone that enjoys doing the latter should consider switching to a security engineer.

FINDING THE RIGHT FITUnsure if you selected the right CISO? They need to be comfortable in conservations revolving business decisions. The answers to “What business are we in? How does our organization make money?” should be as seamless as answering their name or where they’re from.

ADVICE FOR A NEW CISODr. Cole reveals the secret to briefing a board: keep it short and simple. The only thing board executives care about is the potential for risk and what it will cost to fix that risk if it occurs. Going into this with a data, tech-focused perspective will not allow for a thorough understanding of the situation between the CISO and other executives. In another light, putting out little fires as a CISO is not going to scale well. A CISO entering the company should look at the processes in place within the organization and see how they can get security injected into it. Instead of managing the symptoms, get to the root of the diagnosis.

THE NEW CISOWhen asked that the new CISO means to Dr. Cole, he emphasizes a business executive that is entrusted with helping the organization grow and be successful through cyber security. This CISO would use their focus on cybersecurity as a business enabler instead of viewing themselves as a technical resource.

LINKSExabeamDr. Eric Cole - TwitterDr. Eric Cole - YouTubeDr. Eric Cole – Books on Amazon

63 episodes