Biswajit Banerjee's Posts - CISO Platform


Our editorial team has curated the finest sessions from the CISO Platform Top 100 Awards & Annual Conference 2025—India’s first award ceremony that celebrates those making a meaningful impact in the world of security. 

The 16th annual conference was held at Clarks Exotica, Bengaluru, bringing together over 200 attendees for insightful keynotes, engaging panel discussions, and interactive round tables, alongside valuable networking opportunities. The CISO Platform Top 100 Awards is more than just a recognition—it reflects a commitment to advancing the cybersecurity industry and strengthening the broader ecosystem. Over the years, the community has developed and shared 500+ best practices and frameworks as part of this initiative, driving meaningful change in the industry.

 

Here's the master guide:

Panel Discussions:

1. Implementing DPDPA For CISOs

2. Evaluating AI Solutions: Understanding The "Real" vs "Hype"?

3. 2025 Top Security Goals For A CISO

4. AI For Bad vs Good: AI Use Cases For Offense and Defense

5. Top Trends In Cybersecurity In 2025

 

Keynotes:

(P.S. The following blogs and session videos are currently in preparation. We’ll share the links as soon as they’re ready.)

1. Future Of SIEM: AI Automation & Autonomous Cybersecurity

2. Orientation: The CISO Platform Community

3. Building A Resilient Digital India: Cybersecurity In The Age Of AI

4. AI As A Deputy CISO

5. Unveiling AI Powered Data Security Posture Management With DPDPA Compliance

6. Software Supply Chain Security

7. Demonstration Of AI & Automated Attack Trees For Offensive Security

 

Round Tables:

(P.S. The following blogs and session videos are currently in preparation. We’ll share the links as soon as they’re ready.)

1. Cloud Data Security Taxonomy For DPDPA

2. Simplifying Financial Regulatory Compliance Using Fortinet Security Fabric

3. Implementing SEBI's CART Guidelines: Strategies, Challenges, And Practical Compliance Solutions

4. Neutralize Attack Paths And Exposure: Adopting An Attacker's Perspective

 

Read more…

Imagine this. You’re standing in your kitchen, making toast. Suddenly, you hear a dripping sound. You glance at the sink and notice water pooling around the base. It’s not a flood—yet—but it could be. You investigate the source, tighten a loose pipe, and wipe up the water before it causes damage. Crisis averted.

That’s how modern cybersecurity should work. Small drips turn into big floods if no one’s paying attention. Attackers love these “drips” in your network. And with AI, they’ve learned how to find them faster, scale their attacks, and hit where it hurts the most. The key to defending your organization? Learn to think like an attacker and neutralize their paths before the damage is done.

Let’s explore how.

 

Attackers Are Smarter Now (Thanks to AI)

Attackers aren’t just relying on brute force anymore. They’ve got AI, automation, and endless time on their side. What does that mean for you?
It means you’re dealing with threats that are:

  • Scalable: Attackers can launch millions of phishing emails, personalized to each target. It’s like having an army that never sleeps.

  • Automated: Vulnerability scans happen in seconds. They’re mapping your attack surface while you’re still sipping your coffee.

  • Targeted: AI helps them craft the perfect bait, making phishing attempts look almost indistinguishable from real emails.

  • Exploit-Focused: They’re not just searching for any weakness—they’re hunting for high-impact vulnerabilities that open critical pathways.

When attackers are this fast and adaptable, you can’t afford to move slowly.

 

The Problem with Vulnerability Management Today

Let’s face it—vulnerability management feels like running on a treadmill. You patch one issue, and ten more pop up. Why? Because the traditional ways of prioritizing vulnerabilities aren’t keeping up.

Here’s what’s broken:

  1. Impact Is Hard to Measure: CVSS scores alone don’t cut it. Not every “critical” vulnerability is actually critical to your unique environment.

  2. Too Much Noise: You’re drowning in alerts, false positives, and low-priority vulnerabilities that clog up your to-do list.

  3. Attack Surface Blind Spots: You can’t defend what you can’t see. Shadow IT, misconfigurations, and third-party risks expand your attack surface.

  4. Vulnerability Fatigue: Ever feel numb to all the alerts? You’re not alone. Many teams are stretched thin and start to tune out the noise.

  5. Communication Gaps: Explaining technical risks to business leaders is like speaking two different languages. Without a common risk-based approach, things get lost in translation.

 

How to Neutralize Attack Paths

If traditional vulnerability management isn’t enough, what is? The answer lies in adopting an attacker’s perspective. Attackers don’t think in silos. They think in paths—chains of vulnerabilities that, when combined, give them access to your most valuable assets.

To stay ahead, you need to break those paths. Here’s how:


1. Use Attack Path Mapping Tools

Continuous Automated Red Teaming (CART) platforms and similar attack-path tools map out the potential attack paths in your environment. They identify the “low-hanging fruit” an attacker would target first and highlight the chains of findings that lead from the outside to your critical assets, so you can see which single fix breaks the most routes.

It’s like following a trail of breadcrumbs—only you’re destroying the trail before anyone can follow it.


2. Red Teaming: Think Like an Attacker

Red teaming isn’t just about simulating attacks; it’s about uncovering the paths that attackers are most likely to exploit. Regular red team exercises help you test your defenses against real-world tactics.

Pro tip: Make it collaborative. Involve blue teams in the process to create a stronger, more unified defense.


3. Trend Analysis and CTEM (Continuous Threat Exposure Management)

Attackers evolve. Your defenses should, too. Trend analysis helps you spot emerging threats and adjust your strategy accordingly.

CTEM, on the other hand, is about continuous improvement. It’s not a one-time assessment; it’s a living, breathing process that evolves with your organization.


4. Simulate Attacks to Test Your Defenses

Attack simulation tools allow you to safely test how your defenses hold up against different attack scenarios. It’s like a fire drill for your network.

When done right, simulations reveal hidden vulnerabilities, misconfigurations, and gaps in your incident response plan.


5. Shift to Risk-Based Vulnerability Management (CRQ)

Not all vulnerabilities are created equal. A risk-based approach helps you focus on what matters most by tying vulnerabilities to business impact.

Using Cyber Risk Quantification (CRQ), you can calculate the financial impact of potential attacks and prioritize your efforts accordingly. It’s about shifting from “What’s vulnerable?” to “What’s most at risk?”
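As an added illustration (not code from the session, and not from any CART or CRQ product), here is a small attack-path model in Python that ties steps 1 and 5 together: assets are nodes, each edge is a step enabled by one finding, and findings are ranked by how much business loss they expose rather than by severity score. Every host, finding and loss figure is constructed for the example.

```python
"""Attack-path mapping and loss-weighted finding prioritization.

Added example for illustration; not code from the CISO Platform session or
from any product. All hosts, findings and loss figures are constructed.
"""


# Directed graph of the environment: node -> [(next_node, enabling_finding)].
# Each edge is one step an attacker could take and the finding that allows it.
EDGES = {
    "internet": [("web-01", "unauthenticated RCE in web app")],
    "web-01": [
        ("app-01", "hardcoded service-account credential"),
        ("jump-01", "SSH password reused from web tier"),
    ],
    "app-01": [("db-01", "database listener reachable with weak auth")],
    "jump-01": [
        ("db-01", "admin private key stored on jump host"),
        ("hr-files", "SMB share open to all authenticated users"),
    ],
    "db-01": [],
    "hr-files": [],
}

# Estimated loss if the asset is compromised (assumed figures, INR).
ASSET_LOSS = {"db-01": 50_000_000, "hr-files": 8_000_000}


def find_paths(graph, source, target):
    """Return every simple path from source to target.

    Each path is a list of (node, finding) steps; the findings are what a
    patch or configuration change would remove.
    """
    paths = []
    stack = [(source, {source}, [])]
    while stack:
        node, visited, steps = stack.pop()
        if node == target:
            paths.append(steps)
            continue
        for nxt, finding in graph.get(node, []):
            if nxt not in visited:
                stack.append((nxt, visited | {nxt}, steps + [(nxt, finding)]))
    return paths


def rank_findings(graph, source, asset_loss):
    """Rank findings by the loss they expose.

    For each crown-jewel asset, its loss is split evenly across the attack
    paths that reach it, and every finding on a path receives that path's
    share. A finding present on every path to an asset therefore carries the
    asset's full loss: fixing it breaks every route.
    """
    score = {}
    for asset, loss in asset_loss.items():
        paths = find_paths(graph, source, asset)
        for path in paths:
            share = loss / len(paths)
            for _, finding in path:
                score[finding] = score.get(finding, 0.0) + share
    return sorted(score.items(), key=lambda item: item[1], reverse=True)


def remove_finding(graph, finding):
    """Graph with every edge enabled by `finding` removed, i.e. after the fix."""
    return {
        node: [(nxt, f) for nxt, f in edges if f != finding]
        for node, edges in graph.items()
    }


def reachable_assets(graph, source, assets):
    """Crown-jewel assets that still have at least one path from source."""
    return sorted(a for a in assets if find_paths(graph, source, a))


if __name__ == "__main__":
    for finding, exposed in rank_findings(EDGES, "internet", ASSET_LOSS):
        print(f"{exposed:>14,.0f}  {finding}")
    fixed = remove_finding(EDGES, "SSH password reused from web tier")
    print("still reachable after fixing SSH reuse:",
          reachable_assets(fixed, "internet", ASSET_LOSS))
```

On this toy graph the web-app RCE tops the list because every path starts there, the SSH password reuse on the jump host is the next choke point, and the same model shows that fixing the SSH reuse alone still leaves db-01 reachable through app-01. That is the difference between patching a vulnerability and breaking a path.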



The Future of Cyber Defense: Stay Ahead by Staying Adaptive

In today’s threat landscape, standing still means falling behind. Attackers are evolving, and so should you. By thinking like an attacker, mapping out attack paths, and focusing on what really matters, you can stay one step ahead.

It’s not about patching everything—it’s about patching the right things at the right time.

 

Call to Action: Join the Cybersecurity Community

Want to stay ahead of the curve? Join CISO Platform, the global cybersecurity community where top CISOs share insights, strategies, and best practices.

Sign up today: Join CISO Platform

 

Contributors:

- Bikash Barai (Co-Founder at CISO Platform & FireCompass)

- Balkishan Chauhan (Technical Director - Skybox Security)

- Aftab Syed (Country Manager, Skybox Security)

Read more…

Every company wants to unlock the magic of cloud data, but it’s not a free ride. Especially with data privacy laws like the Digital Personal Data Protection Act (DPDPA) keeping you accountable. Getting data security right can feel like juggling water balloons in a windstorm—but that’s where a smart taxonomy steps in.

Think of taxonomy as your cybersecurity GPS. It’s a framework that tells you where your data is, how it moves, and what’s protecting it. Let’s explore how this works under the DPDPA lens.

 
 

The Building Blocks of Cloud Data Security Taxonomy

The trick to managing cloud data security is breaking it down into bite-sized tasks. Here’s how you can do it:


1. Data Discovery and Inventory

First rule of data security: Know what you’re dealing with. Like cleaning out a messy attic, you need to find all the sensitive stuff hiding in shadow IT corners. Data discovery tools can scan your cloud environment and map your data assets.

Tip: Start with unstructured data. It’s often the sneaky culprit when breaches happen.


2. Data Flow Mapping and ROPA

Data doesn’t sit still. It flows. Mapping its path helps you answer key questions: Where does it go? Who touches it? This step also produces a Record of Processing Activities (ROPA), the evidence you will need to demonstrate accountability for personal data under DPDPA.

Imagine: It’s like tracking a package—except the package is your customer’s personal info.


3. Data Matrix and Classification

Once you know what data you have, sort it. Not all data is created equal. Some need kid-glove handling (think health records or financial data). Others? Not so much.

Pro Tip: Use automated classification tools to label sensitive data in real time.


4. Privacy Impact Assessment (PIA)

A Privacy Impact Assessment (PIA) shows how your data practices impact people’s privacy. It’s like a stress test for your data processes. The goal? Spot risks before regulators do.

Example: If you’re using AI models, ask: Does this data get anonymized? Is consent crystal clear?


5. Data Minimization

Less is more. Collect only what you need. Store it only as long as you need it. DPDPA loves data minimization—and so should you.

Reality Check: Why hang on to old customer data if it’s not bringing value? That’s just extra baggage.


6. Risk Treatment

You’ve found your risks. Now what? Decide how to manage them. Some you can mitigate with controls. Others might need a transfer (cyber insurance) or acceptance.

Key Insight: Not every risk needs fixing. Prioritize based on impact.


7. Localization and Cross-Border Transfers

With DPDPA, data localization is a hot topic. Know where your data resides and where it travels.

Solution: Use cloud storage regions that align with your compliance needs.
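The steps above are easiest to see as one pipeline, so here is an added example (not code from the session and not any product's scanner) that runs discovery and classification, a residency check and a retention check over a handful of constructed cloud objects. The regexes, the allowed regions and the retention period are assumptions; a real deployment would enumerate objects through the cloud provider's APIs and use a proper classifier.

```python
"""Discovery, classification, residency and retention checks on a sample
inventory.

Added example; not code from the session or from any product named on the
page. Patterns, regions and retention period are assumptions, and the
objects are constructed. A real deployment would enumerate objects through
the cloud provider's APIs and use a proper classifier.
"""
import re

# Classifiers for the personal-data types this example looks for. Patterns are
# deliberately simple: Aadhaar as 12 digits in groups of 4, PAN as 5 letters,
# 4 digits and 1 letter, and a loose email match.
PATTERNS = {
    "aadhaar": re.compile(r"\b\d{4}\s?\d{4}\s?\d{4}\b"),
    "pan": re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
SENSITIVITY = {"aadhaar": "restricted", "pan": "restricted", "email": "confidential"}

# Assumptions for this example: personal data stays in these regions and is
# purged after this many days without access.
ALLOWED_REGIONS = {"ap-south-1", "ap-south-2"}
RETENTION_DAYS = 365


def classify(text):
    """Return (level, labels): the highest sensitivity among matched types."""
    labels = {name for name, rx in PATTERNS.items() if rx.search(text)}
    if not labels:
        return "public", labels
    if any(SENSITIVITY[name] == "restricted" for name in labels):
        return "restricted", labels
    return "confidential", labels


def build_inventory(objects, allowed_regions=ALLOWED_REGIONS,
                    retention_days=RETENTION_DAYS):
    """Classify each object and report residency and retention exceptions.

    objects: iterable of dicts with path, region, age_days and content.
    Returns (inventory, residency_violations, purge_candidates), the last two
    as lists of object paths.
    """
    inventory, residency, purge = [], [], []
    for obj in objects:
        level, labels = classify(obj["content"])
        record = {
            "path": obj["path"],
            "region": obj["region"],
            "level": level,
            "labels": sorted(labels),
        }
        inventory.append(record)
        # Localization: personal data stored outside the permitted regions.
        if labels and obj["region"] not in allowed_regions:
            residency.append(record["path"])
        # Minimization: personal data kept past the retention period.
        if labels and obj["age_days"] > retention_days:
            purge.append(record["path"])
    return inventory, residency, purge


# Constructed sample objects (no real people or identifiers).
SAMPLE_OBJECTS = [
    {"path": "s3://hr-exports/onboarding.csv", "region": "ap-south-1",
     "age_days": 30,
     "content": "Asha Rao,2341 5678 9012,ABCDE1234F,asha@example.in"},
    {"path": "s3://analytics-scratch/dump.json", "region": "us-east-1",
     "age_days": 400,
     "content": '{"email": "r.kumar@example.in", "plan": "gold"}'},
    {"path": "s3://www-assets/logo.svg", "region": "us-east-1",
     "age_days": 900,
     "content": "<svg xmlns='http://www.w3.org/2000/svg'/>"},
]

if __name__ == "__main__":
    inv, residency, purge = build_inventory(SAMPLE_OBJECTS)
    for rec in inv:
        print(rec)
    print("outside allowed regions:", residency)
    print("past retention:", purge)
```

The scratch analytics dump is the interesting case: a single email address makes it personal data, which puts it in scope for both the residency check (it lives in us-east-1) and the retention check (it has sat untouched past the assumed 365 days). Tune the regexes and thresholds to your own taxonomy; the structure of the checks is what carries over.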

 
 

Essential Security Controls for Cloud Data

Once you’ve mapped your data landscape, it’s time to lay down security guardrails. These controls reduce your attack surface and keep sensitive data safe.


1. Fundamental Security Controls

Start with the basics:

  • Access controls (limit who can see what)

  • Encryption (protect data at rest and in transit)

  • Multi-Factor Authentication (MFA)

Analogy: Think of these as the locks on your cloud house.


2. Policies and Procedures

Clear policies set the tone. They tell employees what’s allowed and what’s not. Procedures guide your response to incidents.

Bonus: Align your policies with DPDPA to cover compliance gaps.


3. Privacy and Consent Management

Under DPDPA, consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action. A consent management tool helps automate collecting and recording it.

Quick Win: Make your consent forms simple and transparent.

 
 

Refined Tech Architecture for Cloud Data Security

Once your controls are in place, you’ll need the right tech stack to back them up. Here’s what’s trending in cloud data security:


1. Data Discovery and Classification Tools

Automatically find and classify sensitive data. This reduces manual effort and speeds up compliance.

Example Tools: BigID, Varonis


2. Data Loss Prevention (DLP)

Prevent accidental data leaks. DLP monitors emails, downloads, and file sharing.

Scenario: A sales rep accidentally tries to send a customer list to their Gmail account. DLP can block that.


3. Data Security Posture Management (DSPM)

DSPM tools give you continuous visibility into your cloud data security posture. They help you detect misconfigurations and compliance drift.

Benefit: Fix vulnerabilities before attackers exploit them.


4. Digital Rights Management (DRM) and Information Rights Management (IRM)

Control who can access your sensitive files—and what they can do with them.

Example: Allow a contractor to view a document but block downloads or screenshots.


5. Cloud Access Security Broker (CASB)

CASBs act as gatekeepers between your users and cloud apps, applying classification, DLP and rights-management policies to the traffic that passes between them.

Analogy: Think of CASB as the bouncer that enforces your cloud security policies.


6. Cloud Security Posture Management (CSPM)

CSPM tools continuously scan your cloud environment for misconfigurations.

Use Case: Detect open S3 buckets, exposed APIs, and other common cloud missteps.


7. Identity and Access Management (IDAM)

Manage user identities and control access. IDAM is critical for Zero Trust architecture.

Tip: Implement role-based access control (RBAC) to minimize privilege abuse.

 
 

Final Thought: Simplify to Secure

Data security doesn’t have to be overwhelming. By breaking it down into clear steps and leveraging the right tools, you can secure your cloud environment and stay DPDPA-compliant.

Remember, the cloud isn’t the wild west—not if you build a smart security taxonomy.

 
 

Join the Cybersecurity Community

Want more insights like this? Join CISO Platform and connect with 50,000+ security professionals. Let’s build a safer, smarter digital future together.

Sign Up Here: https://www.cisoplatform.com/main/authorization/signUp

 

Contributors:

- Bikash Barai (Co-Founder at CISO Platform & FireCompass)

- Aravinth Kumar Ramachandran (Director of Engineering, Barracuda Networks)

Read more…

Imagine seeing photos and videos of a massive political rally flooding your social media feed. It looks real—except it never happened. That’s the power of disinformation propaganda: creating false realities that influence thoughts, decisions, and even national security.

What is Disinformation Propaganda?

Disinformation propaganda is false information spread to mislead and manipulate. It’s used to push specific agendas, influence opinions, and create confusion. The goal isn’t just to misinform—it’s to control the narrative and drive behavior based on falsehoods.

 

Types of Disinformation Propaganda

Chester Hosmer highlights the key forms of disinformation campaigns targeting organizations and individuals:

1. Brand Impersonation

Attackers impersonate trusted brands to push their products or steal information. They use the authority of a brand’s name to deceive people into trusting false content.
Result: Loss of trust and stolen data.

2. Nation-State Fake Intelligence

False information is strategically spread to infiltrate organizations and influence their decisions. Nation-states use fake intelligence to push political and economic agendas.
Result: Misguided decisions and organizational disruption.

3. Catfish Rallies

Fake events are staged online to manipulate public perception. Photos and information are shared to convince people that the event actually happened, even when it didn’t.
Result: Public confusion and manipulation of social opinion.

4. Malware-Laced Disinformation

Disinformation campaigns often include phishing links that deliver malware. Once clicked, the malware spreads through networks, compromising systems and data.
Result: System breaches and data loss.

5. Political Disinformation

False information about political candidates is spread globally, not just domestically. Manipulated audio files and false narratives are used to mislead voters.
Result: Misinformed voters and weakened political trust.

 

Why Platforms Aren’t Stopping It

Section 230 of the U.S. Communications Decency Act (1996) shields platforms from liability for user-generated content.

  • Platforms are not treated as publishers but as distributors of information.
  • If a newspaper publishes false information, they can be sued.
  • If a social media platform distributes false information, they are protected under Section 230.

Platforms resist monitoring or changing content because that would shift their legal standing from a distributor to a publisher—making them liable for the content.

 

The Cybersecurity Risk

Disinformation propaganda isn’t just a media problem—it’s a direct threat to cybersecurity.

  • Phishing and malware are embedded in false content.
  • Business Email Compromise (BEC) attacks use false authority to steal data and funds.
  • Manipulated data can compromise AI-driven business decisions.
  • Emotional triggers increase the success rate of social engineering attacks.

 

Conclusion

Disinformation propaganda isn’t going away—it’s evolving. False narratives, fake events, and manipulated content are now part of the threat landscape. Defending against disinformation is just as critical as defending against network intrusions.

 

Join CISO Platform—The Cybersecurity Community

Stay ahead of evolving threats. Connect with 50,000+ cybersecurity professionals and gain access to exclusive resources, insights, and best practices.
Join Now

 

By: Chester Hosmer (Technical Author & President, Python Forensics, Inc.)

Read more…

Unfortunately, I am old enough to remember how SIEM was done before the arrival of threat intelligence feeds. We had to write broad behavioral (well, “behavioral-ish”, if I am totally honest) rules without relying on any precise knowledge of attacker infrastructure and details of their operations (IF event_type=exploit FOLLOWED BY event_type=config_change ON the same machine THEN alert).

 

Another choice was to write simple atomic rules on obviously bad single events (IF event_type = logs_deleted THEN alert). Detections involved the patterns we observed (rarely, but we did have honeypots and IR), hypothesized (more often) and sometimes made up in the lab. Back then, detections were rarely built from precise and detailed knowledge of malicious activity.

 
Image by Meta.AI — check out the eyes :-)

 

The arrival of threat intelligence (TI) feeds in 2005–2010 helped with some SIEM problems, but possibly made others worse. It definitely made some people lazier and made them rely on “OMG, look mom, a bad IP!” or other fragile indicators (you can hash this out on your own) from the bottom layers of the pyramid of pain. Their detection became a bit faster, a lot more fragile, a bit broader (with some luck, and with enough TI vendor spend), a lot noisier (“hi, feeds with 97% false positive rates!”) but also a bit more… I dunno.. “narrow-minded” (“not in my threat feeds? So not a threat!”)

 

Thus here is a notable point: technical TI has pushed many SIEM operators to lower levels of the pyramid, perhaps unintentionally. As a sidenote, when smart people offered them “strategic TI”, they could not find an obvious hole in their SIEM where it could be shoved, so they didn’t use it…

 

Obviously, TI brought obvious good news too: it made things better by relying on rapidly developing data about the attackers and their activities provided by the threat feeds. In a sense, TI “corrupted” SIEM, and as we know, many corrupt systems continue to function, and occasionally improve. Then again, maybe this metaphor is a bit much, as TI+SIEM did bring a lot of good news (especially on the alert triage and investigation side, TI as context, etc)

 

Finally, I also noticed that this area is where the “romantic dreams” of many SIEM operators clash with reality on the ground the most. Naive “get TI -> shove into SIEM -> detect threats” crowd shows up at the bar, drinks all the vodka, and leaves disappointed … ok, my metaphors suck today, Gemini, help?

So, Anton, the point? Enough with the rants already!

 

How to make real work closer to the perfect world?

What can we do to make TI work better inside your SIEM?

Specifically, how can we detect better using TI?

 

Before we get to the current answer, let me present my 2019 answer: “Detecting Threats by Matching Threat Intel to Logs — Oh Really?” (Jul 2019). I suggest you go read it, especially if you are at the “tying my shoelaces seems really hard” stage of your development with SIEM and TI (or if you like my jokes…). We don’t want people to creatively repeat 2015 mistakes in 2025… especially because there are 2005 mistakes to be repeated?

So I want to push this forward. And I will do this with a table, an ugly table that Anna used to love so much… Here it is: threat intel in SIEM in the real world vs the unicorn utopia.

 
TI in SIEM: real world vs utopia

OK, what’s next? How do we journey from the real world to a magical world where TI is beautiful and effective? This will be covered in the next blog!

 


- By Anton Chuvakin (Ex-Gartner VP Research; Head Security Google Cloud)

Original link of post is here
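An added example (not Anton's code and not any SIEM's rule language) that puts the three rule styles from the post side by side over constructed events: the behavioral sequence rule, the atomic rule, and a bare feed match, plus TI used as context on an alert rather than as the detection itself. The log tuple format, the 15-minute window and the two-entry "feed" are assumptions.

```python
"""Behavioral sequence rule vs atomic rule vs plain TI feed match.

Added example, not Anton's code and not any SIEM's rule language. Events,
feed entries and the correlation window are constructed or assumed.
"""
from datetime import datetime, timedelta

# Constructed events: (iso_timestamp, host, event_type, remote_ip or None).
EVENTS = [
    ("2025-03-01T10:00:00", "srv-7", "exploit", "203.0.113.9"),
    ("2025-03-01T10:03:00", "srv-7", "config_change", None),
    ("2025-03-01T11:00:00", "wks-2", "config_change", None),
    ("2025-03-01T12:00:00", "wks-3", "outbound_conn", "198.51.100.20"),
    ("2025-03-01T12:30:00", "srv-9", "logs_deleted", None),
    ("2025-03-01T14:00:00", "srv-9", "config_change", None),
]

# Constructed "feed": one attacker address plus a shared hosting address of
# the kind that ends up on feeds and then fires on ordinary traffic.
THREAT_FEED = {"203.0.113.9", "198.51.100.20"}


def rule_sequence(events, window=timedelta(minutes=15)):
    """IF exploit FOLLOWED BY config_change ON the same host (within window) THEN alert."""
    alerts, last_exploit = [], {}
    for ts, host, etype, _ in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if etype == "exploit":
            last_exploit[host] = t
        elif etype == "config_change" and host in last_exploit:
            if t - last_exploit[host] <= window:
                alerts.append(("exploit_then_config_change", host))
    return alerts


def rule_atomic(events):
    """IF event_type = logs_deleted THEN alert."""
    return [("logs_deleted", host)
            for _, host, etype, _ in events if etype == "logs_deleted"]


def rule_feed_match(events, feed):
    """Bottom-of-the-pyramid detection: any event whose IP is on the feed."""
    return [("feed_ip_match", host, ip)
            for _, host, _, ip in events if ip in feed]


def enrich(alerts, events, feed):
    """TI as context, not detection: attach feed hits seen on the alerting host."""
    hits = {}
    for _, host, _, ip in events:
        if ip in feed:
            hits.setdefault(host, set()).add(ip)
    return [(alert, sorted(hits.get(alert[1], ()))) for alert in alerts]


if __name__ == "__main__":
    print("sequence rule:", rule_sequence(EVENTS))
    print("atomic rule:  ", rule_atomic(EVENTS))
    print("feed match:   ", rule_feed_match(EVENTS, THREAT_FEED))
    print("enriched:     ", enrich(rule_sequence(EVENTS), EVENTS, THREAT_FEED))
```

The feed match fires twice, once on the real intrusion and once on the shared hosting address, and it would have fired zero times had the attacker used an address the feed has never seen. The sequence rule catches srv-7 with no feed at all, and the feed's one useful contribution in this run is the enrichment line that tells the analyst which IP the exploit came from.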

Read more…
A fair-weather SOC by Meta AI

Do you have a fair-weather friend? Or two?


Fair weather friend (via Google)

OK, do you also have a fair-weather SOC?

This train of thought was inspired by reading pilot forums about how some training approaches lead to “fair weather pilots” who perform well in all cases except real emergencies. Anyhow, let me stop with this because this is not my area; it only triggered the ideation process for me.

So, what does fair-weather SOC look like? First, this reminded me of “compliance SOC” or “better than nothing SOC.” The latter is, practically, sometimes worse than nothing (If you have nothing, you also have no illusions. If you have a dramatically sub-par capability, you have illusions and you may act as if you are covered for some risks, while in reality you are not). Naturally, a “compliance SOC” serves a single purpose — to prove to an auditor that you have a SOC (and nothing else). For an MSSP, it may be a SOC built to make money by fleecing low maturity clients who don’t know better and just “want better than nothing security” done “by somebody else” (that they can then sue for fun…)

Anyhow, I digress, what makes a SOC a fair-weather SOC? Here is my top 5:

 

#1 Lack of experience with major incidents: 

The team may have limited experience dealing with significant security incidents, resulting in a lack of preparedness and inadequate response capabilities when a crisis occurs. This can lead to slower response times, failure to detect threats, long triage times, and an inability to respond quickly yet correctly. And, yes, your SOC team may be “proven” (on minor incidents) and “metrics look good” (in the absence of attackers), but it won’t hold up in inclement weather.

What to do? Given that instrumenting a major incident is probably not the way to go, tabletop exercises are likely the main means of addressing this. These days, gen AI helps a lot here. And so does testing SOC automation under stress.

 

#2 Inability to operate under pressure: 

When faced with a high-pressure situation, such as a major incident, the team may struggle to make decisions, communicate with annoying bosses ;-), or coordinate a cohesive response (Gemini suggested something else for a chance to use the word “delve” but no thank you…). So the team may have a plan, but they never did any planning.

What to do? Not to make the work more stressful, for sure! Planning activities, drills, practice checklists and — again — tabletops are the way to go. And you know who else works well under pressure? Robots! Automation is indirectly helping you operate better under pressure. If you automate yourself out of a stressful job, your job will be to (calmly) make the robots, while they (stressfully) operate … (this is kinda the point!)

 

#3 SOC metrics (if any) are smooth and measure efficiency:

They teach you nothing about what will happen when things are NOT normal. Efficiency only matters … if your stuff actually works, and works when it really has to.

What to do? Look at your SOC metrics stack and try to see which metrics measure how calm waters flow and which metrics measure how you handle the storm surge. For example, average alert triage time has nothing whatsoever to do with triaging alerts resulting from a top tier APT compromise. Measure efficiency, effectiveness and “effectiveness under fire” that cover cases when the attacker shows up. This blog and webinar cover the topic.

 

#4 Untested Tooling and Technology Under Stress: 

The SOC relies on tools and technologies that have not been rigorously tested under high-stress scenarios or against real-world attack simulations. This reveals weaknesses when the pressure is on. People who build such SOC tool stacks assume that everything would be fine; they essentially forget that threat detection is hard and that (some) attackers care not to be detected (duh!)

What to do? Conduct regular performance testing of security tools, simulate high-volume attack scenarios, and validate the effectiveness of automated — and manual! — responses. If you use BAS or similar tools as part of such testing program, then really hit it.

 

#5 “Mature” and very rigid processes: 

This one is going to be weird. Many years ago I remember a research paper that lamented that some SOCs had excessive maturity — the concept that I found illogical at the time. It manifested as excessively polished yet rigid processes, where consistency absolutely won over creativity (SOC consistency vs creativity conundrum is covered here). Some “compliance SOC” devolve even deeper into “cargo cult SOC” where the processes are rigid and diligently followed; they are also wrong. This combines a fragile process stack with wrongness, a killer combo. Overly rigid, ‘checkbox’ SOC processes crumble under pressure, and if diligently followed, they lead you wrong.

Weirdly, over-reliance on “fair weather”, fragile automation fits here too. While automation is hugely valuable and is a big part of the cure, an over-reliance on fragile automated tools that break when the attacker shows up and tries something funny can become a disease.

Similarly, lack of threat hunting and adversarial simulation (both essentially “proactive” i.e. not attacker-led processes) is a feature of a fair weather SOC. The SOC primarily reacts to alerts and incidents, with minimal proactive threat hunting or simulated adversarial testing. This leaves them unprepared for sophisticated attacks that bypass standard detection methods.

What to do about it: Hunt! Do security things that do not follow rigid processes, require and stimulate creativity. Implement regular threat hunting exercises, conduct red team/blue team exercises, and engage external experts for penetration testing.

 

Call to action

So, “Is your SOC a fair-weather friend?” Review our list, do a solid “red team” run on it and call Mandiant for an assessment, then double down on building things that help “when the attacker shows up.”

 


- By Anton Chuvakin (Ex-Gartner VP Research; Head Security Google Cloud)

Original link of post is here

Read more…

The Cyber Threat Landscape for Small Businesses 

Small and medium-sized businesses (SMBs) face a rising tide of cyber threats, challenging the misconception that only large corporations are at risk. As cybercriminals increasingly target smaller organizations, SMBs must understand the risks, potential costs, and critical defenses needed to safeguard their operations.

 

13519933065?profile=RESIZE_180x180


Why Small Businesses Are Prime Targets

The numbers tell a stark story:
- 43% of cyberattacks now target small businesses.
- 46% of attacks occur in businesses with fewer than 1,000 employees.
- On average, SMBs lose $25,000 per cyber attack, with some incidents costing much more.

In 2020 alone, SMBs experienced over 700,000 attacks, resulting in $2.8 billion in damages. As digital dependence grows, small businesses must view cybersecurity as an essential investment, not an optional expense. A successful cyberattack can result in lost revenue, damaged reputation, and costly recovery efforts.

 

The Financial Impact of Cyber Attacks on SMBs

The costs associated with cyber incidents can quickly become overwhelming:
- SMBs spend between $826 and $653,587 on average to address a cybersecurity incident.
- Cybercrime costs are projected to increase by 15% annually, potentially reaching $10.5 trillion by 2025.

Many small businesses lack adequate protection to recover financially from cyber attacks. Proactive cybersecurity investments help mitigate the impact of attacks, preventing costly disruptions that can put entire operations at risk.



Critical Cyber Threats Facing Small Businesses

1. Phishing and Ransomware
   - Phishing and ransomware are the leading threats. Ransomware demands can be costly, with average demands reaching $5,900.
   - 82% of ransomware attacks target companies with fewer than 1,000 employees and 55% hit businesses with fewer than 100 employees.
   - Small businesses with revenue of less than $50 million are disproportionately affected, and they often lack the resources to recover.

2. Credential Theft and Supply Chain Attacks
   - Credential theft is prevalent, with stolen credentials allowing attackers to infiltrate systems.
   - Supply chain vulnerabilities expose businesses to risks from third-party providers, amplifying the impact when a vendor or partner is breached.

3. Attacks Using Stolen Devices
   - Compromised devices are another entry point, particularly with remote work on the rise, leading to unauthorized access and data breaches.

 

Small Business Preparedness: A Reality Check

Many SMBs are unprepared for cyber threats:
- Only 14% of SMBs have a dedicated cybersecurity plan.
- 47% of businesses with fewer than 50 employees don’t allocate any cybersecurity budget.
- Half of small businesses lack basic IT security measures, and just 17% have cyber insurance. Of those with insurance, 48% waited until after an attack to purchase coverage.



The Role of Human Error in Cybersecurity

Human error contributes significantly to cyber vulnerabilities:
- 95% of cybersecurity breaches are due to human error, often stemming from untrained or uninformed employees.

Employee training and awareness programs are critical in addressing this gap. With the right training, employees can become a strong line of defense, reducing errors that lead to breaches.

 

Actionable Cybersecurity Recommendations for SMBs

For small businesses, a robust cybersecurity posture doesn’t require complex, high-cost solutions. Here are essential, achievable steps:

1. Strengthen Access Control: Implement multi-factor authentication (MFA) and strong password policies to prevent unauthorized access.
2. Regular Security Scans: Conduct vulnerability scans and penetration tests to identify and address system weaknesses.
3. Anti-Malware and Firewalls: Use reputable anti-malware software and firewalls to safeguard against external threats.
4. Secure Development Practices: If applicable, ensure coding practices are secure and conduct regular code reviews.
5. Develop a Cybersecurity Plan: Establish a documented cybersecurity plan outlining security policies, incident response procedures, and training programs.
6. Cybersecurity Training: Educate employees on recognizing phishing attacks, handling sensitive data, and following cybersecurity best practices.
7. Cyber Insurance: Consider cyber insurance to cover potential financial losses and recovery expenses in case of an attack.

 


Conclusion

Small businesses are no longer immune to cyber threats, and the consequences of inaction can be severe. By understanding the risks, implementing critical cybersecurity measures, and educating employees, SMBs can build a resilient defense against evolving cyber threats in 2024 and beyond. Investing in cybersecurity now is a proactive step toward securing your business's future.

By: Christophe Foulon (vCISO at Quisitive)

Original link of post is here

Read more…

Small and medium-sized businesses (SMBs) face growing cybersecurity challenges. As cyber threats grow in sophistication and frequency, protecting sensitive data and maintaining secure operations has become critical. Historically, these businesses have been seen as easy targets because of limited resources and in-house security expertise. Technological advances, particularly in artificial intelligence (AI), are changing the game: with the rise of automated security systems, AI is increasingly relied upon to safeguard businesses.

 




AI is now central to modern cybersecurity. AI-driven threat detection is reshaping security strategies by offering speed, scale and consistency that manual, rule-only methods cannot match. For SMBs, integrating AI brings tangible benefits, including stronger protection and the ability to adapt to evolving threats.



II. AI-Driven Threat Detection

What is AI-Driven Threat Detection?

AI-driven threat detection refers to using artificial intelligence to identify and respond to cybersecurity threats. Unlike traditional controls that rely on predefined rules and signatures, it uses machine learning to model what normal activity looks like and to flag deviations from it in near real time. This allows threats to be identified early, including ones for which no signature exists yet. The trade-off is that a deviation is not always an attack, so alerts still need triage by a person or a well-tuned playbook before anything is blocked.

 

Advantages of AI in Identifying Threats

One of the primary advantages of using AI for threat detection is speed at scale. An AI system can sift volumes of logs and network events that no analyst team could review by hand, and surface likely phishing attempts or malware intrusions within seconds, minimising damage and reducing downtime.

Real-world examples of AI-enhanced cybersecurity tools include solutions like Darktrace and Cylance, which use AI to monitor network activity and detect unusual behavior indicative of a cyberattack. These tools have successfully thwarted attacks on SMBs, demonstrating the efficacy of AI in real-world scenarios.



Case Studies of Successful AI Implementation

Numerous SMBs have successfully integrated AI-driven solutions to enhance their cybersecurity. For instance, a small healthcare provider implemented AI-based security tools to protect patient data from ransomware attacks. The AI solution quickly identified and isolated the threat, preventing data breaches and maintaining patients' trust.

These success stories highlight essential lessons and best practices, such as the need for continuous monitoring and updates to AI systems to ensure ongoing protection.



AI and Data Protection: The Role of AI in Safeguarding Data

Beyond detecting threats, AI also supports data protection. Encryption remains a separate, deterministic control; what AI adds on top of it is anomaly detection and user behaviour analytics that spot irregular access patterns, such as an account downloading far more records than its peers or logging in from an unusual location, so that unauthorised access and data leaks can be stopped early. This matters most for SMBs handling confidential customer information.



Challenges and Solutions in AI-Driven Data Protection

Implementing AI for data protection comes with its challenges. Common hurdles include the complexity of AI systems and the need for specialized knowledge to manage them. However, these challenges can be overcome with strategic planning and investment in training and resources.

Solutions include adopting user-friendly AI tools tailored for SMBs that simplify implementation and management. Collaborating with cybersecurity experts can also provide the guidance needed to optimise AI-driven data protection strategies.



Future Trends in AI and Data Security

As AI technology continues to evolve, new trends are emerging in data security. One is pairing AI with blockchain or other append-only ledgers to build tamper-evident records: a ledger can show that stored data or a transaction was altered, though it cannot by itself prevent the alteration. Another is AI-powered predictive analytics that aim to anticipate likely attacks from early indicators rather than only reacting after the fact.



IV. AI-Enhanced Cybersecurity Tools

Overview of AI-Enhanced Tools Available

The market offers a variety of AI-enhanced cybersecurity tools designed with SMBs in mind. Tools like Norton Small Business and Fortinet's FortiAI provide advanced security features, including real-time threat intelligence and automated responses to potential threats, giving SMBs strong protection without needing a large IT department.


Implementation Strategies for SMBs

Integrating AI-enhanced tools into existing security infrastructures requires careful planning. SMBs should start by assessing their security posture and identifying areas where AI can benefit most. Budget considerations are crucial, as AI solutions can vary in cost. However, many providers offer scalable options that grow with the business, ensuring affordability and effectiveness.



Evaluating the Effectiveness of AI Tools

SMBs should track specific metrics and KPIs to assess how well an AI security solution performs: threats detected, but also the false-positive rate (alerts that turned out to be benign), time to detect and time to respond, and the reduction in confirmed incidents over time. A detector that raises many alerts is only useful if a meaningful share of them are true. Because threats evolve rapidly, continual tuning and updates are essential; regular assessments keep the tools effective and aligned with security standards.


V. Machine Learning in Security

Introduction to Machine Learning in Cybersecurity

Machine learning in security uses algorithms that learn patterns from data to improve threat detection and prevention. AI is the broader field; machine learning is the part concerned with systems that adapt from examples over time rather than from rules written out by hand for every case.



Applications of Machine Learning for Threat Prevention

Machine learning has many applications in cybersecurity, such as spotting previously unseen (zero-day) attack behaviour that no signature yet describes and enhancing intrusion detection systems. For example, ML models can analyse network traffic and flag unusual patterns, such as a host suddenly contacting dozens of ports or sending far more data than its peers, that may indicate an attack, allowing immediate intervention.



Benefits and Limitations of Machine Learning

The benefits of using machine learning for security in SMBs include improved threat detection and, when models are well tuned, fewer false positives than broad hand-written rule sets. The limitations are real too: models inherit bias from their training data (a model trained on an unrepresentative slice of traffic learns the wrong "normal"), and effective training needs large, diverse datasets. To mitigate these, SMBs should use representative data, re-train as the environment changes, and keep a human review step for alerts.
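To make the anomaly-detection idea from the threat-detection section and the KPI discussion above concrete, here is an added example (not code from the original post, and not how any vendor named on this page works). It parses constructed connection-log lines, builds two per-host features (distinct destination ports contacted, bytes sent), scores each with a robust modified z-score based on median and median absolute deviation (MAD) so that one huge outlier cannot inflate its own baseline, and then measures the detector against constructed ground-truth labels. One labelled host deliberately stays inside the normal range to show what the false-negative count looks like for "low and slow" activity. All hosts, ports, byte counts and labels are made up.

```python
import math
import re
import statistics
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<dport>\d+) (?P<bytes>\d+)$"
)

# Constructed traffic spec, not real data: (source, destination ports, total bytes).
# Hosts .1-.10 are normal, .11 sweeps 40 ports (scan), .12 sends 240 kB (bulk
# exfiltration). Host .10 is labelled malicious below as "low and slow" exfil
# that hides inside the normal range and is therefore expected to be missed.
_TRAFFIC = [
    ("10.0.0.1", [443, 80], 1200),          ("10.0.0.2", [443, 80, 53], 1500),
    ("10.0.0.3", [443, 22], 1800),          ("10.0.0.4", [443, 80, 53, 25], 2000),
    ("10.0.0.5", [443, 80, 53], 2100),      ("10.0.0.6", [443, 80], 2500),
    ("10.0.0.7", [443, 80, 53], 2700),      ("10.0.0.8", [443, 80, 53, 25], 3000),
    ("10.0.0.9", [443, 80, 53], 3300),      ("10.0.0.10", [443, 80], 3500),
    ("10.0.0.11", list(range(1, 41)), 2000), ("10.0.0.12", [443, 80, 53], 240000),
]


def _synth_lines(traffic):
    """Expand the spec into one log line per connection: 'ts src dst dport bytes'."""
    lines = []
    for src, ports, total in traffic:
        per_conn = total // len(ports)  # totals above divide evenly
        for i, port in enumerate(ports):
            lines.append(f"2024-05-01T10:{i // 60:02d}:{i % 60:02d}Z {src} 203.0.113.5 {port} {per_conn}")
    return lines


LOG_LINES = _synth_lines(_TRAFFIC)
GROUND_TRUTH = {"10.0.0.10", "10.0.0.11", "10.0.0.12"}  # constructed labels
THRESHOLD = 3.5  # conventional cut-off for the modified z-score


def parse(lines):
    """Per-source features: number of distinct destination ports and bytes out."""
    ports, out_bytes = defaultdict(set), defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ports[m["src"]].add(int(m["dport"]))
        out_bytes[m["src"]] += int(m["bytes"])
    return {s: {"distinct_ports": len(ports[s]), "bytes_out": out_bytes[s]} for s in ports}


def robust_z(value, population):
    """Modified z-score: 0.6745 * (x - median) / MAD. Median/MAD rather than
    mean/stdev so a single extreme host cannot mask itself by widening the baseline."""
    med = statistics.median(population)
    mad = statistics.median(abs(x - med) for x in population)
    if mad == 0:  # degenerate baseline (all identical): any deviation is abnormal
        return math.inf if value != med else 0.0
    return 0.6745 * (value - med) / mad


def detect(lines, threshold=THRESHOLD):
    """Return {host: [(feature, z), ...]} for hosts above the threshold on any feature."""
    feats = parse(lines)
    alerts = {}
    for name in ("distinct_ports", "bytes_out"):
        population = [f[name] for f in feats.values()]
        for src, f in feats.items():
            z = robust_z(f[name], population)
            if z > threshold:
                alerts.setdefault(src, []).append((name, round(z, 1)))
    return alerts


def evaluate(alerts, ground_truth, all_hosts):
    """KPIs a buyer should ask for: precision, recall and false-positive rate."""
    flagged = set(alerts)
    tp, fp = len(flagged & ground_truth), len(flagged - ground_truth)
    fn, tn = len(ground_truth - flagged), len(set(all_hosts) - flagged - ground_truth)
    return {
        "true_positives": tp, "false_positives": fp, "false_negatives": fn,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
    }


if __name__ == "__main__":
    found = detect(LOG_LINES)
    for src, reasons in sorted(found.items()):
        print(src, reasons)
    print(evaluate(found, GROUND_TRUTH, parse(LOG_LINES).keys()))
```

On this input the scanner and the bulk exfiltrator are flagged and the low-and-slow host is not, so precision is 1.0 but recall is only two thirds. That is the point of measuring recall against labelled incidents rather than counting alerts: a feature set tuned to catch loud behaviour says nothing about what it misses.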



AI Technology in SMBs: Adoption Strategies for AI in SMBs

A strategic approach is essential for SMBs looking to adopt AI technology. Begin by identifying specific areas where AI can address existing challenges, such as enhancing data protection or improving threat detection. A phased implementation plan can help manage costs and ensure a smooth transition.



Cost-Benefit Analysis for SMBs

Conducting a cost-benefit analysis is crucial to understanding the value of AI technology. While initial investment costs can be high, the long-term savings and return on investment often justify the expense. Benefits include reduced downtime, fewer security breaches, and enhanced customer trust, all of which contribute to business growth.



Success Stories from SMBs Using AI

Many SMBs have thrived by integrating AI into their operations. For example, a small retail business used AI-driven analytics to enhance its cybersecurity measures, significantly reducing fraud cases. These success stories provide valuable insights and inspiration, demonstrating the transformative impact of AI on SMBs.




In summary, AI has a profound impact on cybersecurity for SMBs. By leveraging artificial intelligence security solutions, small businesses can protect themselves from increasingly sophisticated cyber threats. AI offers enhanced threat detection, robust data protection, and efficient cybersecurity tools that empower SMBs to safeguard their operations.

Looking ahead, SMBs are encouraged to embrace AI technologies as part of their cybersecurity strategies. As the landscape of AI in cybersecurity continues to evolve, those who adopt these innovative solutions will be better positioned to thrive in a digital world. The future of cybersecurity is bright, and AI is at the forefront of this transformative journey.

 

- By Christophe Foulon (vCISO at Quisitive)

Original link of post is here

Read more…

Mastering Your First 30 Days as a CISO: A Strategic Roadmap

Stepping into the role of Chief Information Security Officer (CISO) is no small feat. The first 30 days are a critical window where you establish credibility, align with business objectives, and begin shaping the organization’s security posture. The decisions you make and the relationships you build during this time will influence your success in the long run.

In this blog, we’ll explore some key takeaways from "From Day One to Success – The CISO’s Guide to the First 30 Days" by Abdur Rafi, DGM – IT & CISO at ABP Pvt Ltd. This guide offers a structured framework to help CISOs hit the ground running, assess organizational risk, and build a foundation for long-term security success.

 

Week 1: Getting Oriented

The first week is all about understanding the landscape:

  • Meet with Key Stakeholders – Start by introducing yourself to senior executives and department heads. Understand their security concerns and business priorities.
  • Review Company Goals and Strategy – Align security objectives with the company’s growth strategy and operational goals.
  • Assess Existing Security Policies – Evaluate current security protocols and incident response plans to identify gaps and improvement areas.

 

Week 2: Building a Baseline

Once you’ve established an understanding of the company’s security posture, the next step is to assess risks and define immediate priorities:

  • Conduct a Security Assessment – Review network security, endpoint security, cloud security, and data protection measures.
  • Create a Risk Register – Identify critical assets and potential vulnerabilities. Prioritize mitigation efforts based on impact and likelihood.
  • Evaluate Compliance Requirements – Confirm the company meets the standards and regulations that apply to it, such as ISO 27001, PCI DSS and GDPR.

 

Week 3: Focusing on Early Wins

Building momentum is crucial in the third week:

  • Identify Quick Wins – Start with achievable improvements like strengthening password policies and implementing MFA.
  • Build a Cybersecurity Culture – Educate employees on security best practices through internal communications and training sessions.
  • Engage with Third-Party Vendors – Evaluate the security postures of key suppliers and partners to mitigate supply chain risks.

 

Week 4: Strategic Planning and Action

As you close the first month, it’s time to define long-term success:

  • Develop a 60-Day Action Plan – Outline both short-term and strategic goals to strengthen the organization’s security maturity.
  • Set Measurable Security Goals – Define key performance indicators (KPIs) to track progress and measure success.
  • Communicate Your Vision – Share your security strategy with executives and staff to ensure alignment and buy-in.

 

Why This Guide Matters

This guide isn’t just about managing security—it’s about embedding security into the DNA of the organization. The insights and structured approach outlined by Abdur Rafi provide a clear path for new CISOs to not only survive but thrive in their first month.


Want to dive deeper into each step and discover practical tips for success?

Download the full guide: Click Here

 

By: Abdur Rafi (DGM – IT & CISO, ABP Pvt Ltd)

Read more…

In the age of digital transformation, safeguarding data privacy and confidentiality is a top priority for healthcare organisations. With vast amounts of sensitive patient information now stored, processed, and shared digitally, healthcare providers must implement robust strategies to protect against cyber threats and ensure compliance with regulatory standards. Here’s how healthcare firms can lead the way in data privacy protection:

 

Adherence to regulatory requirements

Healthcare organisations operate in a highly regulated environment, and compliance with laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR) is non-negotiable. These regulations outline strict guidelines for managing patient data, from secure storage and processing to the transfer of information. Healthcare firms must maintain vigilance in adhering to these standards to avoid penalties and safeguard patient trust. A proactive approach to compliance demonstrates an organisation’s commitment to protecting patient confidentiality and data integrity.

 

Cloud security and vendor management

With the growing adoption of cloud-based services, healthcare organisations are increasingly relying on third-party vendors to store and manage sensitive data. Ensuring data sovereignty and security requires due diligence in selecting cloud providers that comply with relevant regulations and have advanced encryption mechanisms in place. Strong vendor management is key—organisations should ensure that their contracts explicitly address data confidentiality, encryption for data at rest and in transit, and compliance with local laws. This helps mitigate risks and ensures that healthcare data remains secure, regardless of where it’s stored.

 

Employee training and awareness

In the battle against cyber threats, employees are the first line of defense. Regular, comprehensive training is critical to ensuring that healthcare staff are well-equipped to handle sensitive patient data securely. These programs should go beyond the basics of security to include practical guidance on recognising phishing attempts, creating strong passwords, and securely managing data. Implementing engaging training techniques such as phishing simulations and incident response drills helps employees stay vigilant and prepared to act swiftly in the event of a security breach. By empowering staff, healthcare organisations can significantly reduce the risk of human error leading to data breaches.

 

Encryption and secure data practices

To safeguard sensitive patient information, healthcare organisations must encrypt data both at rest and in transit using current, well-reviewed algorithms and protocols, apply anonymisation or pseudonymisation to protect patient identities, and enforce robust authentication and authorisation through multi-factor authentication (MFA) and role-based access control (RBAC). The distinction matters: pseudonymised data, where identifiers are replaced by tokens that a key or lookup table can reverse, is still personal data under GDPR, whereas truly anonymised data cannot be linked back to an individual. Secure transport protocols such as HTTPS and SFTP keep data confidential on the wire, so that it remains protected from unauthorised access at every stage.

 

Zero trust security and real-time monitoring

Adopting a Zero Trust security framework is essential in today’s threat landscape. This model ensures that no individual or device is trusted by default—every attempt to access sensitive data is verified and monitored. Healthcare organisations can further protect against cyber threats by establishing Security Operations Centers (SOC) that provide real-time monitoring of access attempts, identifying and mitigating suspicious activity before it leads to a breach. By enforcing strict access controls and continuously auditing access logs, organisations maintain compliance with both internal security policies and external regulatory standards.
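The pseudonymisation, RBAC and access-auditing points from the two sections above, as an added Python example (not code from Kishore Kumar Mortha's article or from Omega Healthcare). The patient record, the roles and the key are all made up. It replaces the medical record number with a keyed HMAC token rather than a bare hash, hands each role only the fields it is allowed to see, denies unknown roles by default, and writes every attempt to an audit log that records the pseudonym rather than the identifier, so the log itself does not leak what it is protecting.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Assumed deployment secret, illustrative only. Keep the real one in a KMS/HSM
# and rotate it: whoever holds this key can link pseudonyms back to patients,
# which is exactly why pseudonymised data is still personal data under GDPR.
PSEUDONYM_KEY = b"example-only-rotate-me"

# Constructed patient record, not real data.
RECORD = {
    "patient_id": "MRN-000123",
    "name": "A. Example",
    "dob": "1984-07-19",
    "diagnosis": "J45.40",
    "billing_code": "99213",
}

# Role-based access control: the fields each role may receive. Researchers
# never get direct identifiers, only a pseudonym and a generalised birth year.
ROLE_FIELDS = {
    "clinician": {"patient_id", "name", "dob", "diagnosis"},
    "researcher": {"pseudonym", "birth_year", "diagnosis"},
    "billing": {"patient_id", "name", "billing_code"},
}

ACCESS_LOG = []  # in production: an append-only store forwarded to the SOC/SIEM


def pseudonymize(patient_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256 token. A bare SHA-256 of an MRN is not enough: MRNs
    have little entropy, so an attacker can hash every plausible MRN and match."""
    return hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()


def _log(actor: str, role: str, subject: str, outcome: str, fields) -> None:
    # Record the pseudonym, never the MRN, so the audit trail is not itself a leak.
    ACCESS_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor, "role": role, "subject": subject,
        "outcome": outcome, "fields": sorted(fields),
    })


def view(record: dict, role: str, actor: str, key: bytes = PSEUDONYM_KEY) -> dict:
    """Return only the fields `role` is allowed to see; every attempt is audited."""
    subject = pseudonymize(record["patient_id"], key)
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:  # default deny: an unknown role gets nothing
        _log(actor, role, subject, "denied", ())
        raise PermissionError(f"role {role!r} may not read patient records")
    derived = dict(record)
    derived["pseudonym"] = subject
    derived["birth_year"] = record["dob"][:4]  # generalisation: year of birth only
    result = {k: v for k, v in derived.items() if k in allowed}
    _log(actor, role, subject, "granted", result)
    return result


if __name__ == "__main__":
    print(view(RECORD, "researcher", "analyst-7"))
    print(view(RECORD, "clinician", "dr-smith"))
    print(ACCESS_LOG)
```

In a real system the role would come from the authenticated session (after MFA), not from a caller-supplied string, and the audit entries would be written somewhere the application account cannot modify, which is what makes the "continuously auditing access logs" part of a Zero Trust posture meaningful.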

 

Regular audits and compliance checks

Routine security audits are crucial for identifying potential vulnerabilities and ensuring compliance with regulations. These audits assess whether existing data protection measures align with legal requirements and offer opportunities for continuous improvement. Conducting regular compliance checks prepares healthcare organisations for external inspections and reinforces the trust of patients and stakeholders. By adopting a proactive audit approach, organisations can stay ahead of potential risks and ensure that their systems are fortified against evolving cyber threats.

 

Promoting a security culture

Fostering a security-conscious culture within the organisation is key to maintaining long-term data privacy and protection. Leadership must take an active role in championing data security initiatives, ensuring that every employee—from top management to frontline workers—understands their responsibility in safeguarding patient information. By promoting continuous education, recognising security champions, and providing regular communications on best practices, organisations can create a workforce that is both vigilant and dedicated to maintaining the highest standards of data privacy.

As healthcare firms continue to embrace digitalisation, implementing comprehensive data protection strategies is vital to maintaining patient trust, ensuring regulatory compliance, and defending against cyber threats. By prioritising robust security practices, investing in employee training, and fostering a strong security culture, healthcare organisations can lead the way in delivering secure and efficient patient care in the digital age.

 

By: Kishore Kumar Mortha (Head-Information Security, Risk & Compliance, Omega Healthcare)

Link to original article – Click Here

Read more…


 

 

INGRESS

One of the least talked about and underestimated parts of security strategy is leadership. I think that this is something that needs more attention when it comes to strategy in general. And leadership goes into so many different aspects of a security strategy. All the way from the development of a strategy to aligning the strategy towards your organization’s mission, vision, and objectives. You as a security leader need to be able to ensure the security strategy is embraced by your stakeholders. By those in your security team and those outside of it, i.e. your organization. You are the one that needs to influence them. Without leadership skills, this will become hard. Not impossible but it will become challenging.

You may be able to create the best security strategy out there but if you can not communicate it, visually and verbally, the true value of it becomes very slim. In the worst case, it will become a cool paper dragon sitting somewhere that no one knows or cares about. And the sad thing is that I have seen this happen. Many organizations spend crap tons of resources to create those world-class strategies but too often they become useless due to that they are never communicated, explained, aligned with the organization, or operationalized adequately.

You as a security leader need to:

 

KNOW THE WAY, SHOW THE WAY & GO THE WAY.

 

There is tremendous power in a security strategy if you as a security leader can ensure that you get the support of your key stakeholders to embrace it. You are the one who needs to be able to influence those in your organization who need to be influenced. Inspire those who need to be inspired. It is not enough to do that strategy presentation once and then say: “The strategy is completed, the only thing that remains is the execution.”. Yes, I have seen this happen IRL.

I think that from a security point of view, developing and managing a security strategy is one of the most honorable tasks a security leader can be given to take on. If you are given this opportunity and task, treat it with respect. You have now been given the opportunity and power to potentially influence your organization and everyone within your organization in an infinite positive trajectory.

Developing a security strategy is not a PowerPoint exercise that is about you. A security strategy does not hold a self-existence on its own. It is developed for your organization. Not for the cybersecurity team. Yes, the cybersecurity team needs to support it and execute parts of it. For this reason, make sure to develop the security strategy together with your team. It is not a one-man show but someone needs to be leading the way. And this is the role of a security leader. You are the one that needs to lead the way.

 

MYTH-BUSTER: PART 3

 

A security strategy can only be created through a top-down driven approach.
This is not the truth. It can start from the middle or the bottom. This is less optimal and may leave some things in the strategy unaddressed. In any case, it needs to go up to the top and involve the key stakeholders in your organization, i.e. executives and senior leaders. And it needs to cascade down through your organization, to involve the key stakeholders in your organization at that level.

 

ISO 27001 and NIST CSF are equivalent to a security strategy.
No. ISO 27001 is a standard. NIST CSF is a framework. They both may be a part of the strategy in one way or another but they do not equate to a security strategy.

 

Small organizations do not need a security strategy.
No. The size of the organization does not eliminate the need for a security strategy but it will, most likely, be a factor that determines the application of it.

 

Only security subject matter experts are needed to develop a security strategy.
Totally no. They are one of the stakeholders, for example, parts of those who will operationalize the tasks needed to accomplish the desired outcome of the strategy.

 

A security strategy doesn’t need support from executive management, the board, or key stakeholders in the organization.
No. This is key to success. Make sure that you have support from your key stakeholders and include them in the development process of your security strategy. This can be done in many different ways.

 

A security strategy is the same as a security road-map.
No. A security strategy is the long-term plan and the road-map is the tactical plan, i.e. also referred to as the security program here and there.

 

A security strategy does not need to take external circumstances into consideration.
Not true. The industry the organization is operating in, the regulatory requirements, geo-political trends, threat landscape are just a few examples of external factors that need to be considered.

 

A security strategy should be a part of the IT strategy.
No. Security is not and shall not be a subordinate or a part of the IT strategy. They both support the organization but from different perspectives. IT will though be one of the key stakeholders.

 

Physical security does not need to be considered in a security strategy.
No. Physical security is one aspect that will influence the security strategy and needs to be considered.

 

There is only one way and/or method for how to develop a security strategy.
No. The development can be conducted in different ways and with the help of many different methods. There are though better and less good ways to develop one.

 
 

EPILOGUE

Developing a security strategy is not rocket science. Sure, if one has never done so before it will be a bit more challenging but it’s still doable. The task itself doesn’t require any special gifts or superpowers. One of the most important ones, i.e. leadership, was mentioned in the ingress. Another highly important “skill”, or let us call it attitude rather, is that you find it fun. If you do not find the task fun, I think the security strategy will suffer and so will your organization.

Going into a task with a less positive attitude and mindset will most often set the tone for the outcome. If you as a security leader do not find this part fun or that you have someone else in your team or network who you think is better suited for the task, there is nothing wrong in handing over the responsibility to that person. Doing so comes down to self-leadership. Know what you are good at and don’t be afraid of delegating responsibilities or tasks to people around you who might do it better. You as a security leader are the one accountable for the security strategy and still need to take ownership of the outcome. This part can’t be outsourced.

 
Developing a security strategy is not rocket science.
 
 

As I stated in the ingress, leadership skills are one of the most important skills for a security leader. This is especially true when it comes to the subject of security strategy. Don’t put yourself up on that pedestal and make it into an ego game where the task is about you. It is about your organization. And you need to do what is best for your organization. If this comes down to asking for help or letting someone else lead the work, do that. Don’t let yourself fall into the trap of limiting what your organization needs due to that you are afraid of asking for help.

Developing a security strategy is a teamwork exercise. It is not a one-man show and shall never be conducted as such. That teamwork exercise also provides a very beautiful platform for you as a security leader to develop and make sure there is inclusiveness. Make sure to spend time together with your team and stakeholders in the development phase and you will have it back multiple times throughout the execution phase. Very often I see and hear organizations downplay this part. Many rush through the strategy development phase and want to get out on the other end and start executing things. This is one way of doing it but I think that not spending “enough” time together with your security team and stakeholders will backfire.

Security strategy development is not about:

“This is how it is going to be, I have decided!”

Security strategy development is about:

“This is what WE have developed together and committed to as a team. We will make epic shit happen that will support our organization to become successful.”.

Which approach do you think will be most successful? Yes, it is a no-brainer. I recommend you as a security leader pick the one that you think will be the most successful for your organization.

Choose to become a legend, like Achilles. Choose to become the type of security leader that your organization will speak about when you are no longer there. The security leader who made an impression on your team and organization resulting in stories of you being told to others.

 
Have you as a security leader chosen to become a legend? The choice is up to you and how you want the stories about you to be told.
 
 

Achilles might have been a myth, but the stories about him are still told. Wouldn’t it be cool to become that security leader who sets those trails and creates those stories? I think it would. And I also think that it is up to each one of us as security leaders to choose how we want the stories about us to be told. We own the responsibility for the way we lead our organizations and how we want to become remembered. Choose how you want to become remembered. As a legend or not, the choice is up to you.

 

Link to original article – Click Here
Follow Henrik Parkkinen on LinkedIn – Click Here
Visit HenrikParkkinen.com 

Read more…
 

Having a diploma on the wall from your leadership coach does not mean you are a leader. Having loads of leadership coaching hours in your backpack does not mean you are a leader. Both these things increase the chances that you are a better leader compared to others who lack these investments though. But there are no guarantees.

Ticking off a course, certificate, or diploma that confirms and validates your time spent on a certain subject is a quick win and also serves as a very good starting point if you want to deepen your understanding of a certain subject. And this is a natural starting point for a leadership journey. You need to start from somewhere. But that is about it, especially when it comes to leadership. The rest is learned from practicing the things you learned in reality. But from where and how should that practice in reality start? In my previous article, SECURITY LEADERSHIP – THE JOURNEY & CREATION, I wrote about the security leadership journey and the creation of a security leader. In this article, I will explain where the journey starts.

 

WITH YOU

It starts with you and within you. If you are not capable of leading yourself, you will not be capable of leading someone else. Simple as that.

And to take away a myth out there about leadership, I will do so straight away. Technical skills are less about actual leadership. It can be an ingredient to leadership but it is not equivalent to being a leader or leading. Becoming the best one at a certain subject (technical or non-technical) does not mean that you are a leader. But here is the thing, very often the best and most technically capable person knowing the most about a certain subject becomes promoted or asked to lead. And I get it, this is very much how we perceive and interpret leadership. The best one is the one that sets the direction for the rest to follow. But is this the best way?

I see many aspiring and existing security leaders approach their career path and role in this way. They strive towards becoming the best of the best in their domain/subject of expertise and from there see that natural pivot into a manager or leadership role. It is understandable that this seems like the natural trajectory but in fact, this is not where leadership magic happens. The most technically skilled person does not need to be the best leader. This can be the case but there is no truth to that this is always the case.

Here and there this type of leadership, conducted mainly through domain expertise, is necessary but this is not always the case. Certain security leadership roles will though benefit from strong domain expertise combined with strong leadership skills. This is for example true if the security leader does not have an army (also known as a team of people) who will conduct the working tasks related to the domain expertise. In this case, there are some things that the security leader needs to consider. One of the most crucial ones is for example –> Succession Planning. How will you ensure that there are people in your organization who can backfill you if needed or if something unplanned happens? Can you ensure that your skills are transferable to other people? A good way to approach this scenario is to ensure your skills and responsibilities can be carried out by a group or team of people. Can you coach a group or team of people to share your skills and working tasks? Yes, this is a part of what is also known as Business Continuity Planning.

As I said multiple times before in several of my articles: Security is a supporting function in an organization. It is not about you or about the security team in isolation. It is about the organization. You as a security leader are there to ensure that security will support your organization to become successful.

 
Before you can lead or coach someone else, you need to have the capabilities to lead yourself. This is where leadership starts. It starts with you. Master self-leadership and the rest will become so much easier.
 
 

According to my belief, it is those you lead who will validate if you are a leader or not. Keep in mind, that there are different leadership styles out there and one style might not fit a certain type of team, individual, or situation. I personally think there are some clear attributes that make up a good and bad leader. In this article, I will focus on describing those good things. And if you do more of some of those things (that I will be talking more later) that fall into the “good” category, you will more likely become a leader that your team wants to follow.

Leadership starts with you. Before you are about to lead others, you need to be capable of leading yourself. And the better you do it, the better you will be capable of leading others. Trust me on this one! For many, this is yesterday’s news and nothing strange but for others, this is sort of an eye-opener. And to become a leader, to build yourself up to a leader the absolute first step to take is to choose to be a leader. If you do not make this choice, to be a leader, what are you going to build upon? Leaders are not born. They are to some extent built from the moment one chooses to become a leader. And the choice is first and foremost made by you, intentionally or unintentionally.

 

 

“As a leader, the first person I need to lead is me. The first person I should try to change is me.”

John C. Maxwell

 

 

Some people do not see themselves as leaders, but they take on the role naturally. And this is what I mean by these people making an unintentional choice to become “a leader”. They do the work of a leader and people are willing to follow them. You might have chosen not to be a leader, but those around you choose to follow you. In this case, you are a leader. Some call this category of leaders “informal leaders”. They have not been appointed or given a certain role but instead demonstrate attributes that make others follow them. I think that this form of leadership is one of the purest, as it shows the power of true leadership. It is not about a title, role, degree, certificate, or diploma. It is about how you make those around you feel.

And do not mix things up. A manager and a leader are not the same thing, but the two can go hand in hand. You can be a leader without being a manager. And you can be a manager without being a leader. It is up to you which type you want to be, a manager or a leader. Or the combo.

So why do we promote the most technically skilled people into leadership positions? I think this is a good question that we as security people need to ask ourselves. I think there are a couple of reasons for it. One of them is that most cybersecurity education and programs are mainly focused on technical skills and knowledge. And this is of course how it should be, as the field in itself is very technical. Nowadays, there is an increasing amount of leadership training within most education and programs, which I really like to see.

Another reason why this phenomenon is taking place is that security, to some extent, stems from a technical background with a heavy IT component. Security and IT are not the same thing, as some people tend to think. They are two different disciplines, but with some natural overlaps, as both, for example, exist to support an organization in becoming successful (in their own ways).

And then of course, if the culture in an organization promotes technical skills rather than leadership skills, this will for sure add to the equation. An organization gets the type of leadership it honors. If technical skills are what defines “good leadership” in an organization, that is the way to go. However, I do not think this is a scalable or sustainable way to create successful organizations. This is my belief though. And at the same time, I think that as a security leader you need to have a technical understanding. Leading a team or yourself in an area that is, to a very high degree, dependent on technology will become much easier if you have a technical understanding. This is how I see it, though, and I am fine with not everyone agreeing. But take a look at the conceptual model above that I have created. I think it demonstrates in a pretty good way what I mean.

So, how do you become that exceptional security leader that others want to follow and that creates new leaders? The million-dollar question. And the starting point is (as I said before):

 

It starts with you and within you.

 

If you are not capable of leading yourself you will not be capable of leading other individuals, teams, and leaders. If you are not able to lead yourself in a self-developing progressive direction you will not be able to lead others around you and make them grow.

 
 

WHAT TO DO?

The stuff I have been writing about so far is about “Self-leadership”, also known as “Personal leadership”. The same thing, but named a bit differently.

What does self/personal leadership come down to, and what skills do you need? In my own book of knowledge, personal leadership skills come down to:

 
  • Vision – you need to be capable of creating a vision for yourself. A long-term goal that you have crafted, formed around the type of leader you want to become towards yourself. It is you who decides and creates this vision for you, not someone else. If you cannot create a vision for yourself and lead yourself towards that vision, how will you be able to do so for an individual or team that you lead?
 
  • Self-reflection – you need to be capable of self-reflecting. You need to be able to tap into yourself, and coach and guide yourself towards your vision. If you can self-reflect, you will be able to find out what you need to do to become the leader you are striving for. Do you, for example, need to show yourself some more love, compassion, and strength in your mental resilience? Or maybe get better at setting goals, deadlines, and planning? If you can’t self-reflect, the actions that you need to take will be very hard to identify. I would say impossible.
 
  • Ownership – you need to take absolute ownership of your own shit and actions. Your leadership development journey is about you, and it’s you who must own the outcome. Take accountability and own every single piece of it. It is up to you. It starts with you and ends with you. If you do not want to take ownership or own the outcome, no one else will. And if you want to become the leader, in alignment with your vision, you must own the outcome.
 
  • Courage – you will need to have the courage to do those things that you find uncomfortable. To grow, and to do so continuously, you must show bravery towards yourself. If you are afraid of, for example, dealing with your past or negative self-thoughts, and choose not to do so, these things will hinder your leadership development. No one else can be brave and go through your mental or physical struggles for you. This is something you, in the end, must do on your own. Be brave and have the courage to do so.
 
  • Adaptability – you need to be able to adapt to reality as it changes. Our lives are full of surprises and unforeseen situations. You cannot plan for everything. Life and reality are not perfect. You will face situations that will test you from time to time. This will happen in your work life and private life. Make yourself comfortable with adapting to the situation that takes place. Do not try to change the world around you. Instead, try to adapt to the reality around you. This might mean that you find a certain situation very uncomfortable or stressful and you have done everything in your power to adapt. The next step, to adapt, might be to cut yourself loose and get out of the situation. This is not giving up. This is about taking ownership of yourself and your well-being. And there is a difference between “running away” and being “realistic”. You adapted to your reality and did what was necessary for you.
 

Now you might ask: are these things everything that you need to learn and be capable of? Definitely not. But this makes up a very good starting point. And if you start with these things, your foundational personal leadership skills are built on solid ground. Many of these skills are also closely related to the thing called emotional intelligence, i.e. your capability to manage and understand your own emotions, inner voice, thoughts, thinking, and those you lead.

 
 

EPILOGUE

Leadership is not about definite answers or absolute figures. It is about humans. And each human has his/her own starting point and configuration, i.e. skillset, knowledge, experiences, background, philosophy, and so forth. Telling a person to just do a little bit of this and that will not make the person a leader. That is not how you coach, guide, or lead someone or yourself.

The journey of becoming a leader is something each person needs to make on their own. And this is especially true when it comes to self/personal leadership. It is you who needs to develop your own leadership skills. Your leadership coach or mentor, who is there to guide and coach you, can only show you the way, but it is you who needs to go the way. You need to walk that path toward your vision, face the obstacles, and figure things out. Is it easy? Definitely not. Will it be worth it? Absolutely!

Personal leadership is about developing your mindset and becoming able to direct your actions to reach your desired goals. These goals can take place in your working and/or private life.

 
Leadership starts with you. And it is you who decide and define the leader that you want to be, this is up to you. You are the owner of your own vision. No one can or should be taking this away from you.
 
 

If you do not know yourself, how your mind works, or how you operate, you will not be able to fully unleash your own superpowers. Sounds like hippy shit, but this is kind of the core essence of leadership. If you do not know or understand how to unlock your own full potential, how will you be able to coach someone else or a team to do it?

You decide what form and type of leader you want to become towards yourself. This task is not for someone else to decide on. You are the owner of defining, deciding, developing, and making sure you become that form of leader you want to become.

I encourage you to take a couple of minutes and write down, if you haven’t already done it, what form of leader you want to become. What do you define as a good leader? This is the first exercise from which actions can be taken to set the trajectory towards becoming a leader. The type of leader you want to become. Make a vision. Self-reflect. Have courage. Take ownership. And adapt along your own leadership journey.

 

Link to original article – Click Here
Follow Henrik Parkkinen on LinkedIn – Click Here
Visit HenrikParkkinen.com 

 


Source: dictionary[.]cambridge[.]org

 

 

INGRESS

Security favors preparedness and preparedness comes in a couple of different forms. To simplify stuff, I would say that there are mainly two forms:

  • Current preparedness
  • Future preparedness

They are both self-explanatory. We as security leaders need to prepare our organization to take on the current things happening, such as targeted attacks, new regulations, vulnerabilities, awareness, and so forth. And the same goes for the future. We cannot and shall not sit on our asses and wait for the future to appear in front of us as a surprise. This is in fact how many organizations do it when it comes to security strategy.

Why not learn from the current and past things we have taken on to prepare our organizations for what is about to happen and what is in front of us? Everything in the future is not unknown to us, some things are but not everything. We know some things are coming our way and some stuff is here to stay. I don’t think that future preparedness needs to be that hard. But it requires at least one thing, which is:

 

Time to contemplate

 

I think that many security leaders can empathize with what I am about to write. We need time to sit down and contemplate in order to take on the future. This can take place in a quiet space or in a more organized form with colleagues or people outside of your own organization. And if we, as security leaders, do not take responsibility for doing this work, no one will do it for us. No one else knows our organizations better than we do. So why not invest the time to contemplate the future? This is one of those things that is an absolute requirement if we as security leaders shall be able to help and support our organization in taking on what is coming our way.

Ingress is completed, and some words of wisdom dropped. Let’s jump into part 2 of the security strategy myth-buster!

 

 

MYTH-BUSTER: PART 2

 

You must have an MBA, CISM, CISSP, and/or similar certification to develop a security strategy.
No. These may be helpful, though, but they do not ensure that a person will be capable of pulling off the development of a security strategy.

 

Only organizations with critical infrastructure, assets, intellectual properties, and similar need a security strategy.
No. Security favors preparedness which goes hand in hand with the subject “strategy”. Planning and preparing for what an organization needs from a current and future perspective is something each and every organization should do.

 

Small organizations do not need a security strategy.
No. The size of the organization does not eliminate the need for a security strategy but it will, most likely, be a factor that determines the application of it.

 

Only large organizations and enterprises need a security strategy.
No. See the above answer. In a large organization, the security strategy will most likely, look a bit different compared to a small organization. A security strategy does not come in a fixed format that looks the same for each and every organization.

 

A security strategy can be outsourced.
No. This:

 
 

If your IT environment and security capabilities are managed by a third party, they are accountable and responsible for your organization’s security strategy.
No. See the above answer, the same principles apply.

 

A security strategy will ensure your organization is secure.
No. The security strategy will point out the long-term plan and direction for the organization. It is the execution of the strategy that will make things secure. That cool-looking PowerPoint will not do the work or make things secure on its own.

 

A security strategy will stop breaches and data leakages from happening.
No. See the above answer. It is the operationalization of the activities within the strategy that will do the magic.

 

A security strategy is a one-time investment and exercise.
No. There should be some room to adjust the operationalization of the security strategy along the road, i.e. the security program and the projects executed. The world around us is not static, and for that reason it is a good move to keep this in mind. You cannot control what is happening around you or outside of your organization. Adjust accordingly if needed.

 

A security strategy is very expensive.
No, this is also bull sh*t. It requires investment and resources, as with everything else. The opposite is rather more true. It can be very expensive to not have a security strategy and just go out swinging and hoping for the best. I would not recommend that any organization, regardless of size, industry, geography, etcetera, do so, i.e. approach security as a pure firefight or with a very short planning horizon.

 
 

EPILOGUE

To prepare for the future, time and resources need to be invested and sanctioned. There are no crystal balls or magic wands out there, or at least not to my knowledge, that do the job for us. But at the same time, we have never been equipped with better capabilities to prepare ourselves and our organization to take on the future. What is available out there is loads of valuable information that can be used to better understand what is coming our way. The majority of the information is also available for free, for example through different experts who share their knowledge, or through podcasts, webinars, reports, websites, blogs, and so forth.

 
If you want to prepare your organization for the future, start now. The sooner you start the work, the better equipped you and your organization will be for the future.
 
 

I think that with very little time and effort almost any organization can achieve significant improvements in their future preparedness. And one of the best ways to do so is through having informed and intelligent conversations about what is coming our way. To widen our perspectives as security leaders. Gaining perspectives through picking the brains of a collective group of people will for sure add value to better understanding those potential future things that are coming our way and how they may impact our organization.

If you want to know more about how to improve your organization’s future preparedness, this is a good starting point:

 

I am a strong believer in doing things together and having a strong team around you when it comes to security. And this is especially true when it comes to security strategy and future preparedness. This is not something that a bunch of security people should do in isolation or on their own in a basement. Doing it this way will most likely leave out valuable information that your organization could benefit from. Security does not exist in isolation. Security exists to support the organization; it is not something that exists for its own sake.

And those future things that are coming our way, and that will have an impact on security, will not only come from the security industry itself. New trends and changes related to technology, geopolitics, economy, and society are just a couple of subjects that will, directly or indirectly, impact security. And trying to stay at least a little bit ahead of the curve will put you and your organization in a much better spot compared to doing the opposite. Invest time and resources in preparing for the future. Doing something is far better than doing nothing. The future is coming. And we cannot stop it, but we can prepare for it.

 

www[.]etymonline[.]com

 

 

THE JOURNEY

Security leadership, or any form of leadership, is an endless and continuous journey. It is not something you do once or fully accomplish by acing your performance in one single moment, like outperforming that final boss in a video game. Leadership doesn’t work that way.

Security leadership, as I see it and as I will explain it in my articles on the subject, is less about technical security skills or domain expertise. It is about leadership skills, although a security leader for sure needs foundational knowledge of the domain he/she is a leader in, i.e. Security.

Security leadership is less about being the best at a certain security subject or domain. But knowing a thing or two about security, in a security leadership role will for sure be helpful.

Security leadership is about the capabilities and skills you need to have as a leader to make yourself, your team, and your organization successful. To guide and coach others to grow. To lead. It is less about you and primarily about those who you lead.

Your journey to become a leader will most certainly put you in situations where you need to grow through change. The change may be big or small. You or those around you might feel the change you are making. And I think that it is a good move to be prepared for the fact that change may stir up some kind of feeling. And there is nothing wrong with it. Just be prepared for it. It can be a good move to inform those around you that you are going through your journey, for example a leadership development program.

No one ever said that leadership is easy. But it becomes as easy or hard as you make the journey. Accept that you might be tested from time to time and need to take yourself through uncomfortable situations, thoughts, scenarios, etcetera. Don’t be too hard on yourself; there is no need to make this journey into a performance or to measure yourself against someone else or another leader. Try to find joy and relaxation in your leadership journey. There is no need to rush it or force the pace of it. The journey is about you. And it is a lifelong one if you choose to become a leader. The sooner you start to accept this fact, the easier the journey will become.

 
 

 

THE CREATION

Security leadership is something that can operate on different levels and contexts. A CISO is not the one and only role where security leadership is applied in practice, this is just one of many roles. Security Directors & Managers, Functional Managers & Leaders, Architects, SOC Leads, and Risk Managers are a couple of examples where security leadership is needed.

But the thing here is, everyone might not want to take on that journey. Everyone might not choose to or want to become a leader. And this is totally fine. Leadership is not something everyone is into or finds interesting exactly like many other things in life. And the truth is that the majority of humans prefer to follow and not take the lead. This is just how it is and there is absolutely nothing wrong with this truth or being more comfortable with following or not enjoying leading.

The first thing you need to do, if you want to become a security leader, is to choose to become a leader. Yes, this is a choice you need to make. As I said, the majority of humans would rather follow. If you make the decision to become a leader, the journey and the creation begin. If you do not choose to be a leader, you cannot create the form of leader you want to become. Leadership starts with you and within you. It is not something that will come as a package with a title or role. Being a leader is not the same thing as being put in the spot or role where you need to lead. Take a second and think about this sentence once again.

From my personal point of view, security leadership (or any other form of leadership) can be conceptualized according to the below model.

 
 

As I mentioned earlier, security leadership starts with you. If you cannot lead yourself, you will not be able to lead someone else. Before you can take on the responsibility to lead individuals or teams, you need to be able to lead yourself. This is self-leadership. You need to have your own shit together and be able to direct and operate yourself in such a way that it takes you in the direction needed to reach your own goals and vision, whatever they are. Before going out there and leading others, you need to be able to demonstrate self-leadership. This is the first step in your personal journey and the creation of a security leader.

The model illustrated has as its purpose to conceptualize the relationship between leadership skills vs security skills. Both skill stacks are needed but they are weighted a bit differently depending on the circumstances you are a leader in. Think about it this way: As you become a leader who leads larger and larger teams, organizations, and other leaders your true power and capabilities as a security leader come from how well you will be able to tap into the collective strengths to achieve your desired goals. You as a leader are not supposed to have all the answers to the questions or know how things are done in detail. You will be less dependent on your personal security skills and more dependent on your leadership skills to enable the collective strengths of your team’s skills.

Your role is to make sure that those you lead and who are around you have the necessary resources accessible to accomplish the goal. Sure, you as a security leader might contribute to the smart ideas you as a team figure out, but you are not the one and only who holds all the answers. Security is a team sport, and you as a security leader, when you start to lead teams/organizations/leaders, need to be able to delegate and trust the power of your team. Your power as a security leader is the collective skills and strengths of those around you. Make sure to surround yourself with people who complement you. Don’t be afraid of, or let your ego stop you from, letting the right person with the most appropriate skills shine or execute the tasks needed so that you together as a team become successful. You are there to lead and make the team and others successful.

And no, telling someone what to do or how to do things is not leadership. This is more related to “management” or (poor) communication.

 

“No, no, no, no! I’m telling you.
This is how it is […]

 

INFO: The above exemplifies very bad leadership, management, and communication. And yes, I have been faced with this form of “leadership” a couple of times. And personally, it really doesn’t sit well with me…and is not something I practice or recommend. Going this path will most likely increase your chances of becoming less popular as a leader.

 

Here and there you as a leader will, though, need to manage situations. I believe that situations may need to be managed, but not humans. Humans should be led. They should be guided and coached. It might sound a bit philosophical, but I think that if you as a leader create an environment and climate where your team feels safe, they will need less management. But they might still need to be led, which goes hand in hand with being coached and guided. There is so much more to say about this subject, i.e. how to create a team and a safe environment & climate, and I promise to come back to the subject in another article about security leadership.

 
 

EPILOGUE

Leadership is one of the most powerful capabilities that will make or break an organization when it comes to security. Just think about it: replace good security leadership in an organization with bad and see what happens. Swap in some bad leadership in a couple of those <key_security_leadership_roles> and see what happens. I can promise you that the effects will be less positive. And I have seen this take place a couple of times. It is sad to see, but it is actually something many organizations need to go through and experience. This is also kind of a natural part of the evolution of an organization, as people come and go, rotate roles, are promoted, layoffs happen, positive and negative things happen, etcetera. And this also somewhat demonstrates the truth that security leadership is hard. It’s not something that a random dude from the street with some cool leadership Pokémon on the CV can pull off.

Leadership, regardless of whether it is related to security or not, is challenging and hard. It is not a cakewalk. It is not something everyone can do equally well. If it were, the world would look different. I am not here to save the world or all those organizations out there that lack security leadership. That would be too big a mission for me to take on.

 
What could ever go wrong on this boat trip, where these two leaders, Batman and Joker, totally drop out on their responsibilities and ownership? Circus.
 
 

But what each one of us, including myself, as security practitioners can do is make sure we practice strong self-leadership skills. We start with leading ourselves in the way that we would like to be led by a leader. If each one of us takes full ownership of the way we lead ourselves we are for sure contributing to good and strong leadership. And as I said several times before, leadership starts with and within each one of us. I think that self-leadership skills are heavily underrated when it comes to a career in security. Leadership skills will never go out of fashion.

And take this lesson with you:

 
 

Nope, that will not work out well. I have seen this take place several times in reality. Leaders going AWOL (absent without official leave) and just dropping their responsibilities and ejecting themselves from their teams. Guess what happened to these teams when leadership chose not to take on its responsibilities? Yes, it turned out to be a form of corporate circus. Or a form of boat trip where there was no direction or destination. People will after a while start to feel lost and frustrated. They will start to question things. Someone might take on the pseudo-leader role without actual mandate or authority. Some more frustration and confusion start to boil up.

Leadership is for sure a very interesting thing that does not come for free. It requires time from you as a leader to be there for those you lead. It takes time to build up a team and also to keep that team together. There are for sure self-led teams, but they are not created out of thin air or just pop up because someone comes up with the idea “We shall be a self-led team!”.

My purpose with the writing(s) about security leadership is to provide perspectives on the subject and inspire, help, and motivate others who are on their own journey to create or develop their own security leadership skills.

Through a couple of articles, I will explain the different parts of the conceptual model found in this article related to security leadership:

  • Self-leadership
  • Leading individuals & teams
  • Leading leaders & organizations
  • and of course, share my reflections and experiences from my career
 

If you want to start developing your leadership skills instantly, I recommend you contemplate the information in this article. Ask yourself at what level you currently see your own leadership skills in relation to the conceptual model. Maybe you have the courage to ask people around you how they see you as a leader? And after you find out the answer to that question, ask yourself where you want to see yourself in the future. What form of leadership skills would you like to develop? Maybe you are completely satisfied where you currently are? Or maybe you want to strengthen your self-leadership skills? Or maybe you want to improve your skills in leading a team? Only you have the answer to this question. Only you know what you want to do. It’s your choice.

 

 

 

Link to original article – Click Here
Follow Henrik Parkkinen on LinkedIn – Click Here
Visit HenrikParkkinen.com 


 

Charles Robert Darwin, 1809 – 1882

 

 

Change is constant, whether we like it or not. But it is the truth. It cannot be stopped. Change may come from both internal and external forces and requirements. It may be small or big, and more or less impactful. What we do know, still, is that change is constant. And this is one of those things that Security GRC, in the security universe, can help manage in a more controlled and systematic way. Managing change is only one part of the benefits that may come from Security GRC. But before we dive further into the benefits and the rest of this article, I will put some more context around the subject –> Security GRC.

GRC stands for Governance, Risk Management & Compliance. This article is about Security GRC.

The purpose of this article is to put my own words on the subject. I have already, kind of, talked about it in several articles and explained what it is from each letter in the acronym. But this article will serve as a short summary of what Security GRC is and also shine some light on the why, how, and when.

Security GRC is not something unique to the security industry or discipline. It is a discipline and practice that the security industry has adopted. GRC has been a thing in several other industries before it reached security. Some of these are:

  • Finance
  • Medical
  • Healthcare
  • Insurance
  • Energy
 

What these industries have in common, and have had for decades, is that they are highly regulated. SOX is one of the regulations for finance, HIPAA applies to healthcare, FDA regulations apply to food and drugs, and PCI DSS is applicable when payment cards are used for digital transactions.

These are just a few examples. The list of regulations has grown through the years and still does. Almost every industry today is, to some extent, regulated. GDPR, for example, is one of those regulations that impacts a very wide span of organizations. In Europe, almost each and every organization is impacted.

Regulations related to AI are another example of technology driving an increased need for compliance through regulation. As you might already know and have figured out, the last regulation that an organization will need to comply with has not been invented or developed at this point. There is more to come, and the list will grow longer. The piles of regulations will increase. The requirements related to compliance will not go away.

 
 

A commonly confused practice within GRC is Governance. Many confuse Governance with Management. There is a difference, and it’s pretty obvious when put into context.

Governance is, short and simple, about the bigger picture and less about the details. It is about setting the direction, strategy, and vision. These “bigger picture” things are (in general, and shall be) the board’s responsibility. The execution of the day-to-day activities is operationalized by the organization and starts out with the CEO. The CEO is not the one who will do all the work but will delegate the responsibility and accountability to the team around him/her, also known as the Executive Management Team, EMT (consisting of roles such as, for example, CFO, CMO, CIO, CISO, COO, CRO, and so forth). The EMT delegates the operationalization, to some extent or fully, to their team members (Vice Presidents, Directors, etcetera). The execution of the objectives to achieve the strategy, set by the governing body (the board), is managed throughout the organization.

This is a somewhat simplified description of how the chain of delegation and governance may take place. Factors such as the operational model and structure of an organization may make the picture look a bit different. The structure I have described is not set in stone but gives a good overview of the overall idea.

Sorry, I know! The text is very small and might be hard to read. Use the zoom function if possible, I think the illustration is valuable to study.
 
 

The takeaway is that the model I described shows how Governance can be applied to several parts of an organization to achieve the same outcomes. For example IT Governance, Financial Governance, Business Governance, Security Governance, and so forth. For each part of an organizational entity, a leadership committee (i.e., governance) establishes the strategy.

The strategy for, for example, Corporate Finance is developed by the leadership committee, which delegates the accountability and responsibility for managing the execution of the objectives to the roles in the Finance organization that operationalize the strategy.

The Corporate Finance Strategy is not something that takes place in isolation; it is aligned as a part of the overall corporate strategy, in the direction of the board’s strategy for the organization.

Properly established Governance will provide control, transparency, direction, ethics, and separation of responsibilities. Generally, Governance is responsible for the “What” and Management is responsible for the “How”.

How things are carried out in reality may, though, take different forms in different organizations. When theory meets reality, the two may not always align. More or less every organization has some form of Governance in place that serves as a decision-making body where those “bigger picture” things are discussed and decided on. And for Governance to function it needs leadership. Governance can’t exist without leadership. Establishing Governance does not mean that leadership is accomplished. These are two different things, but they go hand in hand.

There is certainly more that can and should be said about Governance but I will stop here for now. Let’s jump into the What, Why, When, & How explanation of Security GRC.

 

WHAT?

In this article, Security GRC is explained as:

A structured and holistic discipline covering the practices of Governance, Risk Management, and Compliance, i.e. GRC.

 

As you may notice, this explanation says little about “security” or about things such as protection, resilience, detection, etcetera. These things affect Security GRC or may be an outcome of the work. What the explanation is about is how the objectives are managed and actualized in alignment with the strategic direction, i.e. Governance.

Security GRC is a subset of Corporate GRC which is focused on the management and oversight of security efforts. This means that Security GRC in an organization is a part of a bigger puzzle as explained earlier in this article. It does not and shall not operate in isolation from the rest of the organization. Security GRC shall be integrated with Corporate GRC, other GRC disciplines, and the rest of the organization.

 

Sorry again, I know! The text is very small and might be hard to read. Use the zoom function if possible, I think the illustration is valuable to study.
 
 

Security is a team sport and so is Security GRC. It is not a one-man show, nor something that takes place only in a security team. It is a discipline that is established to support the organization it exists in. And yes, a tool or software for Security GRC, which helps to automate things such as evidence collection, risk reporting, and data classification, is and can be a part of the puzzle, but it is not a unicorn solution.

Before implementing a Security GRC tool or software, other things should be established. Let’s call these things the foundational components of Security GRC. These are, for example, structure, frameworks, and processes. And of course, you need to have support for the change from your stakeholders and sponsors. A tool or software should rather, as I see it, be a natural progression in an organization’s Security GRC maturity journey rather than the absolute starting point.

This principle is not unique to Security GRC though; it applies to more or less all aspects of an organization’s maturity journey. If an organization does not have people and processes available and educated on a certain subject/discipline/skill/<etcetera>, technology will provide less value. I have seen this mistake several times in many different forms of projects throughout my career: IT Service Management, Risk Management, Identity & Access Management, and Cloud Security Governance, just to mention a couple of examples. The list could have been made longer but I will stop here for now.

 

WHY?

The value gained by an organization that chooses to establish Security GRC:

Ensured compliance, mitigated risks, and an improved security posture and cyber resilience in alignment with the organization’s strategic objectives.

 

An organization that chooses to establish Security GRC will gain positive effects and added value from managing the three practices (Governance, Risk Management, & Compliance) in synchronization. Each of the three practices within GRC is, and shall be seen as, a unique perspective, and all of them serve the same overall purpose. Go back to the picture above in the What section and study the descriptions.

The practices together form a system and a holistic structure that operates as a totality. The value generated for an organization by synchronizing and integrating the three practices may for example be:

  • reduction or elimination of duplicated efforts
  • increased efficiency through the usage of common processes and methods
  • increased insight and understanding of the organization’s security and compliance posture
  • improved alignment of investments in relation to the organization’s strategic direction
 

HOW?

The establishment of Security GRC in an organization:

Shall be adapted toward the organization’s culture and not the other way around.

 

The form in which Security GRC is established may differ between organizations. A very mature organization, for example one operating in the Finance industry, will have a more “complex” setup compared to a start-up company developing software. Both of these organizations need some form of Security GRC, but the practical implementation will differ. The reasons for this include, but are not limited to:

  • Culture
  • Regulations
  • Organizational size
  • Geographical spread
  • Operating model
  • Organizational history
  • Organizational structure
 

I think it is very accurate to say that there is no one-size-fits-all Security GRC setup that can be copy-pasted into each and every organization. There are of course general recommendations and principles that make up a good starting point, but these are just that. Even the best theoretical principle or model may not become best friends with security in reality. In this article, I share some of my thoughts about Security in reality.

 

WHEN?

Security GRC shall be established when:

The organization is mature enough and sponsorship for the implementation is established with key stakeholders.

 

If an organization is not “mature” enough to establish Security GRC or the decision is not sponsored by key stakeholders the journey should not start. I am by no means saying the establishment is or shall be a cakewalk but if an organization lacks the understanding of “why” Security GRC is needed, the conversation must start here.

A very big part of an organization’s maturity related to security (independent of whether it is GRC or something else) starts from an awareness point. If the organization and the key stakeholders are not aware of why that security thing is needed, this is the starting point. And establishing this form of awareness is usually not something that is accomplished through one meeting or a quick discussion at the coffee machine.

It is up to you as a security leader to influence your key stakeholders and decision-makers in your organization to understand why Security GRC is needed. You need to create awareness and explain why, what, when, and how Security GRC is needed. If you identify that an organization is in need of it, don’t sit and wait for it to happen. It is up to you to lead the way. You need to influence your organization to realize the values of it. Communication. It’s up to you as a security leader.

 

EPILOGUE

Most organizations have some sort of Governance established. In some places it is more formalized, in other places less. My observation is that this depends on what an organization requires and how mature it is.

Just because you as a security leader identify the need for an organization to implement Security GRC does not mean they are mature enough for the change. Or that they actually need it in the way you want to implement it. And the key thing here is “change”. Change requires inclusion, and to create inclusion, leadership is required.


How big is the change? How fast is the change? How <insert> is the change? What we know about change, is that it is constant. Adaptability is key. The reality will constantly be changing.

 
 

Implementing Security GRC is a change, small or big depending on where the starting point is…as I explained earlier in the article. Adapt the change and the establishment of Security GRC to fit your organization; it will never, or only with a very small chance, work the other way around.

And implementing Security GRC is not about implementing a certain tool or software. This may be a part of the establishment but should not be the first place or starting point. This is how many organizations do it, and I understand it. Going with a tool/software implementation before the establishment of adequate core processes and structures, such as, for example, a Governance structure & framework, a Risk Management framework & processes, and a Compliance framework & auditing processes, will most likely lead to a less optimal outcome. I wouldn’t recommend the starting point to be from a tooling/software orientation. It should be the other way around –> structure, frameworks, and processes.

You are the expert who is there to show the way, know the way, and go the way. Actions speak louder than words but before you start taking action on this subject, make sure to have your sponsors and key stakeholders with you on the change. This is key to any change.

 

Link to original article – Click Here
Follow Henrik Parkkinen on LinkedIn – Click Here
Visit HenrikParkkinen.com 


Visiting the Amazon rainforest is the coveted dream of many nature lovers and wildlife enthusiasts from around the world. However, visiting the world’s largest tropical rainforest is not free of dangers as the forest houses some of the most deadly creatures known to us (and maybe deadlier ones yet to be discovered).

The Amazon is home to the mighty jaguar, the powerful green anaconda, the highly toxic poison dart frogs, the shocking electric eels, flesh-eating piranhas, and more.

Thus, visitors to the Amazon are advised to be cautious and well aware of their surroundings at all times during their visit to the rainforests. Here we describe some of the deadliest creatures of the Amazon and why we consider them so.

However, in the end, we must remember that most of these creatures mentioned below are facing threats to their survival due to human activities. Now, who is deadlier, them or us, is a question we have to think over.

source: www[.]worldatlas[.]com

 

Comparable to the Amazon jungle, there are threats in the digital and cyber landscape that we as individuals and our organizations need to be aware of. As our world becomes more digitalized and as technology evolves, so do the threats targeted against us and our organizations. I have written more about the challenges and contemplations around the subject in this article, Creation of Resilience. Together!.

From a security perspective (Cyber Security, Information Security, and IT security) a Threat is part of a risk. Today they are real and become more and more advanced, nasty, and harmful each year.

This article will look into “Threat” from a micro perspective, in the same way as for risk in the article I mention below. The perspective I will provide on what a threat is equals the illustration below.

A close look, from a micro perspective, of what a threat is. It is part of a risk and at the same time consists of unique elements, i.e. Actor, Action, Motivation, and Capability.
 
 

I will explain what a threat is, what it consists of, and the different characteristics and types of threats. You will, after reading this article, have a broader and deeper understanding of what a threat is and what makes up one.

If you are interested in reading more about risk, in the context of security I recommend you to read this article “What is Risk. Explain & Modeled”.

 

WHAT IS A THREAT?

When it comes to Threats in the security universe, an important thing to keep in mind is:

 

Threats can not be controlled.

 

Think about a threat as something that is out of your control, like in a sports game between two teams where there are offensive and defensive tactics taking place back and forth. You, and your team, cannot control the offensive tactics and strategies of the other team or the other way around.

In this scenario, it does not matter how much you yell at the referee or at the other team’s players, coaches, leaders, or the audience. This is a total waste of energy. You are focusing your efforts on the wrong place. And the results will be slim. You will get to train your rah-rah capabilities…and yeah, that is about it. What you can control is your own team’s tactics and strategies against your opponent.

There is an obvious reason certain coaches in team sports do not focus on stuff they can not control. And likewise for winners. They focus on winning, not on the opponent or things out of their control.

 

“Winners focus on winning.
Losers focus on winners.”

 

So why am I going with another sports analogy again, or speaking about where to focus the energy and efforts, when it comes to Security-Ville? Yes, you are right –> Security is a team sport! The same principles apply. You cannot control the actions of an opponent, i.e. an external or internal adversary. And I do not know anyone who has the psychic powers to do so. I am not one of those people at least.

 

DESCRIPTION OF THREAT

To put some context and words around what a threat is, when it comes to the security realm, the following description gives an OK explanation:

Threat – A potential cause of an unwanted incident or anything capable of acting against an asset in a manner that can result in a negative impact or consequence. A threat is in general something that cannot be controlled. For example, a hurricane, geo-political events, or cyber-criminals. When there is a human behind a threat, they are in most cases driven by two factors: skill and motivation. Skill is the knowledge they possess. Motivation is in most cases related to financial and monetary aspects.

Now I will dissect the concept of a Threat into smaller pieces and show you what a threat consists of.

 

THREAT MODELIZED

The components that a threat consists of, according to the model I have constructed and present below, are an Actor, Action, Motivation, and Capability. See Figure 1 and the explanation for each of them below, they are very much self-explanatory I would say but I give them a word or two.

Figure 1
 

ACTOR

Each Threat consists of an actor. An actor can, in this model, be external or internal. External actors are, for example, cyber-criminals, nation-states, and terrorists. Internal actors are, for example, insiders and negligent employees.

 

ACTION

Each Threat is conducted by an action. The action can be intentional or unintentional.

 

MOTIVATION

Each Threat is driven by a motivation. The motivation can, for example, be financial, political, or ideological. A negligent employee’s motivation may be a human error resulting from an unintentional action.

 

CAPABILITY

Each Threat is dependent on its capabilities. A capability is made up of the collected components that build it up, such as resources, skills, knowledge, tools, tactics, procedures, economics, technologies, and capacity.

 

To explain the model, and the elements within it, I have constructed three examples. A threat from an external perspective and two threats from an internal perspective. There are some small differences but the concept still, more or less, remains the same. See Figure 2 below.

The Threat is carried out by an Actor (Cybercriminal, Insider, Negligent Employee). Each Threat carried out by the Actor is conducted through an Action (Intentional or Unintentional). The Action is driven by a Motivation (Financial, Disgruntled, Human error). In many cases there might be more than one Motivation, for example a combination of Financial and Disgruntled. The Threat actualizes the Action and Motivation through the Capabilities (resources, technologies, tools, tactics, procedures) or may be manifested through the lack of Capabilities (knowledge, awareness).

Figure 2
 
 

In Figure 2 above there are two additional components, Target and Asset, that I did not explain above. These are not a direct component of a Threat, they are rather an indirect part of it.

Target is, as the name of the component says, what the Threat is directed towards. Asset is the actual component the Threat is attacking and targeting to compromise.

My goal here is to help you, to gain perspectives of how a Threat may manifest itself and what it consists of. To help you better understand and reflect on what a Threat is and those applicable to you and your organization.

The model is not and should not be thought of as a cyber attack kill chain or an actual attack path. An attack can and will most often contain several sequences. This model has the purpose of conceptualizing what a Threat consists of.

The model should not be confused with, or seen as something comparable to, for example MITRE ATT&CK or frameworks for Threat modeling. These frameworks do a much better job of detailing which TTPs (Tools, Tactics, and Procedures) are applicable in relation to an actual attack path. MITRE ATT&CK is also a good way to go when constructing and developing hunting queries, detection rules, or gaining more “in real life” knowledge of how a threat is actualized through an attack path.

 
 

REFLECTION

A Threat is driven, mainly when there is a human behind it, by motivation and capabilities. This statement is not applicable to environmental threats.

Environmental threats are still applicable to the security universe as they can for example cause outages and disruptions that can result in a negative impact on an organization. More than once, and if history is a predictor of future events, environmental threats have had significant negative impacts on for example leading cloud service providers.

These cases will keep taking place even for those with world-class data centers or security capabilities in place. These threats are those that are less likely and take place with a lower frequency but come with a high negative impact.

 

“Anything that can go wrong will go wrong.”

Murphy's law

 

Is there a need to have an understanding of a conceptual model to understand or think about what a threat is? In general, I would love to say –> No.

But the fact is that the security universe is kind of complex. That does not mean that we need to speak of it or make it more complex than it actually is. And the purpose of my models is not to make sh*t more complex than it already is. It is actually the opposite.

The fact is that many security professionals do not even know the difference between risk, threat, and vulnerability. Yes, this should not be the case but this is the reality still today (when this article was first written in 2024). And to shine some light on the subject and help people to better understand the composition of a threat, this is my attempt to do so. Keep in mind though, this conceptual model is just that. It is a conceptual model. It zooms in on the subject Threat from a closer perspective and exemplifies how the manifestation may take place and why.

I think that a security professional should understand what a Threat is and how it is built up. A Threat is not the same as a Risk or a Vulnerability. Here there is still very much confusion in the industry. And I think that in many cases confusion is created around the subject because standards, frameworks, and models similar to my own each look at a Threat from a different viewpoint. There is no one-and-only definition out there that we as security people are unified around. And to be clear, that is not the intent of this article. The purpose is to illustrate and exemplify what a Threat is from a conceptual perspective.

 
 

EPILOGUE

Threats that are not understood or identified by your organization are potentially more harmful to the organization. This is because you and your organization lack the understanding of how it may impact you and/or where it is coming from.

If you are facing a new opponent, that you have never played a game against before, I think that one way to close a bit of the gap is to gather some intel of the opponent. Intel about your opponent will not necessarily make you win the game but it will increase your awareness, of for example their offensive tactics, and general preparedness.

The same ideas can be applied when it comes to Cyber Threat Intelligence (CTI). It can be snake oil but it can also be value-adding if it is translated into actionable information that can be applied. But for now, I will leave the subject of CTI hanging here. I think that almost every organization can increase its security awareness if it starts to analyze its threat landscape more systematically. And this can be done without CTI.

 
 

To better understand the effects, of a negative impact of a threat being actualized, I recommend conducting asset valuation. I know that asset management is a pain for almost every organization but at least conducting asset valuation of the crown jewels in your organization will put you in a better position compared to not doing so.

Keep this in mind: without a valuation of the asset that a threat is targeting in your organization, it is going to be hard to:

  • understand the negative impact from a business and organizational perspective
  • evaluate and implement adequate security controls in relation to the asset value
 

Conducting an asset valuation may take one or more of the following factors into consideration:

  • Monetary or financial loss
  • Loss of productivity
  • Loss of competitive edge
  • Loss of intellectual property
  • Loss of operational capability
  • Loss of business continuity
  • Penalties related to contractual breach
  • Penalties related to regulatory violations
  • Damage to the organization’s brand
  • Negative effects from an internal or external compliance perspective
 

In short, it will be much harder for you to protect your organization’s assets in relation to their value because you do not know how to do it or against whom. If you want to know more about how to protect your crown jewels, take a look at this article.

 

Link to original article – Click Here
Follow Henrik Parkkinen on LinkedIn – Click Here
Visit HenrikParkkinen.com 


Source: dictionary[.]cambridge[.]org

 

INGRESS

One of the powerful things about having been a consultant for many years, in my case 20+, is that you get to see many different types of organizations, people, and cultures. What this really gives you as a professional is a broad perspective on security and how it manifests itself in different contexts and industry verticals.

In the two sentences you just read, there is one especially strong word that I think is rarely contemplated when it comes to security. The word that I am after is:

 

Perspectives

 

I am a strong believer in simplifying things when stuff is to be explained. If we do so with security, it is mainly about three things –> People, Processes, and Technology. Each of these three things may, depending on the organization, manifest itself differently.

The different manifestations will, for a consultant who gets to experience them, perhaps add “more” perspectives. This does not need to be an absolute truth, but I think this should be the case. And this should also be a reflection and a value-adding attribute that a consultant brings with him/her into the assignments one takes on.

From which perspective do you look at the glasses? Are they half-full or half-empty? Or maybe it is both, at the same time? Half-full and half-empty.
 
 

From a customer point of view, this is one of those things, in my opinion, that also justifies the price tag for hiring a consultant. A consultant needs to, as I see it, have the capability to add more value, and not only from a subject matter expertise point of view. A customer will expect, and also pay that extra price for, those added values, i.e. the multiple perspectives gathered through that broad and diversified experience.

So, what does this have to do with the subject of security strategy? Personally, I think that to become a well-accomplished security strategist, multiple perspectives will be highly valuable. The reason is that each organization is its own creature. Each organization has its own unique characteristics. And the more exposure a security strategist has to multiple different organizations, the more perspectives the person has gained. Now the ingress is completed and the myth-buster will follow. Hang on!

 

 

MYTH-BUSTER: PART 1

 

A security strategy is only about technology.
No. Technology can be a part of it but does not necessarily need to be, although in reality this is most often the case to some extent, as many security controls are built on technology.

 

A security strategy shall only be built on risks.
No. Risk is one dimension of a security strategy. And risk reduction shall be one of the outcomes of the execution of it.

 

A security strategy shall be based on ISO 27000, or equivalent standard or framework.
No. A standard or framework is or may be a starting point that could be used for inspiration but these things are not and do not equate to a security strategy.

 

A security strategy is not allowed to be adjusted before a new one is developed.
No, this rule does not exist in reality. If there is a need to change the strategy, I strongly recommend doing so but keep your stakeholders, sponsors, and team informed about the change/adjustments.

 

A security strategy does not need to have a roadmap.
No. A strategy, independent of whether it is related to security or another context, must have a roadmap. This:

 
 

A security strategy is only created for and owned by the security team.
No. A security strategy is created for the organization. Security in an organization is a supporting function and does not exist in a vacuum.

 

A security strategy can not be created if there is no security policy in place.
No. A security strategy can be created without a security policy being in place. The policy creation might, though, need to be one of the outcomes if there is not one existing.

 

A security strategy can not be created if there is no Information Security Management System implemented.
No. See the above answer. In reality, the same principles apply.

 

A security strategy will make an organization compliant with ISO 27000, NIST CSF, and similar standards and/or frameworks.
No. A security strategy can though include activities, investments, and initiatives that will take an organization closer to or make them compliant with a certain standard or framework.

 

A security strategy must be developed by the CISO.
No. The strategy development does not need to be conducted by the CISO. The CISO will though, in most organizations, be delegated the accountability (from the management team or CxO) to ensure the strategy is developed, implemented, and followed.

 

 

EPILOGUE

One of the most limiting factors for a security leader or professional, in my opinion, is to be locked into absolute ways of how things must be done. This not only limits you as a professional from expanding your perspectives, but also puts the organization you support in a suboptimal spot that becomes limited to your ways of doing things.

I do not say that one must reinvent the wheel every single time or come up with new things for each and every situation. Security does not need to strive for “innovation” or to be something creative when solving problems, ensuring protection, or supporting an organization. But there you had it. It is about supporting the organization. This is the primary mission for security.

Reality is reality. It is not always perfect. As a security leader, you need to take it on in the form that it’s presented to you. You need to be able to adapt to reality in the form that it is presented to you. It will not always be a paved and straight path. It usually is the opposite, somewhat curvy and hilly.
 
 

Personally, I think that adaptability is key. You as a security leader need to be able to adapt to the reality you are facing. By doing so you will take on the reality in the form as it is presented to you. And the reality is not always perfect. Approach it in the way that it is presented to you. This will lead to a broadening of your perspectives and understanding of security through the collected experience from those multiple and unique situations you are faced with.

And do not get stuck at striving for perfection. Strive to get sh*t done that is thought through and that adds value to your organization.

 


Team on me, team on 3!
1, 2, 3
TEAM!

 

You decide to or were maybe appointed to lead a team. And now you ask yourself the questions:

  • Where should I start?
  • What is expected of me from those I will lead?
  • What decisions am I expected to make?
  • What are the actions I need to take to form the team?
  • What <insert question here>?

I think the rabbit hole of questions can become endless. And for some security leaders, or leaders in general independent of the domain where they lead, there are very few questions. They know what to do, how to do it, what is needed, and where to start. This is not as clear for everyone in a leadership role or position, or in each and every situation. Each of us as leaders and humans comes with our own experience and knowledge from the past related to leadership.

 

THE TEAM

What is a team? Have you ever thought about it? Have you ever sat down and discussed this subject with those you lead? If you haven’t, this is a very good starting point for you as a leader together with those who you lead to have a conversation around. And I can almost for sure say that you will get a bunch of different answers. And guess what? There is nothing wrong with those answers or that they sprawl. I would say that it is the opposite. This exercise aims to bring out those perspectives so that you and your team can agree on what a team is. If each team member doesn’t share the same understanding or perspective of what a team is, how will you be able to form one?


Keep this one in mind: “team” can and will mean different things in different forms and situations. A team can be a composition of a formal and/or appointed leader and a set of individuals who together have a common goal. Or it can be a composition of a group of leaders operating at the same hierarchical level in an organization. Or it can be two individual contributors, from two different parts of an organization or different organizations. These are just three examples, I think you get the drill. A team can and will take different forms.

For me, a team is much more about forming a common mentality and attitude compared to rank, role, hierarchy, stripes on the shoulder, skill level, and all that jazz. Many call this “common values”. Whatever it is called, a simple and effective exercise to do in a team, to very quickly understand each other, is to form a list of “Dos & Don’ts”. Two of my personal favorites on that “Don’t” list, which I have carried with me and have used for years, are:

  • Don’t be an asshole
  • No backstabbing
 

I don’t think any further explanation is needed of what they mean or how they can be manifested. They are pretty clear, aren’t they? I think that most of you reading this article understand what they mean and have some sort of personal reference. Every one of us has to some degree experienced them both. And these forms of mentalities, attitudes, and behaviors are for me not ok in a team. A team can still experience the things I listed, but the thing here is that if you and your team agree that this is not something that is ok, you all have agreed that it is also ok to say “Hey, this is not ok! Your type of behavior, mentality, attitude, way of doing things is not aligned with our agreed <values/principles/agreed rules/…>.” And you, as a leader, carry the responsibility to call out things that are not ok. Don’t make the mistake of letting small “don’t things” become ok. Make sure to take care of the stuff immediately; don’t let things slip. Leadership is about actions and not about those words you put down on paper.

And no, a team is not accomplished because someone decides that the word “team”, “team player” or “teamwork” shall be a core value. Or that there is something fancy written on the wall, like:

 

“We win and lose together!”

 

I love strong quotes and taglines. And I kind of like the one above as well. There is some clear power in them…if the words are practiced in reality within the TEAM. Yes, actions speak louder than words. And cool quotes and taglines can for sure be helpful to unite a team but they do not do the work on their own. They can though be a piece of a puzzle forming a strong team that provides some common foundational and agreed upon “instructions” of what a team means for each and every one.

Many high-performing teams, in the military, sports world, and corporations use taglines such as the one above to unify their team. I like it but I do not think that they are magical. They don’t “fix” a team. Fixing a team is accomplished through leadership. This is the magic. Leadership is “the magician” who can put together the pieces needed to create a strong team.

In reality, there is no form of magic that a leader needs to have. It is more or less doing the same things that are found in my article about self-leadership but applying the principles on a team.

But to answer the question, “What is a team?” I think the below words summarize it pretty well:

 

A team is a group of people who trust each other, help each other, and accomplish goals together.

 

Quite simple, at least in theory. But when practiced in reality, it is not always that simple. Leadership does not come for free or without effort. “We are a great team!” is not something that just takes place due to the leader or team member wishing this to be the case. Becoming a great and strong team is something that requires those things in that sentence to be practiced in reality. So let’s take a look at each piece of them.

 

 

TRUST EACH OTHER

I am a believer that a strong team is built on certain foundations and where trust is the most important one. If you and those within the team don’t trust each other you will not be able to bring out the best from each one or from the team as a totality. To ensure trust is established there needs to be psychological safety in the team. This means, for example, but not limited to, that each one in the team feels that they can be vulnerable, ask for help, speak up, provide feedback, be themself, are shown respect, and many other things. The list can be made longer but without psychological safety in a team it will be hard, if not impossible, to bring out the best from each one.


There are loads of exercises and methods for how to work with psychological safety in a team. And personally, I think that it is something that needs to be practiced in a continuum. You need to make it an integral part of your team’s DNA and you as a leader need to show the way. Again, actions speak louder than words. Having the courage to show vulnerability as a leader is one of the best ways to lead by action. Trying to be the alpha <*BIIIIP*> is a less good approach. Of course, if you know it all and know how everything is done. You have accomplished it all –> done everything, don’t have anything to learn from someone else, listen to someone else, or ask questions of someone else. In that case, you don’t need to listen to my advice. (Yes, I'm trolling <buuuuuhuuuuuuuu>).

 

 

HELP EACH OTHER

Being a part of a team means that you are a part of something bigger, where your team is dependent on you and your contribution. There are very few professional jobs where you are riding off into the sunset alone, i.e. not being a part of a team. In a team, there needs to be a mutual agreement that help is something everyone can ask for and provide. That cliché “A team is not stronger than its weakest link.” for sure has very much truth in it. Fixing that weakest link can many times be done if help is provided or asked for.


And for some people to be able to ask for help there needs to be a certain degree of psychological safety in a team. There are loads of professionals out there who are afraid day in and day out to ask for help. Some of these walk around with that imposter syndrome. Others are just not comfortable asking for help because that is something they never learned. But what you as a leader need to do is to form this “mentality”/culture/environment in your team. We as security leaders have the responsibility to ensure that “asking for help” is a natural part of the environment we have in a team.

But, unfortunately, this is not always the truth. These things should not take place in a team, but they do here and there. They are real and they are also, according to my empirical experience, common. Asking for help is not always a natural part of a team. You as a leader have a unique position to demonstrate how asking for and providing help shall be done. Actions. Lead by actions. Actions. Show how asking for help shall be done and be brave enough to show the way for your team.

 

 

ACCOMPLISH GOALS TOGETHER

I believe that most of us as humans have leadership capabilities within us to some extent. For some, they are more developed or activated. Some people just have them switched on. They take on a leadership role naturally and the people around them are willing to follow in their footsteps. Personally, I have seen that people who come from a team sports background have a bit of an edge here when it comes to leadership. This is not an absolute fact, but it makes perfect sense, as within a sports team there are always formal and informal leaders: those who are on the field, like a captain for example, and those leading the team in the role of coaches. And in a team sport, you are dependent on each other.

Winning a gold medal, in most sports, is not a one-man show. You need to have a team around you. Someone who challenges you. Someone who mentors you. Someone who coaches you. Someone who picks you up when you fall. Someone who inspires you. You need people around you who make you successful. Yes, some people are “self-made” champions and pros, but this is not something that goes hand in hand with security.


Security is a team sport. Security will, very few times, be a one-man show in an organization. As a security leader, you need to have a team, and your team needs a security leader who leads the team toward a common goal you have set up to accomplish together. If you have decided to be the best security team in the world, that is something. But in that case, to be the best out there in the world, you also need to go out and compete against other security teams. Becoming a world champion in something is not done in isolation from competition. But at the same time, I think that a far better goal is to establish something that is internalized and relatable to your own organization. Security is not a competitive sport against other security teams. There are very interesting “security competitions” out there of different kinds that can be used to tighten a security team. Something that challenges and creates a competitive environment where that teamwork mentality is demonstrated and practiced together. I would use these forms as something fun. Something that is a part of the journey you, as a security leader, do together with your team to grow. In the end, you as a team decide on the goal you want to accomplish. And this should be done together.

I think that a team needs to spend time together forming a common goal/vision that everyone takes ownership of. How this goal/vision will look will depend on the team. And the method for developing that team goal/vision can take different forms. There are for sure some methods I personally believe in more but in the end the goal/vision and method for developing it should also, according to my belief, be chosen to fit your team. You as a leader are there to do what is best for your team, not the other way around. But I strongly believe that the better that goal/vision is understood by everyone in the team the stronger you will become as a unit. Seeing is believing and a way to accomplish this is through using visual models and images together with feelings.

“How do we want to feel when we have reached the mountain top together and look at that beautiful sunset on the horizon?”

You as a leader shall turn that goal/vision into something visible. Make sure to do so and be consistent; spend time with your team looking at the goal/vision to focus your common efforts. Create focus and momentum, and keep going together. Show the way for your team and make it an exciting growth journey towards the goal/vision you have created together. And do not forget to celebrate when you together achieve big or small milestones, and of course when you have reached the goalposts on top of that mountain.

 
 

BORN? BUILT? CHOSEN?

I don’t think that leaders are born. I think they are to some extent built. But first and foremost, a leader is a person who has chosen to lead. As I described in my previous article, the building of a leader starts within each one of us. Maybe this sounds like a spiritual statement or awakening (and for some it is), but this is the truth. And before the building can start, the person must choose to become a leader. You do not need to be handed a role or position to lead; it can be done without a formal position. But here and there the formal appointment of a leader is needed. Someone who points out the direction and acts as a role model who inspires others and empowers the team to grow. In a utopia, a team is self-led. But this is not, as I have experienced, something that just happens because you as a team decide on it. It requires investment from each and everyone in the team. It requires that you as a leader build up a climate and environment where your team feels safe and comfortable to make decisions, make mistakes, not be judged, and feel respected –> Psychological safety.

Back to the scenario in the ingress: Now you stand there and have been given one of the most powerful positions that may impact the future trajectory of those you lead for the rest of their careers. You maybe did not choose to be a leader, but someone made the decision and chose you. And you now, as a leader, have the power to make an impact on your team for the rest of their careers and lives. Have you ever thought about the responsibility of leadership in this way before? That you might hold a responsibility that will echo through the entire lives of those people you lead? This is not some mumbo jumbo I’m coming up with. This is the truth.

More or less each one of us remembers those leaders who crushed it, who made us grow or feel unbeatable. But we also remember those doing the opposite, those who made us feel unappreciated and not respected, who threw us under the bandwagon. And here is the thing. It is your responsibility and up to you as a leader to take ownership of how you want to be remembered.

People will (most often) remember you for how you made them feel. Not how cool you were or how you performed as an individual. They will remember how you took care of the team and each one within the team.

Ask yourself:

 

How would you like to be led by a leader? When you start asking yourself these questions, the rest becomes so much easier. Trust me. But the truth is, at least according to my empirical experience, these forms of questions are less contemplated by many leaders. Too little time is spent on self-reflection and inner contemplation. Why is that?

I think one of the answers to this question is that time is not really invested or sanctioned for leaders to sit down and reflect. Or the other way around: leaders do not invest the time. In the end, it is up to you as a leader to take ownership of your growth. You do not have the benefit of blaming your team for holding you back as a leader. If you are leading, you are responsible for taking the time to lead yourself and your team. And if you skip the self-reflection part, I think that growth for you and your team will stagnate at one point. Humans are humans, and the needs of your team will change over time. Growth does not take place if things remain the same over time. There needs to be some form of change that goes in the same direction as the needs of you and your team. Practicing and doing the same thing over and over will most likely not generate new results in terms of growth. Going through change is needed, normal, and what will make you and your team progress and mature.


If you have been appointed or chosen to lead, I highly recommend you spend time understanding what your team needs from you. A great way to understand your team and each individual is to sit down and listen to the team and each one of your team members. The needs of each individual will most often be slightly different. And you need to conduct this in a continuum. This is not a one-off thing that you do when setting up the team. You need to make sure to stay dialed in with your team and each individual. And this can only happen if you invest the time in these forms of conversations. You lead, you need to listen. You need to understand what your team and the individuals need. You need to coach your team and improve each individual’s self-leadership capabilities. You shall have as a goal to develop and create new leaders. Are you planning for your own succession? If not, it is a good time to start doing so. This is one of those very good exercises for each leader to take on, and it directly translates into the need to create a “Next Me”.

If you don’t spend time with your team and make them feel safe, trusted, respected, understood, and listened to, and fulfil their expectations and needs, you will have a hard time succeeding as a leader. Spend the time and invest in your team and individuals. You as a leader are the product of the collective capabilities and strengths of your team and the people around you.

 

Link to original article – Click Here
Follow Henrik Parkkinen on LinkedIn – Click Here
Visit HenrikParkkinen.com 


Our editorial team has curated the finest panel discussions from the CISO Platform Top 100 Awards & Annual Conference 2025—India’s first award ceremony that celebrates those making a meaningful impact in the world of security. 

The 16th annual conference was held at Clarks Exotica, Bengaluru, bringing together over 200 attendees for insightful keynotes, engaging panel discussions, and interactive round tables, alongside valuable networking opportunities. The CISO Platform Top 100 Awards is more than just a recognition—it reflects a commitment to advancing the cybersecurity industry and strengthening the broader ecosystem. Over the years, the community has developed and shared 500+ best practices and frameworks as part of this initiative, driving meaningful change in the industry.

 

Below is the list of the top panel discussions:

1) Implementing DPDPA For CISOs

Speakers:

- Vijay Kumar Verma, Senior VP & Head Security Engineering - BCG (Session Moderator)
- Kabilan RK, Senior Manager - Tamilnad Mercantile Bank
- Sreenivas Vempati, Director IT Governance & Cybersecurity - RR Donnelley & Sons Co
- Manikant R Singh, VP & CISO - DMI Finance Private Limited
- Vidya Jayaraman, Executive Director Information Security & Compliance - AGS Health Private Limited
- Rajiv Bahl, Sr. VP & Field CTO - St. Fox Consulting Pvt. Ltd.

Do you know how the Digital Personal Data Protection Act (DPDPA) differs from GDPR and PDPA? If not, this session is for you. It will cover consent management, data retention, third-party risks, and AI-driven security, helping CISOs craft an effective compliance strategy.

Read More...


2) Evaluating AI Solutions: Understanding The "Real" vs "Hype"?

Speakers:

- Rajiv Nandwani, Global Information Security Director - Boston Consulting Group India Private Limited (Session Moderator)
- Aamir Hussain Khan, Chief Information Security Officer - Tata Power Company Limited
- Dhiraj Ranka, CISO - TATA AIG General Insurance Limited
- Satyanandan Atyam, Chief Risk Officer (CRO) - Tata AIG General Insurance Company Limited
- Dr. Murty Ch A S, CISO - Centre for Development of Advanced Computing (C-DAC)
- Vineet Kumar Srivastava, Associate Director - Detection Engineering, Threat Detection & Response, Global Cyber Defence - CSO - GSK (GlaxoSmithKline plc)
- Natarajan Dhiraviam, Head of Cyber Security & Engineering, Sky plc

Can you distinguish real AI value from hype? If not, this session is for you. It explores how AI is driving real transformations in cybersecurity, insurance, and healthcare while helping you evaluate AI solutions effectively.

Read More...


3) 2025 Top Security Goals For A CISO

Speakers:

- Manoj Kuruvanthody, CISO & DPO - Tredence Inc. (Session Moderator)
- Dr. Ram Kumar G, Cyber Security & Risk Leader - Global Automotive Company
- Dinesh Babu K V, Assistant Vice President Information Security - Equitas Small Finance Bank Limited

Do you know the top security goals for CISOs in 2025? If not, this session is for you. It covers Zero Trust, AI-driven defense, compliance, supply chain security, and simplifying security architecture to stay ahead of evolving threats.

Read More...


4) AI For Bad vs Good: AI Use Cases For Offense and Defense

Speakers:

- Gowdhaman Jothilingam, Global CISO & Head of IT - Latent View Analytics Ltd. (Session Moderator)
- Srinivasulu Thayam, CTO - Aravind Eye Hospital
- Ram Kumar Dilli, Associate VP and Head of IT - SRM Technologies Limited
- Nantha Ram Ramalingam, Global Head of Cybersecurity - Dyson Technology India Pvt. Ltd.

Do you know how AI is being used for both cyberattacks and defense? If not, this session is for you. It explores how AI-driven phishing, ransomware, and social engineering are evolving—and how CISOs can leverage AI for smarter threat detection and response.

Read More...


5) Top Trends In Cybersecurity In 2025

Speakers:

- Arnab Chattopadhyay, Co-Founder & CTO - FireCompass (Session Moderator)
- Rajeevan Kallumpuram, Vice President, Cyber Security - National Stock Exchange of India Ltd
- Vijay Kumar Verma, SVP & Head Cyber Security Engineering - Jio Platforms Limited
- Sandeep Khanna, Director - Unique Identification Authority of India (UIDAI)
- Harshit Lohani, Sr. Sales Engineer (APMEA) & Principal MDR Consultant - Securonix
- Vishak Raman, Vice President for Sales in India, SAARC and Southeast Asia - Fortinet
- Vivian Satyam, Senior Sales Engineer - ManageEngine

Are you prepared for the evolving cyber threats in 2025? If not, this session will help you understand AI-driven attacks, rising nation-state threats, and new compliance mandates. Get actionable insights from top CISOs on building resilient defenses.

Read More...


Our editorial team has curated the finest keynote sessions from the CISO Platform Top 100 Awards & Annual Conference 2025—India’s first award ceremony that celebrates those making a meaningful impact in the world of security. 


 

Below is the list of the top keynote sessions:

1) Orientation: The CISO Platform Community

Speaker: Bikash Barai, Co-Founder, CISO Platform & FireCompass

Do you know how CISO Platform started and why it’s different from other communities? If not, this session is for you. It covers the platform's vision, its global network of 40K+ members, and how it creates real impact through frameworks, task forces, and collaboration.

Read More...


2) Future Of SIEM: AI Automation & Autonomous Cybersecurity

Speaker: Prajith E P, RSM, India South & Sri Lanka, Securonix

Is your SIEM adapting to AI-driven threats? If not, this session is for you. It explores how AI is transforming SIEM with real-time threat detection, adaptive threat modeling, and cost-effective data management.

Read More...


3) AI As A Deputy CISO

Speaker: Prashant Mali, President & Founder, Cyber Law Consulting (Advocates & Attorneys)

Can AI take on the role of a Deputy CISO in your organization? If you're unsure, this session is for you. It explores how AI can assist in policy management, compliance, and threat detection, helping CISOs streamline operations and reduce errors.

Read More...


4) Building A Resilient Digital India: Cybersecurity In The Age Of AI

Speaker: Vishak Raman, Vice President Sales, Fortinet

Is your organization prepared for AI-driven cyber threats? If not, this session is for you. It covers how AI is transforming both cyberattacks and defense, offering strategies to strengthen India's digital resilience.

Read More...


5) Software Supply Chain Security

Speaker: Cassie Crossley, VP - Supply Chain Security, Schneider Electric

Do you have a secure software supply chain strategy? If not, this session is for you. It covers real-world threats, the SolarWinds attack, and key steps to secure your development and CI/CD pipelines.

Read More...


6) Unveiling AI Powered Data Security Posture Management With DPDPA Compliance

Speaker: Thejo Murthy Thota, Lead Sales Engineering, Forcepoint

Struggling with data security posture and DPDPA compliance? This session is for you. It explains how AI-driven DSPM enhances data visibility, automates compliance, and mitigates security risks, helping CISOs strengthen their data security strategy.

Read More...
