Your Board Deck Sucks!: Why you can't get buy-in for your security program
2023-10-07, Track 2

Increasingly, boards are looking to better understand how cyber risk impacts their business and are turning to CISOs to provide that context. However, many CISOs lack the skills to translate security into business language effectively. This session will provide actionable guidance and shareable slideware for creating compelling stories about securely enabling the business through risk reduction.


This session will begin with the thesis statement that earning buy-in and budget for a security program in a private sector company requires a security leader to articulate the value of their program in the same terms the company uses to define the value of its other business goals. We will explore the fundamentals of business that would typically be found in an MBA program. We'll take a moment to understand balance sheets, cash flow, valuations, EBIT, etc. I will provide a sample CFO discussion track for determining a company's financial goals, whether they are IPO/valuation, growth (organic or M&A), share price, etc., and then explore ways that cybersecurity programs can be structured to align with each of those sets of business goals.

After the business language lexicon has been established, we will pivot into an explanation of risk quantification techniques. I will provide a talk track to help facilitate board- and executive-level risk tolerance and appetite conversations, and discuss how to determine risk exceedance. We will explore some of the common risk quantification approaches, including FAIR, Hubbard's calibrated estimation, loss exceedance curves (LECs), Monte Carlo simulation, etc. Using the idea of loss exceedance, I will illustrate how to use that information to create and populate executive-facing Key Risk Indicators.
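As an added worked example (not part of the session or the speaker's materials), the following Python script ties the quantification pieces above together: Hubbard-style calibration of a lognormal loss distribution from a 90% confidence interval, a Monte Carlo simulation of total annual loss across FAIR-style scenarios (a loss event frequency and a per-event loss magnitude each), the resulting loss exceedance curve, and an executive KRI derived from it: the probability that annual loss exceeds the board's stated tolerance, judged against its stated appetite. The scenario names, event frequencies, dollar ranges, tolerance and appetite are constructed illustrative values, not figures from the talk.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class LossScenario:
    """A risk scenario in FAIR-style terms: how often it happens and how bad it is."""
    name: str
    events_per_year: float  # loss event frequency, modelled as a Poisson rate
    loss_low: float         # 5th percentile of loss per event (90% CI lower bound, $)
    loss_high: float        # 95th percentile of loss per event (90% CI upper bound, $)


Z_90 = 3.29  # width of a 90% interval in standard deviations (2 * 1.645)

# Constructed sample scenarios (illustrative only, not data from the session).
SCENARIOS = [
    LossScenario("Ransomware outage", events_per_year=0.2, loss_low=500_000, loss_high=8_000_000),
    LossScenario("Business email compromise", events_per_year=2.0, loss_low=20_000, loss_high=400_000),
]


def lognormal_params_from_ci(low, high):
    """Hubbard-style calibration: turn a 90% confidence interval into lognormal (mu, sigma)."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / Z_90
    return mu, sigma


def _poisson(rng, lam):
    """Knuth's inverse-transform Poisson sampler; fine for the small rates used here."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_losses(scenarios, years=10_000, seed=1):
    """Monte Carlo: simulate `years` independent years and return total loss per year."""
    rng = random.Random(seed)  # fixed seed so the curve is reproducible in a board deck
    params = {s.name: lognormal_params_from_ci(s.loss_low, s.loss_high) for s in scenarios}
    totals = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            mu, sigma = params[s.name]
            for _ in range(_poisson(rng, s.events_per_year)):
                total += rng.lognormvariate(mu, sigma)
        totals.append(total)
    return totals


def exceedance_probability(losses, threshold):
    """P(annual loss > threshold), estimated from the simulated years."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def loss_exceedance_curve(losses, thresholds):
    """The LEC as (threshold, probability) points; non-increasing in the threshold."""
    return [(t, exceedance_probability(losses, t)) for t in thresholds]


def percentile(losses, q):
    """Nearest-rank percentile (q in [0, 1]) of the simulated annual losses."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, math.ceil(q * len(ordered)) - 1)
    return ordered[max(idx, 0)]


def executive_kri(losses, tolerance, appetite):
    """KRI for the board: chance of exceeding the loss tolerance, judged against the appetite."""
    p = exceedance_probability(losses, tolerance)
    return {
        "p_exceed_tolerance": p,
        "appetite": appetite,
        "status": "within appetite" if p <= appetite else "exceeds appetite",
        "expected_annual_loss": sum(losses) / len(losses),
        "p95_annual_loss": percentile(losses, 0.95),
    }


if __name__ == "__main__":
    losses = simulate_annual_losses(SCENARIOS)
    for threshold, prob in loss_exceedance_curve(losses, [1e5, 5e5, 1e6, 5e6, 1e7]):
        print(f"P(annual loss > ${threshold:>12,.0f}) = {prob:.1%}")
    # Constructed board inputs: tolerate no more than $5M in a year, with 10% appetite for exceeding it.
    print(executive_kri(losses, tolerance=5_000_000, appetite=0.10))
```

The KRI is the line a board can act on: if the probability of exceeding the tolerance sits above the appetite, the gap is what a funded control (lower `events_per_year` or a tighter loss range) has to buy down, and re-running the simulation with the post-control parameters shows the purchased reduction on the same curve.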

The next section will transition into the art of storytelling. The key to any good presentation is a compelling story. I will introduce BLUF (bottom line up front); story basics, i.e. clearly defining the beginning, middle, and end; how to create a story arc with characters, setting, sequence of events, conflict, climax, and resolution; and how to make your "ask" clear. We will look at the S.U.C.C.E.S framework and discuss the importance of making an emotional connection.

The session will end with a look at PowerPoint decks, discussing best practices for length and content and exploring some examples of ineffective templates to see why they fall short. We will then share and walk through a template based on the session guidance, discussing how to build a repeatable format that illustrates the correlation between security budget and the cost to buy down the business's risk exposure. The deck also provides a storytelling format for past accomplishments and future goals, along with a methodology to replace traditional risk scorecards or lists of NIST control findings with loss exceedance data that business leaders can use to make well-informed decisions.

Walt Powell is an accomplished cybersecurity expert and executive coach who specializes in providing executive guidance around risk, governance, compliance, and IT security strategies.
Walt has more than a decade of experience as a cyber practitioner and security leader. He is currently the Lead Field CISO at CDW and a founding member of the CDW Global Security Strategy Office. Prior to CDW, Walt was the owner and a vCISO at Left Brain Security. Through these roles, he has had the opportunity to learn from and contribute to hundreds of CISOs and their programs. Walt holds dozens of professional certifications, including CISSP, CISM, Carnegie Mellon - Heinz CISO, the Stanford Advanced Cybersecurity Certificate, and many more. He taught CISSP and CISM boot camps for years and is a member of several certification exam development committees. Walt is also an accomplished musician and father who loves to spend time with his kids.