I'm only just beginning on my cybersecurity journey. This was amazing information. I may not be close to becoming a CISO just yet, but just having knowledge of what it takes puts you so many steps ahead. I was totally unaware that organizations had such a crappy way of simply firing a CISO based off one attack because they have such unrealistic expectations. Communication is key, as always.
Good luck on your journey, my bro. I share your sentiments too, especially that with only one break people get suspended just like that.
Thanks for the inspiration Eric.
Honestly, I was sceptical about this channel with only a few subscribers. I thought the content quality would be meh... Boy was I wrong!
I have listened to several episodes and the presentation is concise and super helpful. Thank you for all the work that goes into these videos.
Welcome aboard!
Thanks, Eric. I am really impressed with how you explained the position of a CISO and the logic behind firing CISOs.
If I may ask, could we possibly utilize the risk score metric as an alternate metric for a CISO?
The way it works is:
1. Determine an overall system security category for the component, assign the security control "baseline" (Low/Moderate/High), and calculate the initial risk score modifier.
2. Generate a risk profile for the identified components (this requires regular inputs from the systems or stakeholders).
3. The sum of all component potential risk equals the system potential risk.
And possibly reducing the risk score could be the metric to project improvements in the organization's security posture and the work of the CISO.
Would appreciate your thoughts on this.
Excellent advice and very practical information
Glad it was helpful!
Any company that is not security-specific may make the CISO independent from the CIO. In any other corporation that is a hard trend to break.
This is a good video. Thanks!
Awesome and an eye opener in setting priorities.
Hi!
Could you please give examples of how to find attempted attacks?
Thanks!
Eric,
How do we measure attempted attacks? Where do we collect data to come up with attempted attacks?
Do CISOs in the private sector have to take polygraphs?
Security posture as a metric. Give it a percentage rating. The percentage is made up of:
How many attacks per day.
How many end points are covered/not covered. (Laptops, instances, etc)
Vulnerabilities patched within given windows.
I agree attacks per day is a great metric, but you can scale that out by measuring security posture as a CISO metric.
If you are in a SaaS-type world, I'd even throw in how many pipelines have your SAST, DAST and SCA checks in place. I'd definitely throw red teaming and purple teaming into a subsection of the attacks per day. For sure those teams catch C-level attention.
Oh god, you do go deeper into this at 24:15, haha. Should have watched the entire video before posting my thoughts.
Eric - these are super helpful!!! I’d love to hear more regarding building out a security program. :-)
I am seeing a lot of talk surrounding digital business strategy, and as CISOs we need to understand this and be able to speak to the executive team in terms of a cybersecurity strategy. Could you do a Life of a CISO episode on it?
Great video. I agree, the CISO should not report to the CIO.
I'm an undergraduate student and I find this content very helpful. I want to participate in your course class in the future, insha Allah.
Have you checked out the Becoming a CISO Masterclass? You might find this useful: safe.secure-anchor.com/nl-web-ciso46668983
Just off the top of my head: give the execs both the number of attempted attacks and the number of vulnerabilities, and give them the ratio value AA/V for the month. Track that over time and see whether that ratio value is changing due to AA or V.
Great show
Could something like FAIR be of help to find the right CISO Metric?
I'm 22, I wanna be a CISO and I like it.
Hi, can you tell me the roadmap to become a CISO after high school?