Cover....2
Half Title....3
Series....5
Title....7
Copyright....8
Dedication....10
Contents....11
Foreword....27
Acknowledgments....29
Author....31
Chapter 1 Introduction....33
1.1 Purpose....33
1.1.1 Target Audience....33
1.1.2 Scope of the Book....34
1.2 Why Write This Book Now?....36
1.3 Motivation and Relevance....37
1.4 Book Structure and Organization....39
1.5 Author’s Background and Perspective....41
1.6 Self-Assessment: Are You Ready for CISO 3.0?....42
Part 1 The Changing Role of the Security Leader....45
Chapter 2 What Is a CISO 3.0?....46
2.1 Introduction....46
2.2 Brief History of CISOs....47
2.3 CISO 1.0....48
2.3.1 Role Tasks of the CISO 1.0....49
2.3.2 Challenges and Limitations of CISO 1.0....49
2.3.3 The Legacy of CISO 1.0....50
2.4 CISO 2.0....51
2.4.1 Role Tasks for CISO 2.0....51
2.4.2 Challenges and Limitations of CISO 2.0....52
2.5 Road to the CISO Role....56
2.6 CISO 3.0....59
2.6.1 Why CISO 3.0?....59
2.6.2 So, What Is a CISO 3.0?....61
2.6.3 How to Become a CISO 3.0....63
2.7 Conclusion....65
2.7.1 Key Takeaways....66
2.7.2 Reflection and Exploration Questions....68
Chapter 3 The Evolving Regulatory Landscape....70
3.1 Introduction....70
3.2 Caremark Lawsuits....71
3.2.1 Defining the Reasonable Standard and Mission Critical Risks....72
3.3 Navigating the SEC’s Cybersecurity Rule....74
3.3.1 Materiality: The Heart of the Matter....76
3.4 Navigating the FTC Safeguards Rule....77
3.4.1 Requirements of the FTC Safeguards Rule....78
3.5 Navigating the NYDFS Cybersecurity Rule....80
3.5.1 Requirements of the NYDFS Cybersecurity Rule....81
3.6 Enforcement Actions and Lessons Learned....83
3.6.1 SEC Enforcement Actions....84
3.6.2 FTC Enforcement Actions....85
3.6.3 NYDFS Enforcement Actions....85
3.6.4 Risk Quantification and Materiality: Cornerstones of Reasonableness....86
3.7 Implications for CISOs: Increased Accountability....87
3.7.1 The Fallout of SolarWinds and Uber....87
3.8 Conclusion....89
3.8.1 Key Takeaways....90
3.8.2 Reflection and Exploration Questions....92
Part 2 Business and Risk Alignment....95
Chapter 4 The Language of Business....96
4.1 Introduction to the Language of Business....96
4.1.1 The Language of Business....97
4.2 The Language of Accounting....98
4.2.1 Three Core Financial Statements....98
4.2.2 Financial Statement Trends to Watch for CISOs....100
4.3 The Language of Finance....102
4.4 The Language of Economics....103
4.5 The Language of Risk....106
4.6 Determining Value and Resource Allocation....107
4.6.1 Common Financial Metrics....108
4.7 OPEX versus CAPEX and Budgeting....110
4.7.1 Lease versus Buy Scenario....111
4.7.2 SG&A and COGS for CISOs....112
4.8 Aligning Cybersecurity with Financial Business Goals....115
4.9 Conclusion....117
4.9.1 Key Takeaways....118
4.9.2 Reflection and Exploration Questions....120
Chapter 5 Ownership and Boards of Directors....122
5.1 Introduction....122
5.2 Corporate Valuations....124
5.2.1 Methods for Determining Value....125
5.2.2 Specific Valuation Methods....126
5.3 Common Ownership Structures....130
5.3.1 Publicly Held Companies....130
5.3.2 Private Equity-Held Firms....134
5.3.3 Venture Capital-Held Firms....139
5.3.4 Limited Liability Companies....144
5.3.5 Family-Owned Companies....146
5.3.6 Sole Proprietorships....149
5.3.7 Public Organizations....152
5.4 Role of the Board of Directors....156
5.4.1 Understanding the Board’s Role....156
5.4.2 The Board’s Primary Responsibilities....158
5.4.3 Key Focus Areas for Boards....158
5.4.4 Board Governance Models....159
5.5 Fiduciary Duties....161
5.5.1 Duty of Loyalty....161
5.5.2 Duty of Obedience....162
5.5.3 Duty of Care....162
5.5.4 Duty of Prudence....162
5.6 Caremark and Legal Precedents....163
5.6.1 Caremark Case....164
5.6.2 Marchand (Blue Bell Ice Cream) Case....164
5.6.3 Boeing Co. Case....164
5.6.4 McDonald’s Corp. Case....165
5.6.5 Sorenson Case....165
5.7 The CISO’s Fiduciary Duty....166
5.8 The Dynamics of Governance: Board Directors versus Executives....167
5.8.1 The BOD: The Legislative Branch....168
5.8.2 Senior Management: The Executive Branch....168
5.8.3 Communicating with the BOD....170
5.8.4 Communicating with ELTs....171
5.9 Conclusion....172
5.9.1 Key Takeaways....173
5.9.2 Reflection and Exploration Questions....175
Chapter 6 Risk....177
6.1 Introduction....177
6.2 Risk Strategy....178
6.2.1 Risk Strategy versus Security Strategy....178
6.2.2 The CISO 3.0 Risk Strategy Framework....178
6.3 Risk Overview and Definition....182
6.3.1 Likelihood versus Probability....183
6.4 Risk versus Threat....185
6.4.1 Common Misconceptions in Risk Registers....186
6.5 IT Risk versus Enterprise Risk....187
6.6 Qualitative Risk Analysis....191
6.6.1 Challenges of Traditional Qualitative Approaches....191
6.6.2 Risk Matrix: A Common Tool with Shortcomings....192
6.6.3 Moving to a More Quantitative Approach....194
6.7 Risk Quantification Basics....195
6.7.1 FAIR Framework....197
6.8 Risk Quantification in Practice....200
6.8.1 LECs: Visualizing Financial Risk....201
6.8.2 Inherent Risk on the LEC....202
6.8.3 Risk Appetite: Balancing Risk and Reward....202
6.8.4 Risk Appetite, Tolerance, and Limit on a Loss Curve....203
6.8.5 Determining Risk Appetite....204
6.8.6 Risk Appetite Statements....206
6.9 Risk Treatment Options....207
6.9.1 Risk Avoidance....207
6.9.2 Risk Transfer....208
6.9.3 Risk Mitigation....208
6.9.4 Risk Acceptance....209
6.10 Tail Risk and Black Swan Events....211
6.10.1 Black Swan Risks....211
6.10.2 Cyber Value at Risk....213
6.11 Residual Risk....215
6.11.1 Calculating Residual Risk....215
6.12 Loss Exceedance Example: Vandelay Industries....216
6.12.1 Scenario....216
6.12.2 Defining Materiality in Risk....219
6.13 The Risk Register 3.0....219
6.13.1 Risk and Control Self-Assessments....227
6.14 Integrating Cyber Risk with Enterprise Risk....229
6.14.1 COSO Alignment....232
6.14.2 Integrated Risk Management....233
6.15 DoCRA....235
6.15.1 DoCRA Principles and Practices....236
6.16 Risk for Global Enterprises....238
6.16.1 Challenges in Implementing Risk Quantification....238
6.16.2 Adapting Risk Quantification Strategies for Global Enterprises....239
6.17 Conclusion....241
6.17.1 Key Takeaways....243
6.17.2 Reflection and Exploration Questions....245
Part 3 Risk Treatment....247
Part 3A Transfer, Avoid, and Accept Risk....248
Chapter 7 Cyber Liability Insurance....249
7.1 Introduction....249
7.2 Cyber Risk Buy-Down Investment Mix....250
7.3 Commercial Cyber Insurance....252
7.4 The Changing Insurance Market....254
7.4.1 The Value Proposition of Cyber Insurance....255
7.5 A Framework for Procuring Cyber Insurance....256
7.6 Phase 1: Discovery and Self-Assessment....257
7.6.1 Determine and Understand Your Coverage Needs....259
7.7 Phase 2: Application and Prequalification....261
7.7.1 Cybersecurity Controls....262
7.8 Phase 3: Coverage Comparison and Purchase....264
7.8.1 Understanding Policy Language....265
7.8.2 Understanding Exclusions....268
7.8.3 Negotiate....270
7.9 Phase 4: Claim Readiness....271
7.9.1 Understanding Panel Providers....272
7.9.2 Put Retainers in Place....274
7.9.3 Coordinate with Legal....275
7.9.4 Ransom Brokers and Extortion Payments....275
7.10 Conclusion....277
7.10.1 Key Takeaways....278
7.10.2 Reflection and Exploration Questions....280
Chapter 8 Self-Insurance and Risk Financing....282
8.1 Introduction....282
8.2 Risk Acceptance....283
8.2.1 Business Line CBA for Cyber Risk....284
8.3 Capital Reallocation for Cybersecurity....287
8.3.1 Examples of Capital Reallocation....288
8.4 Self-Insurance for Cyber Risk....289
8.4.1 Pure Self-Insurance....291
8.4.2 Captives for Cyber Coverage....293
8.4.3 Funded Reserves....296
8.4.4 Cyber Risk Pools....297
8.4.5 Bonds as a Cyber Risk Mitigation Tool....299
8.4.6 Surety Bonds....301
8.4.7 Cyber Catastrophe Bonds....303
8.5 Risk Avoidance in Cybersecurity....304
8.6 Determining the Right Mix of Risk Treatment Methods....306
8.7 Conclusion....309
8.7.1 Key Takeaways....310
8.7.2 Reflection and Exploration Questions....312
Part 3B Risk Mitigation....314
Chapter 9 Developing a 3.0 Program Strategy....315
9.1 Introduction....315
9.2 The Role of Risk Mitigation in the Cyber Risk Investment Mix....316
9.3 Continuous Improvement....318
9.3.1 Key Pillars of Continuous Improvement in Cybersecurity....319
9.3.2 Benefits of Continuous Improvement....322
9.4 Program Assessments....323
9.4.1 Assessment versus Audit....324
9.4.2 Common Security Assessments: NIST CSF and CIS-18....325
9.4.3 The Assessment Process....327
9.4.4 Standards versus Frameworks....328
9.5 Layering Risk Quantification into Strategy....329
9.5.1 How to Leverage Risk Quantification for Strategic Planning....329
9.6 Creating a Quantified Roadmap....334
9.6.1 Security Program Strategy versus Security Program Roadmap....334
9.6.2 Leveraging Risk Quantification for Prioritization....334
9.6.3 Building the Roadmap....337
9.7 Earning Budget and Buy-in with the Quantified Roadmap....346
9.7.1 Changing the Discussion....346
9.7.2 Communicating the Quantified Roadmap to Executive Leadership....348
9.7.3 Combining Qualification and Quantification for a Powerful Narrative....350
9.8 Conclusion....351
9.8.1 Key Takeaways....352
9.8.2 Reflection and Exploration Questions....354
Chapter 10 Security Tactics and Capabilities....356
10.1 Introduction....356
10.2 Buying Capabilities, Not Tools....357
10.2.1 Why Buy Capabilities?....358
10.2.2 How to Buy Capabilities....359
10.3 Capability Assessments....360
10.3.1 Assessing Your Team’s Skills....361
10.3.2 Creating a Skills Gap Roadmap....361
10.3.3 Program and Individual Capabilities Assessments....362
10.3.4 Example Assessment Questions....362
10.4 Skills Matrix....365
10.4.1 Example....366
10.5 Capabilities Matrix....367
10.5.1 Understanding the Matrix....369
10.6 The Problem with RFPs....371
10.7 How to Shop for Capabilities Instead....373
10.7.1 Start with the Current State....374
10.7.2 Define the Desired Future State....374
10.7.3 Focus on Positive Business Outcomes....375
10.7.4 Establish Clear Requirements....375
10.7.5 Define Success Metrics....375
10.7.6 Address Current Capabilities and Deficiencies....375
10.8 Conclusion....379
10.8.1 Key Takeaways....380
10.8.2 Reflection and Exploration Questions....382
Chapter 11 Leading Effective Teams....384
11.1 Introduction....384
11.2 Understanding Security Roles....385
11.2.1 The NIST NICE Framework....388
11.3 Insourcing versus Outsourcing: A Strategic Choice....391
11.4 Insourcing....397
11.4.1 Hiring....398
11.4.2 Training....399
11.4.3 Retention....400
11.4.4 Career Pathing and Succession Planning....403
11.4.5 The CISO as a Talent Magnet....404
11.5 Leading through Change....408
11.5.1 Key Tenets of Change Leadership....409
11.5.2 Change Management Models....411
11.5.3 Behavioral Change Management....414
11.5.4 Influence and Persuasion....415
11.5.5 Gamification....415
11.5.6 Building a Positive Security Culture....419
11.6 The CISO 3.0 as a Leader....420
11.6.1 The CISO’s Self-Assessment....422
11.6.2 Assessments and the CISO Wheel....425
11.7 Conclusion....428
11.7.1 Key Takeaways....429
11.7.2 Reflection and Exploration Questions....431
Chapter 12 Security Tactics....433
12.1 Introduction....433
12.2 Identity Centricity....433
12.2.1 Insider Threats....436
12.3 Zero Trust....439
12.4 Continuous Monitoring....449
12.4.1 Continuous Threat Exposure Management....451
12.4.2 CTEM and AI....454
12.4.3 CTEM and the Development of Meaningful KPIs....455
12.5 Cloud-Native Protection....457
12.5.1 Cloud Security Challenges....457
12.5.2 Cloud-Native Application Protection Platforms....458
12.5.3 Managing CNAPP....461
12.5.4 The CISO 3.0 and Cloud-Native Security....461
12.6 Data Governance....462
12.6.1 The Data Governance Lifecycle....462
12.6.2 Modern Data Platforms....464
12.6.3 Data Lakehouse....464
12.6.4 Data Security and Protection....465
12.6.5 Data Security Posture Management (DSPM) Platforms....468
12.6.6 The CISO 3.0 and Data Governance....470
12.6.7 Data Privacy....471
12.7 Bringing the Capabilities Together....477
12.7.1 Integrating Capabilities into the SOC: The Fusion Center Approach....479
12.7.2 Alternative to Fusion Centers: The Risk Exposure Center....482
12.7.3 Integrating Identity into SOC Operations....485
12.7.4 Integrating Data Privacy into SOC Operations....487
12.8 Conclusion....489
12.8.1 Key Takeaways....490
12.8.2 Reflection and Exploration Questions....492
Chapter 13 Modern Cyber Resilience....494
13.1 Introduction....494
13.2 Black Swan Risks....496
13.2.1 Antifragility....497
13.3 Cyber Resilience....498
13.3.1 Building Cyber Resilience....499
13.4 Quick Win Steps to Begin Your Cyber Resilience Journey....500
13.4.1 Step 1: Risk Appetite Assessment....500
13.4.2 Step 2: Define the Minimum Viable Company....501
13.4.3 Step 3: Analyze and Document Current Capabilities....502
13.4.4 Step 4: Identify Opportunities for Improvement....502
13.4.5 Step 5: Set Targets and Test Your Plan....502
13.5 Cyber Recovery....503
13.5.1 Recovering from Immutable Backup....505
13.5.2 On-Demand versus Continuous Recovery....507
13.5.3 Building Cyber Recovery....510
13.5.4 Breach Simulation....514
13.6 Conclusion....517
13.6.1 Key Takeaways....518
13.6.2 Reflection and Exploration Questions....520
Chapter 14 AI and the Future of the CISO Role....522
14.1 Introduction....522
14.2 AI Overview....524
14.3 Security for AI....528
14.3.1 AI Governance....528
14.3.2 Policy....530
14.3.3 Regulations....531
14.3.4 Enablement Risks and Technical Challenges....532
14.3.5 Enablement Risk Examples....534
14.3.6 Implementing Controls....538
14.3.7 Third-Party Risk....541
14.3.8 AI Development....544
14.3.9 GenAI in Software Development....546
14.3.10 AI Architecture....550
14.3.11 Securing AI Applications through Threat Modeling....554
14.4 Security with AI....560
14.4.1 Security Use Cases for GenAI....561
14.4.2 AI versus Automation....562
14.4.3 Real-World AI Security Uses....563
14.4.4 SOAR and Hyperautomation....565
14.4.5 Leveraging GenAI to Augment SOC Analysts....565
14.4.6 Chatbots in Security Automation....568
14.4.7 Specialized AI Security Tools....569
14.4.8 AI and Automation for the CISO Role....570
14.5 Security from AI....573
14.5.1 Target Attacks....574
14.6 Conclusion....577
14.6.1 Key Takeaways....578
14.6.2 Reflection and Exploration Questions....580
Part 4 Bringing It All Together....582
Chapter 15 Developing Modern Metrics....583
15.1 Introduction....583
15.2 Key Performance Indicators....584
15.3 Key Risk Indicators....586
15.3.1 Leading and Lagging Indicators....587
15.4 KPIs versus KRIs....588
15.4.1 Real-World Example: From KPIs to KRIs....591
15.5 Developing Meaningful Metrics....594
15.5.1 Developing Meaningful KPIs....594
15.5.2 Common Metric Data Sources....596
15.5.3 Developing Meaningful KRIs....600
15.5.4 KRI Roadmap....601
15.5.5 KRI Identification....602
15.5.6 Example Metrics....605
15.5.7 Project Execution KRIs....606
15.5.8 Security Program KRIs....607
15.5.9 Additional KRI Ideas....608
15.5.10 Metric Development Frameworks: DIKW and GQIM....609
15.5.11 The DIKW Pyramid....610
15.5.12 Applying DIKW to Create KPIs and KRIs....610
15.5.13 The GQIM Framework....611
15.6 How to Communicate KRIs....612
15.6.1 Tailoring KRI Communication to Stakeholder Audiences....613
15.6.2 Principles of Effective KRI Communication....622
15.7 Conclusion....624
15.7.1 Key Takeaways....625
15.7.2 Reflection and Exploration Questions....627
Chapter 16 Board-Level Communication....629
16.1 Introduction....629
16.2 Communicating with the Board....630
16.2.1 The Goal of Board-Level Communication....631
16.2.2 Types of Board Meetings....634
16.2.3 Board Focus Areas....636
16.2.4 Targeting Your Message....639
16.2.5 Preparing for Questions....641
16.3 Creating Board-Level Presentations....643
16.3.1 Presentation Matters....644
16.3.2 Crafting a Cybersecurity Story Arc....645
16.3.3 Data Storytelling....647
16.3.4 Correlation and Causation....650
16.3.5 Data Visualization....650
16.3.6 Creating Compelling Data Visualizations....651
16.3.7 Understanding Attention....652
16.3.8 The Triune Brain Model and Beyond....653
16.3.9 Capturing and Maintaining Attention....654
16.4 Creating Board-Level Deliverables....655
16.4.1 Board Decks....656
16.4.2 The BLUF Slide....656
16.4.3 The Importance of Editing....657
16.4.4 Deck Content....659
16.4.5 Revenue Generation....660
16.4.6 Cost Reduction....662
16.4.7 Understanding Different Types of Costs....663
16.4.8 Cost Reduction Strategies....666
16.4.9 Cost Reduction Strategy....667
16.4.10 Building a Strong Business Case....672
16.4.11 IT or Security-Specific Balance Sheet....674
16.4.12 Risk Reduction....676
16.4.13 Board Books....679
16.4.14 Crafting Board Books....682
16.4.15 Creating Board-Level Dashboards....683
16.4.16 Creating Executive-Level Dashboards....686
16.4.17 Balanced Scorecard....689
16.4.18 Balanced Scorecard Strategy Map....695
16.5 Conclusion....699
16.5.1 Key Takeaways....700
16.5.2 Reflection and Exploration Questions....702
Chapter 17 Materiality and Disclosures....704
17.1 Introduction....704
17.2 Defining Materiality in Risks and Incidents....705
17.3 Determining Material Risk and Incidents....707
17.3.1 Rate of Change Materiality....710
17.3.2 Forecast Accuracy Materiality....711
17.4 PRIMA: Pre-Evaluated Risk and Incident Materiality Assessment....711
17.4.1 PRIMA Methodology....712
17.4.2 Examples of Risk Scenarios and Vulnerabilities....713
17.4.3 Qualitative Factors and Materiality....713
17.4.4 Rubric for Assessing Risk Criticality and Sensitivity....714
17.5 Disclosures....715
17.5.1 Examples of 8-K Cyber Incident Disclosures....717
17.5.2 The Reporting Process....719
17.6 Conclusion....720
17.6.1 Key Takeaways....721
17.6.2 Reflection and Exploration Questions....723
Chapter 18 The CISO 3.0: The Future of Cybersecurity Leadership....726
18.1 The Future of the CISO Role....726
18.1.1 The Challenges Today....728
18.1.2 Vision of the Challenges Ahead....734
18.1.3 The Future of the CISO Role: Leading the Charge....738
18.2 Conclusion....738
18.2.1 What It Means to Be a CISO 3.0....739
18.2.2 The CISO Self-Assessment: Revisited....742
18.2.3 Key Takeaways....743
18.2.4 Reflection and Exploration Questions....746
Index....748
This isn’t just a book. It is a roadmap for the next generation of cybersecurity leadership. In an era where cyber threats are more sophisticated and the stakes are higher than ever, Chief Information Security Officers (CISOs) can no longer rely solely on technical expertise. They must evolve into strategic business leaders who can seamlessly integrate cybersecurity into the fabric of their organizations.
This book challenges the traditional perception of CISOs as technical leaders, advocating a strategic shift toward business alignment, quantitative risk management, and the adoption of emerging technologies such as artificial intelligence (AI) and machine learning. It equips CISOs to move beyond their technical expertise and become business-savvy leaders able to meet the rising expectations of boards, executives, and regulators, expectations that have only grown in the wake of recent high-profile cyber events.
This book is not just about theory; it is also about action. It covers the practicalities of business-aligned cybersecurity through real-life stories and illustrative examples of the triumphs and tribulations of CISOs in the field, drawing on the author’s experience advising hundreds of successful programs, with in-depth discussions of risk quantification, cyber insurance strategies, and defining materiality for risks and incidents. It fills the gap left by other resources by giving clear guidance on translating business-alignment concepts into practice.
If you’re a cybersecurity professional aspiring to a CISO role or an existing CISO seeking to enhance your strategic leadership skills and business acumen, this book is your roadmap. It is designed to bridge the gap between the technical and business worlds and empower you to become a strategic leader who drives value and protects your organization’s most critical assets.