17 Blog posts found
The Real Leadership Challenges around Cyber Security

The security industry needs to pivot away from “talking about things” and why they go wrong, onto “getting things done” and fixing things. This is not a problem which has – or can have – a purely technological solution. Leadership and the profile of the leaders – NOT TECHNOLOGY – are at the heart of the execution paradigm around cyber security in today’s digital world. People trust other people, and you need the right leaders to get things done around security, with the right balance of technical understanding, management acumen, personal gravitas and emotional intelligence.

The Hard Truth Around Cyber Security Awareness Programmes

Culture and governance are key to drive change around cyber security behaviours, but too many awareness programmes focus simply on superficial technical gimmicks. Stay clear of empirical and ready-made solutions: Start with focus groups, questionnaires, and interviews and measure upfront levels of staff security maturity and engagement with corporate values. There are 3 clichés that have been dominating the security awareness arena for the past decade. And here are 5 key points to build a successful cyber security culture change programme.

Towards a New Profile for the CISO

As senior executives turn a page and we enter – possibly – an execution-dominated decade around cyber security, many CISOs are just not equipped to lead. The profile of the chief information security officer (CISO) needs to change to adjust to the imperatives of the “when-not-if” era: It becomes essential to start prioritising leadership skills over technical skills and to distribute roles across a structured function, instead of looking for “unicorn” profiles: Nobody can be credible on all fronts across all functions and geographies of the business. Those profiles don’t exist, and pretending otherwise is just setting the CISO up to fail.

Cyber Security: Revisiting the Questions the Board Should Ask

It is hard to imagine a Board member today in any large organisation who would be unaware of cyber threats. Of course, priorities may vary in line with economic conditions or the general health of the business, but “cyber” is on the agenda of all Boards, and consistently rated as a top risk by many. The focus of the Board has shifted towards execution, very often in exchange for significant investments in cyber security, in particular where initial maturity levels were low.

Start-ups: Your Most Valuable Asset in the Long Run Will Be the Trust of Your Customers

Every start-up must understand that the real secret sauce is Trust: In a context of increasing levels of consumer awareness around privacy and data protection, your most valuable asset will be the trust of your customers in your product. Moving fast and breaking things has never created trust. Start-ups must build customer trust from the early days by embedding sound security and privacy practices in their products and in their culture.

Why are we still facing so many security products and vendors?

We need to reflect once more on the staggering number of products and vendors active across the cybersecurity space. Many of those products still aim to address security requirements which are as old as security good practices themselves. They should have consolidated years ago and each should be dominated by a few players – in addition to the usual big names – all bound by healthy competition. The situation is often compounded by the fact that many security tools only end up partially deployed, or simply covering a fraction of the estate – functionally or geographically.

The Business Value of Cybersecurity

It is now becoming crystal clear that cybersecurity – beyond good practice and good ethics – is quite simply good business. Demonstrating the business value of following cybersecurity best practices, however, is a problem. In fact, it is an important reason why the issue is still shifting in and out of most boards’ radars. Gut feeling alone does not make for a strong-enough case: Top executives are increasingly asking to be shown the data. Being able to show key stakeholders, in business terms, exactly what the tangible value-added of cybersecurity is will be key to finally anchoring the topic at the right level of organizations.

The Two Factors Killing GRC Practices

In many firms, the equation between Governance, Risk and Compliance around cyber security is becoming heavily weighted towards the G, and GRC functions must adjust as a result, both in terms of internal structures and in terms of interactions with other stakeholders. In particular, first line and second line must work together on this. They must trust each other and look beyond absurd and arbitrary “separation of duties” concepts, to produce meaningful data for the business, around which meaningful decisions will be made to protect the firm.

The 4 Pillars of a Lasting Cyber Security Transformation

There is no magical technology platform or service provider which can be – on its own – the answer to a fundamental transformative challenge around cyber security. The overarching challenge for the CISO lies in getting senior management to see that long-term change is rooted in a long-term vision and long-term planning, which take time to establish. Simply throwing money at the problem in the hope of making it disappear, without proper consideration of those matters, simply leads to failure and can only aggravate the perception among senior stakeholders that security is just a cost and a burden.

Cyber security is becoming a matter of good corporate governance, good ethics, and quite simply – good business.

As every enterprise is becoming more and more data-driven, it is key for the Board to realize that cyber security is becoming a central tenet both of its core business and of its social impact and governance strategies. This should be the basis on which the cyber security imperative is cemented at Board level. Right where it always belonged. Here are key factors for boards and executive management to consider in 2019 around cyber security and privacy.

What Cyber Resilience is Not About …

At the heart of cyber resilience lies a real application of “defence in depth” principles which have been well established for decades: Acting at preventative, detective, mitigative AND reactive levels, AND across the real breadth of the enterprise – functionally and geographically. It is about the enterprise being enabled by the use of data and technology, whilst remaining protected from active threats. Instead of being treated as another box checking exercise and a quick win, cyber resilience must be embedded into the right corporate structures and used to channel a different culture from the top down around cyber security.

Cloud-Native Environments: A Challenge for Traditional Cyber Security Practices

In recent years, the development of massive computing and storage capacities in the hands of a few internet juggernauts led to the rise of the cloud economy. Companies of all sizes have been moving their mission-critical servers and operations to those data centers. On the face of it, the development of Infrastructure as a Service (IaaS) should be good news for the state of cybersecurity. In this context, it is easy to believe that moving to the cloud could mean solving many of your cybersecurity issues.

Cyber Security in the “When-Not-If” Era

Many large organisations now assume that breaches are simply inevitable, due to the inherent complexity of their business models and the multiplication of attack surfaces and attack vectors which comes with it. This realisation fundamentally changes the dynamics around cyber security. Historically, cyber security has always been seen as an equation between risk appetite, compliance requirements and costs. Compliance and costs were always the harder factors. Risk was always some form of adjustment variable.

The Digital Transformation and the Role of the CISO

Privacy and security considerations are the key ingredients of digital trust and must be at the heart of any industry’s digital transformation. The necessarily transversal nature of security and privacy matters needs to be woven into the fabric of an organisation for the digital transformation to succeed over the long term. At this juncture, the traditional role of the CISO – heavily influenced by a technical bias, tactically oriented and project-driven in many firms – could become exposed.

Who wants to be a CISO?

Cybersecurity has developed a high profile in many organisations over the past few years. But who wants to be a Chief Information Security Officer these days? And at which stage in your career should you consider the move? What balance of managerial and technical experience do you need to have? And where do you go from there? Those would be valid questions for many executive positions, but when it comes to the role of the CISO, they seem to acquire a different meaning.

Towards a new model of data ownership?

In the current business paradigm, replicated since by a number of online platforms, individuals willingly provide their personal information in exchange for a service. Personal data is subsequently repackaged and sold to advertisers and marketers. The unavoidable rise of the Internet of Things will only make the issue more complex, as increasingly more intrusive and personal data will start to be collected about each of us. This poses new challenges around the issue of consent and privacy:

IoT Security: A simple matter of common sense for product developers and investors

IoT security issues arise from ill-advised prioritization and the inherently short-term culture of the tech world. Security should be seen as a fundamental requirement for any IoT product—even MVPs. As the attitude of consumers and regulators shifts around those matters, it's becoming a simple matter of good business. Frankly, given the virulence and widespread nature of cyber threats, the need to take security seriously and embed it natively into IoT products should be seen as a simple matter of common sense for product developers and investors.

Made in Boston @ The Harvard Innovation Lab