#1676649: Welcome to Cybersecurity: Where Everything Is Made Up and the Points Don’t Matter

Description: Measuring a CISO’s performance can be tricky. For a while, a company getting breached was a “resume-generating event” for many CISOs. However, as security incidents become eventualities rather than possibilities, a CISO's performance is measured during an incident. How can we best understand a CISO's performance?

This week’s episode is hosted by me, David Spark, producer of CISO Series and Andy Ellis, partner, YL Ventures. Joining us is Mike D’Arezzo, executive director of infosec and GRC, Wellstar Health Systems.

The shift left myth

The longstanding justification for "shift left"—that fixing bugs earlier is exponentially cheaper—stems from a questionable 1980s IBM think piece, not rigorous research. While it feels intuitively correct, the idea lacks solid economic backing, especially for minor software bugs, as Chris Hughes of the Resilient Cyber Podcast pointed out. True cost escalations occur when foundational design flaws go unaddressed. Additionally, Hughes references a study showing that companies typically recover from breaches quickly, weakening the business case for "shift left" development. However, "shift left" is not without its defenses. It aligns with common sense and efficiency: building secure software from the start empowers developers, minimizes security cleanup later, and keeps engineering focused on delivering features.

Reconsidering CISO evaluations

Evaluating a CISO's performance can't be reduced to whether a company gets hacked—cyber incidents can still occur despite best efforts. As security journalist JM Porup pointed out, tying a CISO's performance to security incidents makes them a “scapegoat-in-waiting.” The more accurate measure is how well the CISO identifies risks, recommends appropriate responses, and aligns security execution with the company’s risk tolerance and resources. Keep in mind that the CISO's role varies widely across organizations, making a one-size-fits-all evaluation model ineffective. Recognizing “near misses” and celebrating preventative wins fosters better engagement across teams and reinforces the CISO's role as a proactive enabler rather than just a reactive defender.

The power of “how”

How can CISOs foster more collaborative and creative problem-solving? Start by reframing security conversations from “Can I secure this?” to “How would we secure this?” said Mike Johnson, CISO at Rivian and co-host of this very show. Rather than defaulting to a restrictive “no,” this mindset encourages dialogue that aligns security with innovation, allowing teams to explore safer alternatives without stifling progress. It's an approach that works when evaluating emerging technologies or unconventional proposals, like medical devices with potential security concerns. By shifting from gatekeeping to guidance, security leaders can foster a culture of thoughtful experimentation while still maintaining core safety principles.

Building bridges

A strong relationship with the CFO is essential for CISOs, especially as cyber investments often lack easily quantifiable returns. Success begins with framing security proposals through clear use cases and estimated costs, then refining those estimates through vendor validation and business context, argued David Ghee on CSO Online. Demonstrating risk reduction and operational benefits helps align with the CFO's priorities. However, if a CISO is going to connect with a CFO, financial literacy is critical. Don't underestimate the value of learning core accounting principles, financial metrics, and how risk is discussed in finance. Overpromising ROI is risky; CISOs should mirror how CFOs assess and communicate uncertainty, like with foreign exchange risk. While mentorship from CFOs can be valuable, what matters most is building peer-level understanding and trust. The relationship is ultimately about integrating cybersecurity into broader business thinking.

More info: https://ciso-series.beehiiv.com/p/welcome-to-cybersecurity-where-everything-is-made-up-and-the-points-don-t-matter

Date added April 15, 2025, 9:12 p.m.
Source ciso-series.beehiiv
Subjects
  • PodCasts / Webcast / Webinar / eSummit / Virtual Event etc.
  • Security Management/Strategic Security/ROI/ROSI