Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf


About This Presentation

"One of the main Cyber risks is to think they don't exist. The other is to try to treat all risks".

Key cybersecurity quotes, key methodologies, and advanced risk management approaches. Seeking for simplicity and efficiency in the complex realm... Do read.



TOP CYBER NEWS MAGAZINE
JANUARY 2023
HOW STÉPHANE NAPPO, 2018 GLOBAL CISO OF THE YEAR, VICE PRESIDENT, CYBERSECURITY DIRECTOR & GLOBAL CHIEF INFORMATION SECURITY OFFICER, GROUPE SEB, FRANCE, RETHINKS CYBERSECURITY
WITH STÉPHANE NAPPO
The Strategic Leaders' Perspectives on Emerging Trends

Foreword

"Sometimes people come into your life and you know right away that they were meant to be there, to serve some sort of purpose, teach you a lesson, or to help you figure out who you are or who you want to become. You never know who these people may be (possibly your neighbour, co-worker, longest friend, or even a complete stranger) but when you lock eyes with them, you know at that very moment that they will affect your life in some profound way."

The Cybersecurity Community desperately needs a positive and warm-hearted approach to confidence building, developing people, assisting in raising awareness and identifying key issues to support a culture of cybersecurity. It needs leaders, role models that encourage and inspire for transformations to be made. Mr. Stéphane Nappo is one of these leaders.
Top Cyber News MAGAZINE - January 2023 - All Rights Reserved

Innovation in Cybersecurity
Dr. Rudy SNIPPE, Netherlands

During a conference where I was talking about innovation, I was approached during the break by a man who introduced himself as Henry. 'May I ask you something', Henry asked, and went straight on without waiting for my response. 'In your presentation you stated that language is an important barrier for innovation, but also an important tool. Can you explain this to me again?'

Despite his somewhat rude appearance, Henry seemed like a nice guy, so I replied: Wow, this is quite a broad question for a short break. Language is, of course, only the first problem organizations face in development & innovation. The way in which organizations are structured is an even bigger problem, but language also plays a role here.

I won't make it too complicated. Let's do a short experiment. 'When you think of the word 'secure' from your history, what do you think of?'

Henry looked a little suspicious and said: 'On trenches, a suit of armour, defensive walls, something impenetrable.'

"Do you see any of this thinking in the approach to cybersecurity?", I asked. Henry smiled. "Secure contains cure", I continued. "Suppose you invent a system that heals very quickly after an attack? Or imagine that the concept of secure does not consist of defending and protecting, but that you can continue to do what you were doing? The (re)definition of concepts is key in development and innovation. You should always ask yourself what effect you want to cause and try to put this into words as well as possible."

'I work in cybersecurity development', Henry said. 'As you know, cybersecurity is comprehensive and complex. That is why we work with highly developed experts who really know what they are doing. Can these experts also give an impulse to development and innovation in our company through language?'

"We think in language and through language we create our own world of thought. The language in which we think, and our own world of thought, have acquired meaning in our past. That's fine until we want to develop something new and keep thinking in a language from the past. In addition, everyone has a different past and thus gives a different meaning to language and ideas. In order to innovate or develop, we must therefore look for new meanings, perhaps even for new words."

Henry, lost in thought, said 'goodbye'. We walked back to the conference room.

Dr. Rudy Snippe is the Founder of the FASS Theory (Strategy & Leadership / Complex Social Systems). Founder, Chief Executive Officer, Partner of Stocastic.World - Strategic Innovation Dynamics platform. Thesis Research Supervisor (MSc) at Nyenrode Business University.

Stéphane NAPPO, France
Vice President, Cybersecurity Director & Global Chief Information Security Officer at Groupe SEB – global market leader in the small household equipment sector, including prestigious brands: Krups, Rowenta, Tefal, Supor, WMF, Emsa, Calor, Moulinex… And present in 150 countries.

Stéphane Nappo is an internationally recognized cybersecurity leader and a senior-level cybersecurity executive with over twenty-five years' worth of experience in international finance, banking, digital services, and industry.

Previously: Global Chief Information Security Officer at Société Générale International Banking and Financial Services (responsible for cybersecurity of 40 major banks in 67 countries); Group Information Security Officer at OVHCloud – European leader in cloud computing, with a presence in 138 countries; Head of Cybersecurity Consulting dept. for Banking & Finance at VINCI - world leader in concessions, energy, and construction, in 120 countries. Throughout his career, Stéphane has taught, trained, and worked with hundreds of talented cybersecurity professionals.

Named Global CISO of the Year, and awarded the European Excellence Trophy in Digital Security in 2018, Stéphane Nappo was chosen as Global Security Executive Influencer by the prestigious IFSEC Global, and ranked among the Top Five Influential French IT & Cybersecurity experts by FORBES for the year 2021. Actively supporting diversity and Women in Cyber, Mr. Nappo was named Ally of the Year 2021 by the United Cybersecurity Alliance USA.

Passionate about innovation and business digital protection, his leadership skills have been recognized throughout the world. His articles and renowned quotes are cited in numerous books by leading experts and publishers.

By Stéphane Nappo

Everything is a risk, nothing is a risk… the dose makes the risk

A risk generally results from an unwanted outcome or negative consequence. When it comes to cybersecurity, a risk usually relates to the potential for a cyberattack or data breach to occur, which could result in financial loss, reputational damage, or other negative impacts.

As zero risk does not exist, and all actions and decisions can lead to negative consequences, it is possible to state that "everything is a risk".

However, as risk sensitivity and appetite can vary from one organization to another, and the risk level can also greatly vary depending on the specific situation, context or duration, it is possible to state that "the dose makes the risk". It means the likelihood and potential impact of an unwanted outcome are closely related to the level of exposure, vulnerability, and tolerance of the target to that risk.

A higher level of exposure, vulnerability, or business intolerance to a risk will generally result in a higher likelihood and stronger impact of an unwanted outcome on the resilience capacity.

"The evident non-tech basics are fundamental, and quite often overlooked…"

Seeking for simplicity to keep pace with threats and digital evolution

Cybersecurity complexity is skyrocketing, led by new business models, new technologies, and the ever-evolving threat landscape. Literally overwhelming the current cybersecurity model at the very moment we need it, this trend has four main drivers: technology changes, regulatory strengthening, operational transformation, and cyber threat sophistication.

In this context, simplifying cybersecurity is a necessity to help organizations better protect sensitive information, manage their digital ecosystem, comply with regulations, and reduce evolution costs. It can also make it easier for employees and contractors to apply security practices. However, rethinking cybersecurity requires a comprehensive cultural and strategic approach that goes far beyond the sole IT dimension. To succeed, we have to accept that the solution does not lie in more technology, but in re-engineering the cybersecurity philosophy.

To secure or not to secure… That is the response, not the question!

Cybersecurity is first of all a response, both proactive and reactive, to the constantly sophisticating digital threat and the need for resilience. It usually relates to the protection of digital systems, data, and users from unauthorized access, disclosure, use, modification, disruption or destruction.

To secure or not is a decision that must be driven by business stakes, the situation and the potential consequences of doing nothing. It is usually important to secure things that are critical to operations, regulation, reputation, etc. However, in some cases, when the cost or effort of securing may outweigh the potential benefits, the decision not to secure, and to adapt the business ambition, may be appropriate as well.

Cybersecurity must be considered a business value, rather than a balance due

Nowadays, cybersecurity must be considered by businesses as a value, rather than a fate or solely as a cost center.

Whether it comes to IT, OT, IoT, or online services, cybersecurity can enhance an organization's reputation and customer trust, which can be beneficial for business growth, company valuation, and long-term success. It is not only a way to protect from negative events, but also to enhance overall performance and reputation.

Conversely, given the level of cyberattacks and the severity of their impact, simply waiting and seeing, or reacting to incidents after they happen, has long ceased to be a profitable approach.

Overall, the situation today highlights the importance for organizations to promptly adopt a comprehensive cybersecurity approach, which may be positively driven by business ambition, risk management, and relevant cybersecurity measures related to systems, processes, and users.

Cybersecurity is much more than a matter of IT…

It encompasses a wide range of topics, including technology, processes, regulations, geopolitics, and human behavior. Effective cybersecurity requires a holistic approach that takes into account the various factors that contribute to an organization's overall security posture, including its interactions with its business strategy and its ecosystem.

Cybersecurity is, therefore, truly a matter of resilience.

Risk management is the process of identifying, assessing, and prioritizing the risks to an organization or individual and then taking steps to mitigate or accept those risks.

The goal of risk management is to find a balance between the cost and effort of mitigating a risk and the potential negative impact of the risk if it were to occur. Ultimately, the decision to secure should be based on a balance of risk, business ambitions, and costs, with the aim to effectively identify, protect, detect, and especially "respond to" and "recover from" a cyberattack.

One of the main cyber risks is to think they don't exist. The other is to try to treat all potential risks…

Picking battles according to emergencies, demands, or audits can be risky. It may lead to hasty or ill-informed decisions. It can also result in resources being directed away from important or long-term issues. It is important to consider the potential risk-driven consequences and prioritize accordingly.

"Fix the basics, protect first what matters for your business and be ready to react properly to pertinent threats. Think data, but also business services integrity, users' awareness, customer experience, compliance, and reputation"

Cybersecurity is Critical for Sustainability
Cristina Dolan, Global Head of Alliances, NetWitness

"What greater sustainability risk than cybersecurity risk does an organization face today?"

Cybersecurity is the most immediate, financially material sustainability and ESG risk that organizations face today. It has been weaponized by nation states, and it has become an invisible high-stakes battlefield. Covert operations can be carried out without the risk of physical retaliation, making cyberattacks an attractive option for countries to use as a means of projecting power and influence. In addition, cybercrime has become a highly profitable and growing component of GDP for some nation states, while the chances of hackers being caught are extremely low. According to the World Economic Forum Global Risks Report 2020, only 0.05% of cybercrimes are detected and prosecuted. In addition, the reporting of cybercrimes remains low, making it hard to assess how big cyber risk has become across every aspect of the connected world we live in today.

As a human-created risk, it seems logical that cyber risk should also be a manageable risk compared to natural disasters, and yet the entrepreneurial nature of motivated hackers requires a more proactive approach to protect connected organizations. The internet connectivity, data and distributed systems that power enterprises have become an integral part of modern society. Distributed workforces utilizing a variety of personal devices across corporate networks make managing corporate networks more challenging than ever.

Regulators across the globe are enforcing the reporting of cybercrimes and breaches by passing new laws that impose financial fines to encourage timely disclosures and active defense and management of corporate networks. The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance, while many states have passed local laws requiring organizations to report cyber incidents. The European Union General Data Protection Regulation (GDPR) introduced groundbreaking requirements, and the financial impact of the fines alone could implode a company. These fines present a sustainability risk that could bankrupt companies that provide critical services to society.

Sustainability and ESG have become popular topics for investors, and yet most investors lack the visibility or understanding of cyber risk. Regulatory requirements for public companies are increasing. Corporate directors are now expected to understand cyber risks in the context of corporate sustainability. The disclosure of management practices, controls, audits, and policies will be required in financial reports and regulatory filings.

"Will 2023 be the year where cybersecurity risk is finally viewed by investors, executives and leaders as the most immediate and financially material risk that organizations face today?"

Cristina Dolan, Global Head of Alliances, NetWitness, and co-author of Transparency in ESG and the Circular Economy: Capturing Opportunities Through Data

By Stéphane Nappo

The Swarm Cybersecurity: a way to repurpose & strengthen resilience?

Frequently associated too exclusively with the subjective value of trust, cybersecurity is mainly a response to the need for resilience and digital development of nation states, organizations, businesses, and individuals. In this respect, far from being a balance due, cybersecurity is a pillar for the creation of value and sustainability.

A cybersecurity practitioner for more than 25 years, I have profound respect for peers and professional practices in this very challenging discipline. However, I strongly believe that cybersecurity and resilience paradigms have to evolve in shape and strategy to keep pace with the threats' Darwinian evolution and the fact that they are boxing with no rules.

The traditional security approach aims, in most cases, to rely in fine on a central authority or system to manage and coordinate the defense against threats. Increasingly eroded by digital transformation and constant threat evolution, this traditional model leads to two growing major challenges: 1. if the central authority or system is compromised, the entire security system can be defeated; 2. this traditional model can hardly deal with information systems opening to third parties, SaaS, Cloud, and outsourcing trends that impact Business, IT, and Security activities.

As an adjunct to current practices, Swarm Cybersecurity is one interesting approach to consider and drill down into. It aims to address these challenges by using a decentralized network of interconnected organizations or devices to defend against threats.

The swarm cybersecurity notion refers to the use of a large number of elements (tools, people, processes) or other "swarms" to provide enhanced security for a network or system. These elements can be anything from IT with computers, servers and networks, to OT with industrial robots and specifics, IoT devices such as connected products, security cameras or smart thermostats, as well as teams and experts. The idea behind swarm cybersecurity is to create a decentralized network of means that can work together to detect and respond to security threats.

One key advantage of using a swarm approach to cybersecurity is that it can be highly scalable and consistent with today's outsourced and delegated digital ecosystem. As the number of devices in the information systems increases, the detection/reaction capacity of the swarm also increases. Additionally, because the swarm elements are decentralized, it can be more difficult for an attacker to target a specific device or compromise the security of the entire system.

Another benefit of swarm cybersecurity is that it can be more adaptable and responsive to fast-evolving threats. Because the devices in the swarm can communicate and coordinate with one another, they can share information about potential threats and work together to respond to them in real time. This can be especially useful in detecting and responding to sophisticated cyberattacks that may be able to evade traditional security measures.

As usual, the first challenge is to support the idea that it can be possible to achieve more with many existing things. (I can hear now some: "there is nothing new in this", "and so what!?", … ;-)

When in doubt, do remember that cyber attackers are significantly ahead regarding swarm ecosystems. Crime as a service, dark marketplaces, botnets… are effective demonstrations of their ability to federate self-organized and heterogeneous systems to converge toward a collective purpose, with an adaptive resilience to deal with technology evolutions and fight-back methods. If they can do it for offence, so can we for defense.

After decades of a purely competition-based model for companies' and individuals' development, "togetherness as a pack" is a real cultural challenge to address for cybersecurity. In parallel, the (outdated) vision of cybersecurity as a taboo still makes many actors reluctant to "unite to defend". Over and above that, the inability to act as a swarm is also the weakness used by cyber threats to attack their preys one by one.

Of course, the interest of communities is not new; nevertheless the swarm model aims to share action (detection, reaction, recovery…), far beyond only sharing information. To act as a pack increases synergies and can leverage a lot of efficiency, relying on the "less is more" model for real.

Finally, the swarm must strengthen a "versatile, organic and modular" cybersecurity, with attention not to create new systemic risks.

Overall, the goal of swarm cybersecurity is to create a network that is highly resilient to cyber threats, and able to quickly and effectively respond to any attacks that do occur.

By Stéphane Nappo

How to swarm

1. Think different, envision the whole value chain & its unity beyond boundaries or interoperability gaps:
• Shift the scope from supply chain to end-to-end value chain, including third parties and outsourced services.
• Encourage systems thinking. This discipline is helpful to quickly and efficiently encompass the cybersecurity needs.

2. Adopt a swarm model wherever possible, starting from inside your organization:
• Strengthen cybersecurity by design with a systematic first level of self-defense, alerting, or monitoring for each item (software, equipment, processes, projects, products…).
• Implementing zero trust as well as SASE principles must be a systematic reflex and rule in your organization (configurations, access rights, administration levels…).
• Break the silos when it comes to security, especially between the IT, OT and IoT dimensions. And do remember, the first silo to remove is the false impression that a perimeter fence protection still exists.
• Do remember, Swarm is not incompatible with segmentation. Quite the contrary!

3. Unite, and aim to hyperconverge with your fellow beings:
• Although you may think otherwise, this change is anyway under way. Your organization is hyperconnected, with Internet, digital business processes, and you share a lot of assets and stakes with the Cloud, SaaS, etc. Then, try to benefit from it. Share, share, share! Alerts, best practices, conjugation of forces, red-button procedures, cybersecurity agreements, requirements.
• The goal of Swarm is not to target completeness, but to cover each and every possible win-win mesh.

4. Define and enforce a set of coordinated "behaviors" to protect your fundamentals beyond your organization's boundaries:
• Investing in behaviors beyond IT systems is important. This can include communication protocols, do's & don'ts, decision-making algorithms, trigger statuses, and detection, reaction, recovery techniques.
• Additionally, you will need to develop a system for monitoring and controlling the swarm's proper functioning by parts and "as a whole", such as a decentralized network.

5. Secure at holistic AND individual levels, using "primal organic self-defense" principles:
• Your enemy is increasingly automated, so defense must respond accordingly. Attacked by robots, we cannot fight back only with humans, SOCs, and computer mice.
• The principle of primal organic self-defense is key. It must rely on simple, but automated alerts, proactions and reactions. It must be coordinated, but also able to continue to act individually in case of isolation.

Many things have yet to be thought through, refined and built. AI is also working on the SWARM model, and I thought it was important to share this approach with you. After all, SWARM is above all about sharing, without waiting, to build together more and better cooperative models relying on Swarm principles.

Let's swarm our opinions and suggestions!
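The "primal organic self-defense" and sharing principles above can be sketched in code. What follows is an added example written for this page, not code from the magazine or from Stéphane Nappo: a toy swarm of four nodes in Python, in which every node blocks on its own local evidence, shares what it blocked with its peers, accepts a shared alert only once a quorum of distinct peers has reported it (so that one compromised or noisy node cannot poison the whole swarm), and keeps defending itself when cut off from the others. The node names, the threshold and quorum values, and the IP addresses are all constructed for the illustration.

```python
"""Toy swarm defense: local self-defense, peer sharing, quorum, isolation.

Added illustration for this page, not code from the magazine. Node names,
thresholds and IP addresses below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Node:
    """One swarm element (a host, a gateway, an OT cell, a partner SOC...)."""
    name: str
    local_threshold: int = 5   # failed logins from one source before acting alone
    quorum: int = 2            # distinct peers that must report a source first
    online: bool = True        # False simulates isolation from the rest of the swarm
    peers: list = field(default_factory=list, repr=False)
    blocked: set = field(default_factory=set)
    reports: dict = field(default_factory=lambda: defaultdict(set), repr=False)

    def observe(self, src: str, failures: int) -> bool:
        """Primal self-defense: decide on local evidence, no central authority."""
        if failures < self.local_threshold or src in self.blocked:
            return False
        self.blocked.add(src)      # react individually first...
        self.share(src)            # ...then tell the pack
        return True

    def share(self, src: str) -> None:
        """Broadcast an indicator to reachable peers (a no-op when isolated)."""
        if not self.online:
            return
        for peer in self.peers:
            if peer.online:
                peer.receive(self.name, src)

    def receive(self, sender: str, src: str) -> None:
        """Accept a shared indicator only once enough distinct peers confirm it,
        so a single compromised or noisy node cannot poison the whole swarm."""
        self.reports[src].add(sender)
        if len(self.reports[src]) >= self.quorum:
            self.blocked.add(src)


def make_swarm(names):
    """Fully meshed swarm: every node is a peer of every other node."""
    nodes = {n: Node(n) for n in names}
    for node in nodes.values():
        node.peers = [p for p in nodes.values() if p is not node]
    return nodes


def run_scenario():
    """Constructed attack sequence; returns each node's final blocklist."""
    swarm = make_swarm(["A", "B", "C", "D"])
    sprayer = "203.0.113.7"
    swarm["A"].observe(sprayer, 8)        # A blocks alone; B, C, D hold one report each
    swarm["B"].observe(sprayer, 6)        # B blocks alone; C and D now hold two reports and block pre-emptively
    swarm["C"].share("198.51.100.9")      # one node asserting an indicator alone: below quorum, ignored
    swarm["D"].online = False             # D is cut off from the swarm...
    swarm["D"].observe("192.0.2.33", 7)   # ...but still defends itself on local evidence
    return {name: set(node.blocked) for name, node in swarm.items()}


if __name__ == "__main__":
    for name, blocked in run_scenario().items():
        print(name, sorted(blocked))
```

Running `run_scenario()` shows C and D blocking the sprayed address after only two peers have seen it, every node ignoring the unilateral report of 198.51.100.9, and the isolated node D still blocking 192.0.2.33 on its own. The quorum is where the "attention not to create new systemic risks" point lands: a swarm in which every node trusts every alert turns the shared channel itself into the central point of compromise the model was meant to remove.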

In Search of Excellence - Talent, Made in France
Interview conducted by Isabel María Gómez, Global Chief Information Security Officer. Madrid, Spain

Stéphane Nappo is one of the main references when talking about Cybersecurity. With a career of more than 25 years in which he has successfully demonstrated that the best way to fight cybercriminal industrialization is the digital transformation of technological environments, he is also an international keynote speaker, author, PhD researcher and key opinion leader… He is always a leadership example of paying it forward.

It is undeniable that people matter to him. I have been fortunate and honored to know him over the years.

He is an excellent human being, a humanistic leader full of qualities who builds teams in high-performance environments where communication, flexibility and active listening are an axis capable of making everyone share a common vision: a purpose and a horizon to navigate towards together.

Always at the forefront, he offers us an open and honest vision that goes beyond what we see, that makes us think outside the box, that invites us to grow as professionals and people, reaching every day our best version to offer it to our teams and collaborators without qualms.

As a CISO, what I have always admired and what has always struck me about his vision is that he is not a slave to fads. In fact, innovation is the main axis of his decisions; he has always had excellent risk control and a proactivity focused on benefits that has led him to be a pioneer in the field of cybersecurity.

Stéphane's permanent desire to learn and protect makes a chat with him totally enriching. There is freedom to discuss different strategic visions, and that environment of creativity leads to the best gains in the fight against cybercriminals. It is a privilege and an honor to be able to interview him.

I hope and wish to offer a vision that allows all of us who once chose to dedicate ourselves with dedication to cybersecurity to discover a source and a reference that brings us light on sometimes unmarked paths, and that helps a CISO in the fog to find a light that is a reference to bring the ship to a good port. What's next? Let's discover together "The Journey" and the new direction of cybersecurity for the coming years...

Global Chief Information Security Officer Isabel María GÓMEZ has long-tested experience in security and information technologies, and in the course of her career has specialized in several areas related to security. Some of them are: Risk Management, Cybersecurity, IT Continuity and Resilience, Privacy, Compliance and Digital Transformation. She also has a widespread legal, regulatory, technical, and financial background that lets her manage and coordinate efficiently different legal and technical areas. Previously, Isabel has had various executive roles reporting directly to the CEO in information security in leading companies in their respective lines of business, such as Atento, SegurCaixa, Bankia, and Medtronic.

"The Journey"

[Isabel María Gómez] Cybersecurity is a vocational choice of delivery and service, there is no doubt. What was it that drove you to dedicate yourself to it?

[Stéphane Nappo] Cybersecurity is not only a choice of career or a job, but a choice of a life and service spirit, that a few might want to live or experience. Often people ask me how and where I take time to live my life, to create a family, to build a house, plant a tree or a garden. In my thoughts. Then in reality. This is how I used to operate with my time, my strategic objectives, knowledge, and desires.

Am I always right? No! Would I choose a different lifestyle? Maybe not. Did I give up on my job, my colleagues, my projects, companies who trusted me with cybersecurity and highly confidential business and personal issues? Never did. Never will.

Like anyone these days, I am a digital citizen of our world. My peers, colleagues, friends and family can, and do, rely on my experience and expertise. I highly appreciate and treasure this trust. I build on this interest. I try every day to innovate, strategize and live this trust, that is in reality hope of opened hearts and connected minds for our lives. In this respect, global CISO is really a mission that I am proud of.

I am grateful for the cooperation and support of my peers, colleagues, followers and partners, in the world and among the very dynamic FrenchSEC in France.

[Isabel María Gómez] All of us who work in cybersecurity know that our day-to-day work is going to take place in a changing environment that requires a lot of "resilience". We are always going to be far from a comfort zone. What are, in your opinion, the skills and virtues that have helped you the most throughout your career in cybersecurity?

[Stéphane Nappo] Thank you for this question, Isabel. The truth is, we are all bounded, sometimes blinded by agreements, legal or personal, and motives, more often than we would wish for. The most difficult moments are those when we have no crisis situations; when our minds and our senses can and must have tranquillity and serenity.

The cybersecurity profession requires and expects the devoted professionals to 'never log off'. Am I different? No. Do I or did I pay the price for my decades of ever constant focus and never resting senses? I did and I do have, like any hyper-committed professional, my fair share of the 'professionally created price to pay'. Obstacles in cybersecurity activities have, like life itself, the 'colours' that we give them. I try to choose the bright and inspiring colours and tunes for the music I play.

[Isabel María Gómez] What has been the innovation that has inspired you the most?

[Stéphane Nappo] Inspired first by my two sons and peoples' cultures, but also electro and pipe organ music - my forever first love and twenty-five plus years of active contribution, is in performing as well as possible to make digital places as safe as possible.

In life, what took first my absolute attention were the engineering drawings of Leonardo da Vinci. Yes, this memory goes half a century back… Not only did I create my own drawings of motors, airplanes, and power plants, but I collected tools and materials from little bricks and tiny seashells to wheels and compasses.

From more recent innovations – Internet, and applied Artificial Intelligence, of course. Like many professionals around my age, I grew up with the computers' emergence in our lives, and I received a second birth with the arrival of the Internet. And finally - digital photography. Photo art could probably be compared to the art of painting. My masterpieces are, of course, amazing pictures of my two sons and some moments of life. This is the Stéphane Nappo that my colleagues never knew and could only imagine…

[Isabel María Gómez] One of your reference phrases is "Knowledge is the only matter that grows when we share it". In cybersecurity, we sometimes err on the side of secrecy. What are the forums you recommend most to break this tendency?

[Stéphane Nappo] Exactly and precisely the point that I always amplify when speaking at conferences, digital and live events, meetings with peers and followers. In France, we have professional forums (ANSSI, Campus Cyber, Le CESIN) and specialised conferences (FIC, Les Assises de la Sécurité, Hacktiv'Summit…). Cybersecurity is interconnected and can be a complex matter; we all must teach, train and learn. This is what brings us all together as a community. This is what makes the Cybersecurity community so special and valued among professional circles. An incredible open and free platform is the emerging phenomenon of Top Cyber News MAGAZINE, which I highly support and recommend.

[Isabel María Gómez] All of us who work in cybersecurity know that our day-to-day work is going to take place in a changing environment that requires a lot of resilience. We are always going to be far from a comfort zone. What are, in your opinion, the skills, virtues that have helped you the most throughout your career in cybersecurity?

[Stéphane Nappo] From the very first memories that take me to my beloved Provence, in France, all my future life decisions and actions, I developed a spirit of mission, sense of eagerness, justice, respect and quest for positive and devoted faith in life purpose. This leads me through all the difficulties, moments of success, doubt dispelling, and happiness. As security pathfinder, board advisor, business enabler and strategist, I believe each CISO must act as a guide with strong leadership and deep pedagogy. Each CISO has to face unpredictability and take responsibility for his/her decisions and actions.
"CISOs Need Strategic Thinking to Be Effective"
Emilio IASIELLO for Top Cyber News MAGAZINE, October 2022 edition

The Chief Information Security Officer, or CISO, is fast becoming one of the more difficult C-Suite positions to fill. The CISO role has been plagued with turnover, the average tenure lasting anywhere from 18 to 26 months. This doesn't come as a surprise, as the CISO is inundated with an array of challenges that include a nonstop barrage of diverse cyber threats seeking to exploit the enterprise he watches over, internal competition to secure budgetary resources to aid in his defense efforts, lack of authority to instil necessary change, and convincing the larger C-Suite as to why certain security measures are needed regardless of their cost. Indeed, in many ways, the modern-day CISO is the cybersecurity equivalent of Sisyphus, struggling to protect the network enterprise only to see another incident set him back on progress.

[Isabel María Gómez] One of your great passions is sharing your knowledge through writing and public speaking, giving conferences, for example. Where will we be able to listen to you in 2023?

[Stéphane Nappo] Thank you for this question, dear Isabel. My 2023 and beyond plans are continuously in deliberate development and change. It will very much depend on many factors where the role of the global CISO will change; developing me personally, while planning and strategizing.

From the good news: in France, we have paid vacations. I often use this time… days and weeks… to pre-schedule my speaking arrangements. In the last five years, for example, I delivered keynote addresses or participated in panel discussions in Paris, Zurich, Dubai, Beijing, Moscow, Prague, Berlin, New Delhi, Amsterdam, New York City, Montreal, Porto, Monaco, Deauville-Normandie, Brussels, Miami, Tel Aviv, Casablanca, Nairobi…

[Isabel María Gómez] Have you ever been tempted to leave the world of cybersecurity and redirect your career to another discipline?

[Stéphane Nappo] When times are challenging like these days and in the foreseeable future, I will be very open and honest. I will never let my personal success or difficulties prevail.

[Isabel María Gómez] One of the main responsibilities a leader has is to work on his or her own skills. Sometimes looking in the mirror is more complicated than it seems. What advice would you give us to keep evolving for the benefit of our teams? What do you think are the keys to work, for example, with the new generations of cybersecurity?

[Stéphane Nappo] Learn from your heart. Give and share your knowledge. When chosen, follow your own choices and decisions. When impossible… Do remember... Nothing is impossible.

There are probably more unknown unknowns to explore and unlock. I see more devotion, more enthusiasm, more aspiring actions and strategic leadership in my younger colleagues than I could imagine just a few years ago.

Better understanding, communication and prepared talents are the future of the Cybersecurity workforce.

I choose to give my knowledge and expertise to my employer, my country, my European and international colleagues and peers. For collective success.

For greater than personal, for devoted and desired security and safety for the world. I am a global citizen and I give my all to work well.

Renowned quotes by Stéphane Nappo

"One of the main cyber-risks is to think they don't exist. The other is to try to treat all potential risks."

"It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it."

"If you think you know-it-all about cybersecurity, this discipline was probably ill-explained to you."

"Even the bravest cyber defense will experience defeat when weaknesses are neglected."

"Education has always been a profit-enabler for individuals and the corporation. Cybersecurity education is a part of the digital equation."

"The five most efficient cyber defenders are: Anticipation, Education, Detection, Reaction and Resilience."

"IoT without security = Internet of Threats."

"Threat is a mirror of security gaps. Cyber-threat is mainly a reflection of our weaknesses."

"Technology trust is a good thing, but control is a better one."

"Digital freedom stops where that of users begins... Nowadays, digital evolution must no longer be offered to a customer in trade-off between privacy and security."

"Privacy is not for sale, it's a valuable asset to protect."

Do remember: "Cybersecurity is much more than a matter of IT."


Let's face it, CISOs are the most sought-after executives in cybersecurity. From start-ups to big companies, they all want to get their products in front of them and win them over as a champion. The old way of attempting to build relationships with the CISOs was events such as CISO dinners that only allow for a few hours of interaction that result in 2-3 meetings and possibly one closed deal. These events are losing their effectiveness.
CISOs seek new ways to connect with innovative cybersecurity and information security vendors. The new approach is to create a CISO Advisory Board consisting of security experts who provide advice on the vendor's direction, products, marketing, roadmap, and unbiased advice, as these advisors are not "drinking the kool-aid."
The purpose of the CISO Advisory Board is to help the cybersecurity organization gain new insights and advice to solve business problems or explore new opportunities by stimulating robust, high-quality conversations. A CISO Advisory Board acts as a sounding board for the cybersecurity company to bounce ideas off and get access to expertise that might not ordinarily be available. CISO Advisory Boards provide a competitive advantage and help build the company's visibility, credibility, and revenues. A properly constructed and executed CISO Advisory Board will foster lasting and meaningful relationships with key prospects and customers of the business.
The vendor is not the only one reaping benefits from a CISO Advisory Board. Since an adequately built CISO Advisory Board comprises security specialists, information security experts, generalists, and critical thinkers from diverse backgrounds, the CISO advisors gain knowledge and insights from their peers, enabling the CISO advisors to bring back valuable insights to their own organization.
No organization is too big or small to benefit from a CISO Advisory Board. For a cybersecurity start-up, it can be the difference between success and failure. CISO Advisory Boards are not part of most security organizations' overall corporate strategy, even though the input from a CISO Advisory Board can offer game-changing insight.
Brooke Cook has 20+ years in the cybersecurity executive relationship building and event space. With a background in business and psychology, Brooke has mastered the niche of building trust in an authentic way with executives around the world and treating them to first-class event experiences. As the CEO and Co-Founder of Security Sisters Network™, Brooke brings her passion, industry knowledge and tenacity to helping her network of over 15,000 CXO relationships stay at the leading edge of their business, cultivate their desire to learn about new products and surround themselves with their peer group for the benefit of their own network.

Troels Oerting, Chairman of the Board at BullWall. Denmark
Quo Vadis (Cyber) Security?
The entry into 2023 marks the 43rd anniversary of my start in Law Enforcement, Security and Cybersecurity.
A lot has happened during these many years and the development in speed and complexity increased.
On the other side I have also noted that the world is still standing and, despite loads of crises, challenges and uncertainty, we tend to overcome the majority of problems and move on.
Looking back over the many years, knowing that my generation of security experts will be replaced by new enthusiastic ones, I find the time appropriate to share some of my learnings and insight with the coming generations of security experts.
First, my recommendation is to avoid hype and fearmongering. Humanity will survive the Internet and we should not use or promote ‘fear’ as a driver for the sale of security solutions. We should instead instigate, defend and promote ‘hope’ of a safer Internet and digital future and lead the way forward with an optimistic approach.
Secondly, no such thing as ‘absolute security’ exists. Not in the physical world nor in the digital. Security needs to be driven by proper risk assessment, knowing that no one ‘silver bullet’ does the trick and security can be broken from multiple angles and from inside or outside of the network. So, we must be realistic in our security level and adapt to the level that secures what’s important without limiting, e.g., privacy or data protection. More security often means less privacy and usability, and the balance needs to be right and decided after a risk assessment.
“We, in security, should not promote fear, but protect hope.”
~ Troels Oerting

by Troels Oerting>>
Thirdly, the overall security goal should be resilience. I define resilience in this way: Cyber resilience refers to an organization's ability to prepare for, absorb, respond/adapt to and recover from an adverse situation while continuing to function as intended. A strong cyber resilience framework should be adaptable and account for unknown variables, like new types of attacks. By focusing on resilience, the organization is forced to promote a more holistic and inclusive security strategy involving staff, training, HR, legal, communications and other functions important for securing that the organization quickly recovers from a cyber incident and gracefully continues with the main business. If somebody from the outside asks a member of an organization's leadership or Board ‘who is responsible for cybersecurity in this organization’ and the answer is ‘the CISO’ – they have got it wrong. The right answer obviously is: ‘we are all responsible for cybersecurity’.
Fourth advice is to prepare. We will all get hacked at some point. We need to plan for how we will operate during such an incident. Who is in the crisis management team? Do we have playbooks on all types of incidents? Do these playbooks outline a communications strategy, a press strategy, a legal strategy (is it legal to pay ransom?) etc. All organizations, regardless of size, need to develop a security strategy and discuss and decide what to do when you get compromised.
And then you should train and exercise this plan and adjust it according to reality. Do a tabletop exercise and test if the plan works and takes all relevant factors into consideration. And rule number one – make notes of what you do during an attack. From the first to the last second. We forget, and you need to be able to remember if insurance or regulators ask. Shortly, if you fail to plan, you plan to fail.
Finally. Make security attractive. For the company and the staff. Too many CISOs are under too much pressure. Cybersecurity is not the enemy of innovation, marketing or usability. It should be an asset instead. High information security is a positive sales argument and the tone from the top should be that security is important for companies holding private and sensitive information.
Despite war in Europe, inflation, increasing prices and interest rates, deadlock in the US House, covid increase in China, geopolitical tension and other global challenges we will – together – improve cybersecurity and share more insight faster. I am confident of this.
“Happy New Year and I wish you all in security a great 2023 and thank each and every one of you for your service.”
Troels Ørting Jørgensen, Chairman at Bullwall, Expert Member at INTERPOL
Mr. Ørting is a globally recognized Cyber Security Expert. He has been working in cybersecurity ‘first line’ for over 4 decades. Throughout his career, Mr. Ørting has been working with governments and corporations to advise on how they react to the increasing international cyber threats, and worked closely with law enforcement, intelligence services and cybersecurity businesses.
Formerly, with the Danish National Police, first as Director, Head of the Serious Organised Crime Agency and then as Director of Operations, Danish Security Intelligence Service; Deputy Head, ICT Department and Deputy Head, OC Department, Europol, EU’s Police Agency; Head of European Cybercrime Centre and Head of Europol Counter Terrorist and Financial Intelligence Centre. 2015-18, Group Chief Information Security Officer (CISO), Barclays. Chaired the EU Financial Cybercrime Coalition, of which most banks are partners, and has very strong experience in cybersecurity. Since 2018, Head of the Centre for Cybersecurity, World Economic Forum. Chairman of the Board of World Economic Forum Centre for Cybersecurity (C4C).

Francis West, Chief Executive Officer at Security Everywhere. England
Why Your Anti-Virus Is Like The Yellow Pages - Old School And Out Of Date
We do have answers, one of which is a very short, blunt and not particularly politically correct answer. And then of course, there is the answer that we would write!
So first, let’s be blunt.
The answer is that your IT advisors are likely not cybersecurity experts, and so are not on top of the market, nor have they spent years in the cybersecurity market to find the best tool for the job.
They are very likely to have been supplying an antivirus program to their customers, probably from a well-known vendor, and it’s not in their interest to go and tell their customers that it is not good enough. In many cases, they probably are not even aware that it’s no longer fit for purpose.
This only leaves them with the option of telling their customers that the antivirus is protecting them and of course it is good enough! After all, they would look a bit stupid if they went to the customer that they’ve sold the antivirus to and said, “We know our antivirus solution is a bit rubbish”.
To be fair, we can’t paint everyone with the same brush and we know there are some IT companies that have done just as we did and went to their customers and said “we have discovered our solution is no longer fit for purpose, and there is a better one suited to today’s needs”. This approach probably cost them some customers, as they clearly had a high appetite for risk and didn’t think the protection was necessary for the additional cost.
Some of our clients said “Okay, great. Thank you”, while others said “We don’t really like the price and are happier with less protection and lower cost”. Others simply said “No, we are not going to pay any more and we will be looking for another supplier”. This is the main reason why most IT companies will not tell you to do the right thing – they are scared of losing customers and revenue.

So, why is antivirus not good enough?
All legacy antivirus is reliant on doing database lookups to identify any threats. Every single time it does a scan, it has to effectively pick up the Yellow Pages (list of viruses and threats) and go through the entire book looking for a match. If it finds a match to something in there, it lists it as a threat. If it can’t match it to anything in the book, then it’s not a threat and lets it go.
The issue is that the yellow pages is growing at the rate of four new entries a second. By the time it’s printed, shipped out, and everybody’s got their copy, it’s out of date by thousands or hundreds of thousands of entries, as there are 345,600 new threats added every single day, and it’s not decreasing! This basically leaves you with a solution that is just not fit for the purpose of protecting you against new or unknown threats, not to mention it is not very effective as it relies on constantly looking the threats up every time.
But, you say, it does protect me against millions of known threats, doesn’t it – surely that is better than nothing!? The problem we face is that the hackers aren’t stupid. Why would they use old threats that they know most solutions can block? That’s why they’re building new ones every four seconds because they’re looking for ways around existing security. What you actually need is a solution that’s going to look for patterns of behaviour rather than doing a lookup in an antiquated system.
For want of a better example, it’s like the difference between using live facial recognition to identify threats rather than relying on someone walking around with a photo and putting it up next to everybody to decide who’s a threat and who’s not. Or even worse, having to use multiple massive libraries of photos if you’re talking about a proper criminal database.
In short, you get what you pay for in life – cheap can be nasty, and if the advice is not coming from a confirmed expert or authority on the subject, make sure you take a look around and ask what is the motivation for them actually supplying you. And remember! Antivirus is usually sold as a product and proper cyber security is sold as a managed service!
by Francis West>>
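The lookup-versus-behaviour distinction the article draws, shown in code as an added example that is not part of the original article or of any vendor's product. A constructed hash set stands in for the "Yellow Pages", a constructed process-event log stands in for endpoint telemetry, and the rename threshold, time window, pids and paths are assumptions chosen for the illustration: the signature scan catches only the exact sample it has seen, while the behaviour rule flags a process by what it does to files, whatever its hash is.

```python
import hashlib
from collections import defaultdict, deque

# Constructed "Yellow Pages": SHA-256 hashes of two known-bad samples.
# The sample bytes are made up for this example; a real list holds millions.
KNOWN_BAD_HASHES = {
    hashlib.sha256(b"known-bad-sample-A").hexdigest(),
    hashlib.sha256(b"known-bad-sample-B").hexdigest(),
}


def signature_scan(content: bytes, signatures=KNOWN_BAD_HASHES) -> bool:
    """Legacy lookup: hash the file and look the hash up in the list.

    Any change to the bytes (a repacked or recompiled variant) yields a new
    hash, so the lookup misses it until the list is updated.
    """
    return hashlib.sha256(content).hexdigest() in signatures


def _ext(path: str) -> str:
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


def behaviour_scan(events, window_s=10.0, min_renames=25):
    """Behaviour rule (assumed thresholds): flag a process that changes the
    extension of many distinct files inside a short time window.

    events: iterable of (t_seconds, pid, action, src_path, dst_path).
    Returns {pid: t_seconds at which the pid was first flagged}.
    """
    recent = defaultdict(deque)   # pid -> deque of (t, src) for ext-changing renames
    flagged = {}
    for t, pid, action, src, dst in sorted(events):
        if action != "rename" or _ext(src) == _ext(dst):
            continue  # only renames that change the extension count
        q = recent[pid]
        q.append((t, src))
        while q and t - q[0][0] > window_s:
            q.popleft()  # drop events that fell out of the window
        if pid not in flagged and len({s for _, s in q}) >= min_renames:
            flagged[pid] = t
    return flagged


def build_sample_events():
    """Constructed telemetry: one benign editor, one mass extension change,
    one legitimate bulk rename that keeps the extension."""
    events = []
    for i in range(3):                         # pid 7: a user saving documents
        p = f"/home/user/doc{i}.docx"
        events.append((1.0 + i, 7, "write", p, p))
    for i in range(60):                        # pid 42: 60 files re-extensioned in 6 s
        events.append((20.0 + i * 0.1, 42, "rename",
                       f"/srv/share/f{i}.xlsx", f"/srv/share/f{i}.xlsx.locked"))
    for i in range(40):                        # pid 9: log rotation, extension unchanged
        events.append((40.0 + i * 0.1, 9, "rename",
                       f"/var/log/old{i}.log", f"/var/log/new{i}.log"))
    return events


def demo():
    """Run both scanners on constructed input; returns (sig_known, sig_variant, flagged)."""
    variant = b"known-bad-sample-A" + b"\x00"   # one byte appended: new hash
    return (
        signature_scan(b"known-bad-sample-A"),   # True: exact match in the list
        signature_scan(variant),                 # False: the list has never seen it
        behaviour_scan(build_sample_events()),   # {42: ...}: caught by behaviour alone
    )


if __name__ == "__main__":
    print(demo())
```

The rule deliberately ignores pid 9, whose bulk rename keeps the `.log` extension, so the example also shows the tuning problem behaviour detection brings: thresholds that are too loose flag backups and log rotation, thresholds that are too tight miss a slow-running process.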
Francis West, Chief Executive Officer at Security Everywhere, is on a mission to inform and advise a million business owners on how to stay cyber safe so they can maximise the advantages of technology whilst minimising the risks. Having started his career in the African Army, Francis moved to the UK and built a million-pound IT support company. In both professions, his motivation has been to protect others from potentially destructive and devastating threats.
Successes in that first IT business included redesigning a bespoke, cloud-based, global recruitment platform and contributing to the design and launch of a remote desktop solution for Randstad. Whilst providing managed security services for large enterprises, Francis realised there was a lack of information and support tailored to SMEs. In 2010, he launched Westtek Solutions to educate SMEs on cyber vulnerability and provide a complete security service.
This was followed by Security Everywhere, a partnership with Graeme Ison. They provide SMEs with 5 easy, affordable and comprehensive layers of Cyber Protection, within 24 hours. Francis’ expertise in his field is widely recognised. He sits on 5 Cyber Security Panels and is the Cyber Security National Lead for the FSB (Federation of Small Businesses). As a mentor for CompTIA, he is also involved in educating the technology gurus of the future.

by Allan Alford
Taking Ownership of Risk
“Without risk there is no business. Take the smart risks and profit. Take the wrong risks and lose.”
It can be argued that business is nothing more than taking risks, hoping they are the smartest risks vs. your competitors, vs. time itself, and vs. market demand. Take the smart risks and profit. Take the wrong risks and lose.
Investment is risk. Further, all business innovation is also by definition risk. What if the newness of a given product or service prevents its being understood or adopted? Ingenuity, as with all business moves, requires wilful risk. It is important for CISOs to remember this as they dive into their 2023 risk management plans - that wilful risk is not just acceptable, but integral and necessary to the success of the organization.
CISOs debate often about who owns any given cybersecurity business risk as identified by the CISO’s team. Most CISOs will tell you that the CISO’s role is to point out the risk, to clarify it, to advise on its disposition and let “the business” own the risk. One can argue, however, that there is an intrinsic flaw in that argument as indicated by its nomenclature. “The business” is not something that exists over there while the cybersecurity team is over here. To refer to the rest of the organization as “the business” is to divorce oneself from one’s vital leadership role in the business. The mantra is not “Enable the business!” The mantra is “Be the business!” To this end, CISOs need to bear more ownership of risk despite conventional approaches.
One of the pivotal moments in becoming a leader in cybersecurity occurs when the newly minted leader makes the decision to postpone addressing a particular finding from the team due to reasons of budget, schedule, business priorities, etc. This critical moment separates successful practitioners (who should advocate to address cybersecurity risks) from successful cybersecurity leaders (who should advocate for doing the right thing for the organization - which might well include deprioritizing a given cybersecurity risk).
If this moment is pivotal in the initial transition to cybersecurity leadership, then perhaps it serves to establish a trend for future leadership roles in cybersecurity as well. As one rises in leadership ranks, one should inherently become more aware of the surrounding environment, of the needs and drivers of peer departments, and of higher order objectives and goals for the entire organization. If such knowledge is expected of a cybersecurity executive, then that same moment where the fresh cybersecurity leader makes the call to not address a given risk due to higher order concerns should occur more frequently as the leader gains more perspectives on the greater organization. To put it another way, CISOs should take more risks than directors, who take more risks than managers, who take more risks than individual contributors.

by Allan Alford
If this model is valid, then the CISO’s ownership of risks and of specific risk acceptance should grow commensurate with the awareness of the greater organization. By the time one has achieved the CISO rank, one should see oneself first and foremost as a vital co-leader of the business, as a peer to other business leaders from other departments, and as someone who is well informed as to those other leaders’ goals, drivers and obstacles. The “Chief” in “Chief Information Security Officer” mandates business leadership over cybersecurity leadership.
Getting back to the CISO debate as to risk ownership, the conclusion that unfolds regarding the cybersecurity leadership trajectory is that the CISO is as much a risk owner as their fellow executive business leaders, and no less so. One cannot be the business without inheriting risk ownership, in other words. That ownership is shared across all the business leaders, and the CISO does not have an inherent right to claim an advisory-only role with regards to any given risk they have identified. The ownership of risk is mutual and mandated for all executives.
The CISO job is hard. The hours are long, the stakes are high, and the stress levels seldom dissipate. Often CISOs are scapegoated, being summarily dismissed when a risk they pointed out to the business months ago turns into an active incident.
CISOs are held accountable and blamed for things they often have no authority over. Every CISO, no matter how competent, devotes some portion of their thinking to a fear of an untimely end to their role. Given this climate, how can CISOs embrace risk ownership? Part of the solution is in addressing this notion of accountability without authority.
Step One is for the CISO to do what they have (presumably) always done: identifying and categorizing risks to surface to their fellow business leaders. Not to the business, but to their fellow leaders. The CISO should then have a recommendation at the ready for the risks being addressed and should firmly and clearly state that recommendation.
The CISO should then state that, “It is my recommendation that we…” Being firm on disposition while encouraging mutual ownership begins the process. Note that this approach can never be embraced until the CISO has internalized it and applied it to their own personal career risk:
“I am accepting and owning some career risk with each business decision I make. This is the price of executive leadership, and I will not let it worry me as I charge forward in my role.”
The vital aspect of this method is two-fold: First, the CISO is not shirking or dodging, avoiding, or placing themselves in a position of helplessness. The CISO is demonstrating authority by publicly declaring accountability. Authority is given far less than it is taken, and authority is rarely successfully held by those who do not publicly own the outcomes of authority, both good and bad. For the CISO who embraces this philosophy and approach, Step Two manifests in two ways: One: Authority has grown to meet the accountability that the CISO led with. Two: Career risk is actually diminished, not increased, due to the CISO’s demonstrating real leadership, real ownership, real business savvy, and real accountability from a business standpoint. To demonstrate these qualities is to weather at least most storms that might blow in when a given risk-taking decision backfires. We all are capable of gambling on the wrong outcome. Doing so with authority and accountability, doing so with the mutual respect of peers who recognize that accountability has been maintained, most likely results in commiseration rather than termination.
To paraphrase the common saying, “Accountability is everything.”
>>

CISO and Cybersecurity Consultant, Mr. Allan Alford has led security functions in companies from 5 employees to 50,000 and executes a risk-based approach to security, as well as compliance with many frameworks.
With a Master of Information Systems & Security and a Bachelor of Liberal Arts with a focus on Leadership and twenty+ years in information security, Allan has served as CISO five times in four industries, with a strong history in technology, manufacturing, telecommunications, litigation, education, cybersecurity and more. He parlayed an IT career into a product security career and then ultimately fused the two disciplines. This unique background means that Allan approaches the CISO role with a highly business-aligned focus and an understanding of an organization's greater goals, drivers, methods, and practices.
Allan Alford gives back to the security community via The Cyber Ranch Podcast, by authoring articles, speaking at conferences, teaching, mentoring, and coaching aspiring CISOs.
About Allan Alford Consulting
Mr. Alford launched his boutique cybersecurity consulting practice in 2022, with the intention of helping organizations efficiently implement and manage security programs and projects. Allan keeps the practice small, bringing in a hand-selected team of subject matter experts only as required, to forge long-term relationships with each client and to intimately understand and fulfil each organization's unique needs.
Allan Alford, United States

by Steve King
Cybersecurity Leadership
We hear frequently that 99% of the global business leaders claim cyber risk is the greatest risk facing our economy and when Fed Chairman Jerome Powell said on 60 Minutes that the greatest risk to the economy is cyber risk, we assume that our business leaders are all on the same page. They don’t worry about inflation, another financial crisis or another pandemic — they worry about cyber risk.
The World Economic Forum (WEF) Global Risk Report 2021 tells us that the top three short-term risks to the world, as defined by its survey of 650 WEF leaders, are infectious disease, income inequality and extreme weather events. The fourth is cybersecurity. Nearly 40% of WEF leaders cited cybersecurity as a “clear and present danger” to the global economy. While we have seen some degree of global cooperation around the first three issues, we have not seen that same level of cooperation around cybersecurity.
Given my background, I empathize with cybersecurity leadership and can’t imagine trying to do the job at current expectation levels during the storm in which we find ourselves. The competition between business unit owners driving toward the 4th industrial revolution, pockets of shadow IT running unknown quantities of cloud sessions, increased dependencies on supply chains, open source everywhere, new heights of network complexity, a lack of available resources to fill the gaps, and increased sophistication and smarter attacks from cyber-criminals along with promises of safety and security from 4,000 point solution vendors would drive anyone crazy.
If you have a CISO who appears to be keeping the lights on, make sure s/he is happy. For every competent CISO, there must be a dozen who aren’t.
But CISO leadership is not limited to technology choices, maturity programs, operations and governance and the provisioning of adequate detection and protection capabilities to assure a computing environment is safe from bad guys. It is responsible to the company and shareholders to do everything possible to assure maximum protection and the implementation and support of well-thought-out and carefully designed layers of defense, leveraging the best and most effective technology tools, the optimal use of available resources, the appropriate levels of education and training delivered to the right people at the right time and communication with C-suite and Board members at a level where both sides can operate from the same page of the playbook, at all times.
In addition, in most corporate IT environments, the relationships between the IT leaders and the security leaders appear opposed or operate with a substantial amount of friction. One requires the absolute cooperation of the other to enable their programs and achieve their goals, cooperation that is not always forthcoming. The relationship between the board, C-suite and the CISO is often ill-suited to the execution of actionable programs as the definitions of accountability and responsibility are soft-pedalled and generally ignored by the senior party. This translates to responsibility and even accountability on paper but not extended in fact or downright withheld in practice, leading to mistrust and an inordinate amount of anti-productive meetings, analysis and proposals.
My experience is that the board simply does not trust either the IT or Security leadership; they don’t trust that either team understands the business nor could make the right executive decisions were they in charge, and as a consequence, the board will not relinquish the reins of leadership outside of their domains. The CISO doesn’t seem to be able to grasp business basics or understand, for example, the notion of risk transfer.

by Steve King
The Convention on Cybercrime (AKA the Budapest Convention) has been ratified by 65 nations, but focuses primarily on nation states assisting each other in the prosecution of cybercrimes, not addressing today’s nation states attacking private sector companies at will. Are 65 countries asleep at the wheel or have they all signed up for Chinese protection under the BRI initiative?
Even though we have seen these attacks in action now for years, we still have no Convention-like treaty that establishes rules of engagement for nation states in cyberspace and provides a legal framework for the international prosecution of violators.
And as a consequence, nothing will change the global landscape for private or public leadership with regard to cyber-crime and cyber-attacks. Without modernized laws at a whole-of-global-government level, it is impossible to impress upon the decision makers in private companies to break from the pack.
Risk transfer will remain the Sleepeze for board members unless and until our CISO leadership community determines that it is their responsibility to force reality into their presentations in a way that the board can both grok and understand the details of liability as they relate to their fiduciary responsibilities. Or until cyber-insurance disappears as a risk-transfer option. Until then, business as usual.
As a result, without changing the way that CISOs manage within their organizations, the lack of leadership will always be one of the great Achilles’ heels of the cybersecurity space. It is the equivalent of laws that protect retail criminals from prosecution if all they steal is valued at or under $950.
As even casual observers will recall, it only took Colonial one day to decide on a $5 million ransomware payment, in spite of aggressive Federal and Law Enforcement advice to the contrary. That is risk transfer in action and it did nothing to help prevent another attack, either to Colonial or its brethren pipeline companies worldwide.
“What we need is for the CISO to step into the breach – to embrace a true leadership role – which translates to defining a path forward that will minimize the probability of a catastrophic event. It is now time for the CISO to report directly to the CEO or the BOD. We are swimming in a new ocean now and if we expect CISOs to be held accountable with personal liability and fiduciary care duty, then s/he needs to have the appropriate reporting and decision authority as well.”
Following the Joe Sullivan verdict, I will be surprised if our next shortage isn’t the CISO role itself. Would you risk 8 years behind bars to defend a dysfunctional company’s assets without controls or authority for $500K a year? Of course not, and when Sullivan’s sentencing becomes real for folks, there will be few willing to take that risk.
True leadership means having the courage to architect and promote an alternate approach to layered, defense-in-depth security models. It means embracing an enterprise-wide Zero Trust strategy. One that begins with third-party assessment, a rigorous identification of critical assets, an isolation of these assets through micro-segmentation and access protection through granular identity management and policy engines with fully saturated monitoring of lateral activity beyond initial entry through to behavior while on the networks and upon session exits, the dedication of fully staffed cybersecurity hygiene programs, and the discipline to adhere to best practices throughout.
It means translating that strategy into language that the board will understand and contextualized outside the standard threat/consequence matrix, so that professional risk decision makers can make determinations aligned with realities that they can now understand. We may not be able to fix leadership issues at the national or international levels, but nothing stops us from doing so within our own domains. Other than fear.
>>

Mr. Steve KING is the Founding Board Member and Managing Director of CyberEd.io, the leading Cybersecurity Education On-line Learning program in the world. His other day-job is helping Cybersecurity clients get their brand story, positioning statements and messaging squared to the appetite of their targeted audience, as Managing Director of CyberTheory, a full-service digital marketing, branding and advertising company. Both organizations are part of the ISMG global media family, the largest media group focused only on Cybersecurity in the world. Education in Cybersecurity is Steve’s passion and he feels lucky to have this amazing, broad, popular, far-reaching and active ISMG network to promote and advise on their way toward CyberEd.io’s North Star, which is to CLOSE THE GAP in Cyber education.
Steve got his start in InfoSecurity as a co-founder of the Cambridge Systems Group, which brought to market ACF2, the [still] leading data security product for mainframe computers – Cambridge sold their product suite to CA back in the 1980s. In the year 2000, as businesses struggled to get their message out to the web, Steve started a few businesses to help make that easier. From ESI, a digital branding business that helped companies like Harley-Davidson, Abercrombie and Fitch and Lucky Brands get to the digital markets, to Blackhawk Systems Group, an early player in the SIEM/SOC/MSSP space. Blackhawk and its partners aggressively pursued the Chinese markets between 2012 and 2017 setting up offices in Beijing, Shanghai and Shenzhen. Many consider Steve an expert in Chinese Cybersecurity as a result. Prior to the focus on Cyber, Steve served as CIO for a large, international Computer and Storage Systems manufacturing company, with responsibility for both IT and OT.

People Are The Crown Jewels
Anne Leslie, Cloud Risk and Controls Leader Europe at IBM Cloud for Financial Services
In the context of cybersecurity, people are frequently referred to as an organization’s biggest vulnerability. And while there is an element of truth to that assertion, it is a framing that negates the hugely positive impact that harnessing human energy, engagement, and commitment can have on an enterprise cybersecurity program.
The truth is that, with the right enablement and environment, people will naturally want to contribute because as humans we are motivated by being of service and united in something that is bigger than ourselves.
Cybersecurity professionals are often characterized by an innate drive to protect. To many practitioners, information security is much more than a job; it's a cause they want to defend. The most progressive organizations are exploring how to leverage human-centred methods, such as design thinking, as a way of identifying how to design security programs that channel the best of what makes us human and complement these capabilities with processes and tooling that augment people’s skills instead of hindering them.
Such an approach involves interacting with cybersecurity practitioners and enquiring of them, “How might we go about making your day go better? How could we go about allowing you to have more impact? What might we be able to do to take obstacles out of your way?”
Again, these are seemingly simple questions. However, rare are the organizations where such questions get asked and where the answers are genuinely acted upon. While many cybersecurity professionals start out in their careers with a powerful desire to serve and defend, the weight of organizational bureaucracy, misaligned objectives, and executive disinterest can end up diluting even the most robust resolve.
Leaders who are authentically seeking to enable their cybersecurity team to achieve a bigger collective impact for the business and more individual fulfilment should never underestimate the power of consistently showing that they care about their people.
Anne Leslie is Cloud Risk and Controls Leader Europe at IBM Cloud for Financial Services where she focuses on supporting financial institutions to securely accelerate their journey to the cloud and transform their cybersecurity operations to adapt to a hybrid multi-cloud reality. An accomplished public speaker, Anne is a passionate advocate for upskilling initiatives related to cyber talent transformation and applying human-centered approaches to some of the most wicked problems facing cybersecurity practitioners. Irish by nature and French by design, Anne lives happily with her three children in Paris, France which has been her home now for over twenty years.

Scott D. Foote
Managing Director at Phenomenati Consulting
Introducing Risk Level Agreements™ (RLA) for the C-suite and the Board
To facilitate discussions between executive teams and their boards, Phenomenati has created the concept of Risk Level Agreements™ (RLAs) (www.risklevelagreements.com) which concretely document an organization’s strategic Risk Profile and the decisions made regarding how those Risks will or will not be addressed.
Phenomenati refers to these as “agreements” because they codify the shared awareness, assessment, negotiation, and decisions between the organization’s leadership and its infrastructure providers (both internal and external), with respect to the balance of benefits, costs, and Risks in any aspect of the business.
The RLA then becomes a formal business record, persisting the context and tradeoffs of critical business decisions, across changes in the organization, until such time as any decision needs to be revisited.
Typically, development of RLAs will include a series of quarterly Executive team meetings that employ high-level Risk Scenarios to support cross-functional, collaborative decision making regarding whether the leadership team Accepts, Rejects, Mitigates, and/or Transfers each identified strategic Risk.
While these RLAs greatly improve strategic level planning and reporting, they also provide very clear corporate records which concretely demonstrate the Due Diligence and Due Care applied to the organization’s overall Risk Management efforts.
Each RLA includes discussion of 6 key topics, discussed briefly below: the organization’s Risk Tolerance, Risk Scenarios, Inherent Risk, Recommended Controls to mitigate risk, Risk Mitigation Decisions, and remaining Residual Risk that is either accepted, transferred, or avoided.
Risk Tolerance ("Appetite")
Each Phenomenati RLA begins by documenting the organization’s current benchmark for Risk Tolerance.
The U.K.’s Institute of Risk Management defines Risk Tolerance or Appetite as “the amount and type of risk that an organization is willing to take in order to meet their strategic objectives”.

by Scott D. Foote>>
To effectively characterize each Risk in terms of numeric "amounts", Phenomenati applies conventional Risk Assessment discipline including both Qualitative and Quantitative assessment of each Risk Scenario that has been identified. Deeper explanation of Risk Assessment techniques is a topic for another article.

A qualitative approach to characterizing an organization's Risk Tolerance/Appetite might use a subjective spectrum from "Risk Averse – to Risk Neutral – to Risk Seeking".

A quantitative approach to characterizing an organization's Risk Tolerance/Appetite might use an objective, numerical threshold to describe specific levels of acceptable loss (e.g., % of revenue lost). In practice, most organizations find that their Risk Tolerance is situationally dependent upon the circumstances of each specific Risk Scenario that has been identified. So, a single "threshold" value is often impractical.

Risk Scenarios

Any serious discussion about "Risk" must transform abstract concepts into concrete expressions using concepts such as the "Risk Scenarios" mentioned above. A "Risk Scenario" begins with identifying a specific Threat that is directly relevant to specific Assets of the organization (e.g., business systems or business information). Discussion of Threats should include the Likelihood or anticipated frequency of each Threat materializing.
• e.g., a threat actor attempts to steal customer records, 4-5 times per year.
Next, across the organization, any Vulnerabilities relevant to that Threat are identified. This should include the Severity of the Vulnerability.
• e.g., use of single-factor authentication [weak passwords] on accounts with bulk access to customer records.
Finally, the potential Impact of specific Threats exploiting specific Vulnerabilities is characterized in terms of Consequences to the business (e.g., potential losses). These Consequences should be assessed both qualitatively and quantitatively.
• e.g., a possible $xM in regulatory fines, a potential 20% loss of customers, and potential 35% drop in revenues due to reputation damage.

Figure 1 - Example "Risk Scenario"
(One row of the Risk Register. Threat, Vulnerability and Consequences each carry a 1-5 Metric; the Risk Levels columns are the 0-25 score and the Annualized Loss Expectancy, SLE x ARO = ALE.)

R0001 | Risk Type: Legal, Reputational (Cyber)
  Threat (5): Criminal Theft / Extortion
  Vulnerability (4): Need to improve Data Loss Prevention. Do not adhere to Least Privilege principle. Need to improve Segregation of Duties. End-point Protection on cloud assets. Monitoring & Detection on cloud assets not well integrated into Security Ops (Sophos 24x7 SOC service). Need to review the protections on DevOps pipeline.
  Consequences (5): First Party Privacy Breach - Loss of Client Confidential material
  SLE $4,000,000 | ARO 0.25 | Risk Level (0-25) 22.5 | ALE $1,000,000
Inherent Risk

Inherent Risk is traditionally thought of as the "untreated" risk in a process or activity, meaning nothing has been done to either reduce the "likelihood", or mitigate the "impact", of potential threats. In Phenomenati's RLAs, the Inherent Risk is captured as the collection of potential Consequences from the Risk Scenarios that have been identified. Effective methods for communicating the set of "Inherent Risks" to an organization include: a tabular "Risk Register", and/or a simple "Risk Matrix" diagram.

The example "Risk Register" in the diagram below includes a short set of example Risk Scenarios (rows) where each has been Qualitatively and Quantitatively assessed. Those aggregate Risk "scores" appear in columns to the right, and are used to prioritize the overall list of Risks as well as inform subsequent Business Cases (e.g., Cost-Benefit Analyses) regarding investment in additional Controls.

Example "Risk Matrix" - Risk Landscape (ACTUAL)

Likelihood x Impact (1-5 on each axis; every cell holds the product of the two scores):
 5 | 10 | 15 | 20 | 25
 4 |  8 | 12 | 16 | 20
 3 |  6 |  9 | 12 | 15
 2 |  4 |  6 |  8 | 10
 1 |  2 |  3 |  4 |  5
Scenarios plotted from the Register (their exact cell positions were not preserved in the extracted text): R0001, R0002 and R0003 together; R0011; R0004; R0005 with R0010; R0006 with R0007; R0009; R0008; R0012 through R0020 at 0.
Current Aggregate Risk: $10,940,000

The very familiar example of a "Risk Matrix" in the diagram above illustrates how the Qualitative scores for each of the Risk Scenarios from the Risk Register can be plotted along the traditional attributes of "Likelihood" and "Impact". Risks to the upper right of the risk matrix (in the yellow, orange, or red cells) are typically considered to have Inherent Risk that is above the organization's Risk Tolerance.

Below the matrix, the "Current Aggregate Risk" sums up the Quantitative monetary values of the current Risk Scenarios from the Register. Presenting this value along with the traditional Risk Matrix has proven to be a powerful catalyst for discussion among Executive Leadership teams, as well as with Boards.

Figure 2 - Example "Risk Register"
(Columns: Qualitative Assessment = Threat, Vulnerability and Consequences, each with a 1-5 Metric; Quantitative Assessment = SLE and ARO; Risk Levels = the 0-25 score and the Annualized Loss Expectancy, SLE x ARO = ALE.)

R0001 | Risk Type: Legal, Reputational (Cyber)
  Threat (5): Criminal Theft / Extortion
  Vulnerability (4): Need to improve Data Loss Prevention. Do not adhere to Least Privilege principle. Need to improve Segregation of Duties. End-point Protection on cloud assets. Monitoring & Detection on cloud assets not well integrated into Security Ops (Sophos 24x7 SOC service). Need to review the protections on DevOps pipeline.
  Consequences (5): First Party Privacy Breach - Loss of Client Confidential material
  SLE $4,000,000 | ARO 0.25 | Risk Level 22.5 | ALE $1,000,000

R0002 | Risk Type: Operational, Legal, Reputational (Cyber)
  Threat (5): Ransomware
  Vulnerability (4): Need to improve Data Loss Prevention. Do not adhere to Least Privilege principle. Need to improve Segregation of Duties. End-point Protection on cloud assets. Monitoring & Detection on cloud assets not well integrated into Security Ops (Sophos 24x7 SOC service). Need to review the protections on DevOps pipeline.
  Consequences (5): Loss of Availability of the SaaS platform leads to Reputation damage (loss of Trust, Credibility) and Lost Business (clients, revenue)
  SLE $2,000,000 | ARO 0.5 | Risk Level 22.5 | ALE $1,000,000

R0003 | Risk Type: Operational, Legal, Reputational (Cyber)
  Threat (4): Compromise of Service, Injection of Malicious Software into the SaaS offering
  Vulnerability (5): End-point Protection on cloud assets. Need to review protections on DevOps pipeline. Need to expand/improve Application Security Testing (AST) (e.g., scanning of all sw dependencies).
  Consequences (5): Loss of Integrity in SaaS Infrastructure leads to loss of either Client or Company Intellectual Property (IP), damages valuation.
  SLE $5,000,000 | ARO 0.2 | Risk Level 22.5 | ALE $1,000,000

R0011 | Risk Type: Legal, Reputational (Cyber)
  Threat (5): High Expectations of Security & Privacy from Prospects
  Vulnerability (4): Overall Information Security & Privacy Program has not yet been certified.
  Consequences (4): Lost revenue opportunities. Losses to valuation in financing rounds.
  SLE $1,000,000 | ARO 4 | Risk Level 18 | ALE $4,000,000

R0004 | Risk Type: Operational, Legal, Reputational (Cyber)
  Threat (3): Insider Threat
  Vulnerability (4): Administrative Controls need improvement: e.g., background checks for privileged staff w/ "Need to Know"; more specific policies on Data Classification, Access Control, Data Handling, Data Retention; add'l NDAs; special access training; team experienced with Insider Threat Investigations. Technical Controls need improvement: Need to improve Data Loss Prevention. e.g. No monitoring of Annotators while in system. e.g. No monitoring of engineering and operations staff w/ full privileged access. e.g., No UAM/UBA platform to tune monitor User Behavior effectively. Physical Controls TBD
  Consequences (5): Loss of Client Confidential intellectual property, leads to Reputation damage (loss of Trust, Credibility) and Lost Business (clients, revenue)
  SLE $4,000,000 | ARO 0.5 | Risk Level 17.5 | ALE $2,000,000
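To show how the numbers in the Risk Scenarios section and the Risk Register above fit together, here is an added Python example; it is not code from the article or from Phenomenati. It encodes the five scenarios of Figure 2, computes ALE = SLE x ARO, recomputes the 0-25 Risk Level, sums the aggregate, and places each scenario in a 5x5 Likelihood x Impact cell. The scoring rule it uses, the average of the Threat and Vulnerability metrics multiplied by the Consequences metric, is an inference from the figure's values (5, 4, 5 gives 22.5; 3, 4, 5 gives 17.5), not a formula the article states, and the two tolerance thresholds in `above_tolerance` are assumptions made for the example.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class RiskScenario:
    """One row of the Risk Register (the three metrics are 1-5 qualitative scores)."""
    id: str
    threat: str
    threat_metric: int
    vulnerability_metric: int
    consequences_metric: int
    sle: float   # Single Loss Expectancy, in dollars
    aro: float   # Annualized Rate of Occurrence, events per year

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE x ARO, exactly as the article defines it."""
        return self.sle * self.aro

    @property
    def likelihood(self) -> float:
        # Inferred from the figure's scores: likelihood blends how active the
        # threat is with how exposed the organization is to it.
        return mean([self.threat_metric, self.vulnerability_metric])

    @property
    def impact(self) -> int:
        return self.consequences_metric

    @property
    def risk_level(self) -> float:
        """0-25 qualitative Risk Level; reproduces the figure's 22.5 / 18 / 17.5."""
        return self.likelihood * self.impact


# The five scenarios shown in Figure 2 (metrics, SLE and ARO taken from the figure;
# threat names abbreviated).
REGISTER = [
    RiskScenario("R0001", "Criminal Theft / Extortion", 5, 4, 5, 4_000_000, 0.25),
    RiskScenario("R0002", "Ransomware", 5, 4, 5, 2_000_000, 0.5),
    RiskScenario("R0003", "Compromise of Service / malicious software in SaaS", 4, 5, 5, 5_000_000, 0.2),
    RiskScenario("R0011", "High Expectations of Security & Privacy from Prospects", 5, 4, 4, 1_000_000, 4),
    RiskScenario("R0004", "Insider Threat", 3, 4, 5, 4_000_000, 0.5),
]


def aggregate_ale(register) -> float:
    """The 'Current Aggregate Risk' number: the sum of every scenario's ALE."""
    return sum(r.ale for r in register)


def risk_matrix(register):
    """Map each scenario to its (likelihood, impact) cell of a 5x5 matrix.
    Likelihood is rounded half-up to a whole cell, so 4.5 lands in column 5 (a choice
    made for this example)."""
    cells = {}
    for r in register:
        cell = (int(r.likelihood + 0.5), r.impact)
        cells.setdefault(cell, []).append(r.id)
    return cells


def above_tolerance(register, qualitative_threshold=15.0, annual_loss_budget=3_000_000):
    """Scenario IDs whose Inherent Risk exceeds tolerance by either yardstick, largest ALE first.
    Both thresholds are assumptions: a cell score of 15 or more stands in for the matrix's
    yellow/orange/red region, and the dollar budget stands in for a '% of revenue' threshold."""
    ranked = sorted(register, key=lambda r: (-round(r.ale), r.id))
    return [r.id for r in ranked
            if r.risk_level >= qualitative_threshold or r.ale > annual_loss_budget]


if __name__ == "__main__":
    for r in sorted(REGISTER, key=lambda r: (-round(r.ale), r.id)):
        print(f"{r.id}: risk level {r.risk_level:>5}  ALE ${r.ale:,.0f}")
    print(f"Aggregate ALE of these five rows: ${aggregate_ale(REGISTER):,.0f}")
    print("Matrix cells:", risk_matrix(REGISTER))
    print("Above tolerance:", above_tolerance(REGISTER))
```

Because every one of the five example rows scores 17.5 or higher, all of them land above the assumed qualitative threshold; that is the point the article makes about the upper-right cells, and the quantitative budget is what separates R0011 (ALE $4,000,000) from the rest.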

Recommended Controls

For the highest priority Risk Scenarios, Controls (also called countermeasures) which may directly impact each scenario are enumerated and assessed for practicality. Some controls will attempt to reduce the Likelihood of a specific Threat exploiting a Vulnerability, e.g., use of 2FA for privileged accounts. Some controls will attempt to reduce the Impact of a possible compromise, e.g., use of backups or replication, or obfuscation/tokenization of customer information. Each Control is assessed for practicality based upon Benefits (e.g., reduction in Likelihood or Impact to reduce the Risk), related Costs, and any additional Risk use of the Control may introduce.

Figure 4 - Example "Control Matrix"

For each Risk Scenario, Phenomenati's RLA captures the current inventory of Recommended Controls using a simple table called a "Control Matrix". The example in the diagram above illustrates how Controls might be proposed and communicated to a non-technical audience, in support of an RLA discussion, for the common Risk Scenario of "Insider Threat" (InT). Note that each Control is placed in the matrix based upon the Control Type (Administrative, Physical, or Technical) and the Control Objective (Preventative, Detective, or Corrective).

The total Costs of the recommended Controls are estimated and then added to the evolving Risk Register (see the diagram below) to support the Cost-Benefit Analysis of the proposed investment (ref. the far right columns). Simplistically, quantitative reductions in Risk that outweigh the associated Cost of additional Controls are considered a good investment. A deeper discussion of this Cost-Benefit Analysis is out of scope for this article.

Figure 5 - Example "Risk Register" Including Simple Cost-Benefit Analysis
(The same five Risk Scenarios as Figure 2, with identical Qualitative Assessment, Quantitative Assessment and Risk Levels columns, and the following Controls and Cost/Benefit Analysis columns appended. The values in the last column equal ALE divided by Annualized Cost.)

ID    | Administrative | Physical | Technical  | Annualized Cost | Cost/Benefit Analysis
R0001 | $100,000       | -        | $100,000   | $200,000        | 5.00
R0002 | $100,000       | -        | $300,000   | $400,000        | 2.50
R0003 | $100,000       | -        | $100,000   | $200,000        | 5.00
R0011 | $300,000       | -        | $500,000   | $800,000        | 5.00
R0004 | $100,000       | -        | $5,000,000 | $5,100,000      | 0.39
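An added Python example for the Recommended Controls section and Figure 5 above; it is not the article's or Phenomenati's code. It reproduces the Cost/Benefit Analysis column of Figure 5 (inherent ALE divided by annualized control cost) and then applies the stricter test the text describes, comparing the reduction in ALE that a control set is expected to buy against what it costs each year, and finally picks control sets within a budget. The per-scenario costs come from Figure 5; the `mitigated_aro_factor` values (the fraction of the ARO assumed to remain once the controls are in place) are assumptions constructed for the example, since the figure does not state them.

```python
from dataclasses import dataclass


@dataclass
class ControlSet:
    """Recommended Controls for one scenario, costed by Control Type as in Figure 5."""
    scenario_id: str
    ale: float                          # inherent ALE from the Risk Register
    administrative: float = 0.0
    physical: float = 0.0
    technical: float = 0.0
    mitigated_aro_factor: float = 1.0   # assumed fraction of the ARO left after controls

    @property
    def annualized_cost(self) -> float:
        return self.administrative + self.physical + self.technical

    @property
    def figure_ratio(self) -> float:
        """The ratio printed in Figure 5's last column: inherent ALE / annualized cost."""
        return round(self.ale / self.annualized_cost, 2)

    @property
    def residual_ale(self) -> float:
        """ALE expected to remain once the controls are in place (assumption-driven)."""
        return self.ale * self.mitigated_aro_factor

    @property
    def net_benefit(self) -> float:
        """Risk reduction bought per year minus what the controls cost per year."""
        return (self.ale - self.residual_ale) - self.annualized_cost


# Costs from Figure 5; mitigated_aro_factor values are constructed for this example.
CONTROLS = [
    ControlSet("R0001", 1_000_000, administrative=100_000, technical=100_000, mitigated_aro_factor=0.25),
    ControlSet("R0002", 1_000_000, administrative=100_000, technical=300_000, mitigated_aro_factor=0.25),
    ControlSet("R0003", 1_000_000, administrative=100_000, technical=100_000, mitigated_aro_factor=0.5),
    ControlSet("R0011", 4_000_000, administrative=300_000, technical=500_000, mitigated_aro_factor=0.25),
    ControlSet("R0004", 2_000_000, administrative=100_000, technical=5_000_000, mitigated_aro_factor=0.1),
]


def good_investments(controls):
    """IDs of control sets whose expected ALE reduction outweighs their cost, best first."""
    worthwhile = [c for c in controls if c.net_benefit > 0]
    return [c.scenario_id for c in sorted(worthwhile, key=lambda c: c.net_benefit, reverse=True)]


def plan_within_budget(controls, budget: float):
    """Greedy selection by net benefit until the annual control budget is exhausted.
    Returns (chosen scenario IDs, total annualized cost)."""
    chosen, spent = [], 0.0
    ranked = sorted((c for c in controls if c.net_benefit > 0),
                    key=lambda c: c.net_benefit, reverse=True)
    for c in ranked:
        if spent + c.annualized_cost <= budget:
            chosen.append(c.scenario_id)
            spent += c.annualized_cost
    return chosen, spent


if __name__ == "__main__":
    for c in CONTROLS:
        print(f"{c.scenario_id}: figure ratio {c.figure_ratio:.2f}, net benefit ${c.net_benefit:,.0f}")
    print("Good investments:", good_investments(CONTROLS))
    print("Within a $1,000,000 budget:", plan_within_budget(CONTROLS, 1_000_000))
```

The simple ratio and the net-benefit test can disagree: R0004's Insider Threat controls score 0.39 on the figure's ratio and also fail the net-benefit test under the assumed factor, while R0003's ratio of 5.00 is the same as R0001's yet its net benefit is lower because the assumed controls remove less of the ARO.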

Risk Mitigation Decisions

Within the constraints of both Budget and Risk Tolerance, the Controls with the most optimal Benefit/Cost/Risk balance are selected, recommended for implementation, and either approved or rejected by senior leadership. Based upon this due diligence, the leadership team will document their decisions on whether to Accept, Reject, Mitigate (through additional Controls), and/or Transfer (e.g., to insurance underwriters) the Inherent Risk within each of the Risk Scenarios that have been identified. These decisions regarding investment in additional Controls, including the Residual Risks for each Risk Scenario, complete the organization's Risk Level Agreements (RLA). The executive team (and board as appropriate) document their agreement regarding what investments will be made (or not), including what Residual Risk will be accepted (ref. the additional columns on the far right in the diagram below).

Residual Risk

Finally, any "Residual Risk" (those Risks remaining unaddressed) is clearly documented, often using the same Risk Register described above. The Residual Risk is then compared to the overall Risk Tolerance of the organization. Where Residual Risk still exceeds the organization's Risk Tolerance, additional Risk Mitigations may be considered, or the Residual Risk should be explicitly Accepted or Transferred.

Figure 6 - Example "Risk Register" Including Executive Agreements
(The same five Risk Scenarios and columns as Figure 5, with DECISIONS columns appended: Decisions (Avoid, Accept, Mitigate, Transfer), Authorities (CEO, COO, CSO, CTO, Product, Eng, India GM, recorded as initials) and Dates (Date Decided, Last Reviewed, Next Review). Which of the four decision columns each "X" falls in was not preserved in the extracted text.)

ID    | Decisions | Authorities          | Date Decided | Last Reviewed | Next Review
R0001 | X X       | AB CD EF GH IJ KL MN | 2022-02-01   | 2022-02-01    | 2023-02-01
R0002 | X X       | AB CD EF GH IJ KL MN | 2022-02-01   | 2022-02-01    | 2023-02-01
R0003 | X X       | AB CD EF GH IJ KL MN | 2022-02-01   | 2022-02-01    | 2023-02-01
R0011 | X         | AB CD EF GH IJ KL MN | 2023-02-01   | 2023-02-01    | 2024-02-01
R0004 | X X       | AB CD EF GH IJ KL MN | 2022-02-01   | 2022-02-01    | 2023-02-01

Our team at Phenomenati hope you find this concept of Risk Level Agreements to be as useful as we have in improving strategic level planning and reporting between your Executive Teams and your Boards.
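An added Python example of the check that the Risk Mitigation Decisions and Residual Risk sections describe; it is not code from the article or from Phenomenati. Each scenario's retained ALE (residual after mitigation, less any transferred portion) is compared against the organization's Risk Tolerance, and anything still above it must either carry an explicit Accept decision or be sent back for more mitigation or transfer; the check also flags rows with no recorded authority, a Transfer with no transferred amount, and overdue reviews. The decision and authority columns mirror Figure 6; the residual ALE values, the transferred (insured) amounts, the tolerance figure and the as-of date are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

DECISIONS = {"Avoid", "Accept", "Mitigate", "Transfer"}


@dataclass
class Agreement:
    """One executive decision row, as in the DECISIONS columns of Figure 6."""
    scenario_id: str
    inherent_ale: float
    decisions: frozenset          # subset of DECISIONS; a row may carry more than one X
    residual_ale: float           # assumed ALE remaining after the mitigating controls
    transferred: float = 0.0      # assumed portion of the residual carried by insurance
    authorities: tuple = ()
    date_decided: date = date(2022, 2, 1)

    @property
    def retained_ale(self) -> float:
        """What the organization itself still carries after mitigation and transfer."""
        return max(self.residual_ale - self.transferred, 0.0)

    @property
    def next_review(self) -> date:
        # Figure 6 shows a one-year review cycle (2022-02-01 -> 2023-02-01).
        return self.date_decided + timedelta(days=365)


def validate_rla(agreements, tolerance: float, today: date):
    """Return a list of findings; an empty list means the RLA is complete and within tolerance."""
    findings = []
    for a in agreements:
        if not a.decisions or not a.decisions <= DECISIONS:
            findings.append(f"{a.scenario_id}: missing or unknown decision {sorted(a.decisions)}")
        if not a.authorities:
            findings.append(f"{a.scenario_id}: no approving authority recorded")
        if "Transfer" in a.decisions and a.transferred == 0:
            findings.append(f"{a.scenario_id}: marked Transfer but no transferred amount recorded")
        if a.retained_ale > tolerance and "Accept" not in a.decisions:
            findings.append(
                f"{a.scenario_id}: retained ALE ${a.retained_ale:,.0f} exceeds tolerance "
                f"${tolerance:,.0f} and is not explicitly Accepted (more Mitigation or Transfer needed)")
        if today > a.next_review:
            findings.append(f"{a.scenario_id}: review overdue since {a.next_review}")
    return findings


# Constructed rows loosely following Figure 6; residual and transferred amounts are assumptions.
AUTH = ("AB", "CD", "EF", "GH", "IJ", "KL", "MN")
RLA = [
    Agreement("R0001", 1_000_000, frozenset({"Mitigate", "Transfer"}), 250_000, 200_000, AUTH),
    Agreement("R0002", 1_000_000, frozenset({"Mitigate", "Transfer"}), 250_000, 0, AUTH),
    Agreement("R0003", 1_000_000, frozenset({"Mitigate", "Accept"}), 500_000, 0, AUTH),
    Agreement("R0011", 4_000_000, frozenset({"Mitigate"}), 1_000_000, 0, AUTH, date(2023, 2, 1)),
    Agreement("R0004", 2_000_000, frozenset({"Accept", "Transfer"}), 2_000_000, 1_000_000, ()),
]

AS_OF = date(2023, 1, 15)        # assumed date on which the register is being reviewed
TOLERANCE = 300_000              # assumed annual loss the organization is willing to carry per scenario

if __name__ == "__main__":
    for finding in validate_rla(RLA, TOLERANCE, AS_OF):
        print(finding)
```

Run as written, the check accepts R0001 (retained $50,000, within tolerance) and R0003 (above tolerance but explicitly Accepted), and reports three gaps: R0002 claims a Transfer with nothing transferred, R0011 retains $1,000,000 with no Accept decision, and R0004 has no approving authority recorded.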
About the Author:
CISO, CPO/DPO, Cybersecurity Executive, Board Advisor, CISSP, CCSA, CCSP, CISM, CDPSE, CIPM, CRISC, CISA, currently a Managing Director with Phenomenati, Scott Foote is a globally recognized thought leader and subject matter expert with more than 35 years of technology leadership experience in cybersecurity and the broader software industry. Scott is an experienced cybersecurity executive, designing security and privacy into digital transformation initiatives for his clients. Scott has an acute ability to understand and map organizational needs to security models, architectures, solutions, and technologies.


“Cybersecurity, like life,
has the colours that you give it”
Stéphane NAPPO

“KNOW THYSELF”
The Ancient Greek aphorism "Know Thyself" (Greek: γνῶθι σεαυτόν, transliterated: gnōthi seauton; also ... σαυτόν … sauton with the ε contracted), is one of the Delphic maxims and was inscribed in the pronaos (forecourt) of the Temple of Apollo at Delphi according to the Greek writer Pausanias (10.24.1). The phrase was later expounded upon by the philosopher Socrates who taught that: “The unexamined life is not worth living”.

An unexamined business transformation strategy is not worth implementing. To facilitate and maintain the confidentiality, integrity, and availability of data and business operations, consider creating roadmaps to digital transformation; designing a reliable system, where your security strategy is a part of your digital transformation strategy. People are an imperative part of the system.

In essence, automation should NEVER create a function. In the aim of preserving corporate identity and user/customer experience, automation must be driven by a clear functional need and relevant compliance knowledge. For automation (just a tool) to provide a global vision, monitoring, interoperability, traceability, orchestration and steering features, a NEW holistic and strategic vision is required.

As truly successful business decision-making relies on a balance between deliberate & instinctive thinking, so does successful digital transformation rely on interconnectedness & interdependence of the state-of-the-art technologies. In information and cybersecurity, to identify adversaries, to find unknown security vulnerabilities, to reduce cyber risks and envision the potential future threat landscape is crucial. To understand, develop and cultivate remarkable resilience is vital. Have in place an ever-evolving cyber resilience blueprint. Arm your business in the face of future cyber threats. Mind the systemic nature of a cyber threat landscape. 'Know thyself' to increase your cyber-resilience. Strive to inform and educate. Education has always been a profit-enabler for individuals and the corporation. Education, both conception and delivery, must evolve quickly and radically to keep pace with digital transition. Education is a part of the digital equation.

Ten Recommendations for Cyber Resilience Strategy:
Identify, Protect, Detect, Respond and Recover (NIST CSF domains for managing cyber threats) remain fundamental steps, then the race is on. And, therefore, it is crucial for an organisation to adhere to these ten recommendations while aiming at a high level of cyber resilience:
• Align information and security strategy with business digital transformation strategy.
• Adopt a comprehensive cyber risk management attitude.
• Identify the most critical information and assets.
• Find and Manage vulnerabilities.
• Reduce cyber risks in projects and production.
• Optimize strategically chosen systems reliability.
• Evolve your security to a prevention-based strategic architecture.
• Pledge to employ the state of the art digital and defence solutions.
• Regularly instruct your teams to empower and strengthen their resilience.
• Scale your success by sharing the knowledge and intelligence.
By Stéphane Nappo

MAGAZINE
Human Centered Communication Of Technology, Innovation, and Cybersecurity
TOP CYBER NEWS
AN AWARD-WINNING DIGITAL MAGAZINE
ABOUT PEOPLE, BY PEOPLE, FOR PEOPLE
Ludmila Morozova-Buss
Editor-In-Chief
Doctoral Student
Capitol Technology University