
Less Talking, More Listening: The Power of Paying Attention in InfoSecurity

Bobby Ford
12.08.2021

Illustration by Pete Gamlen

Bobby Ford, CSO at Hewlett Packard Enterprise and former CISO at Unilever, shared what he has learned from his career so far, and why he believes that listening is the key to keeping our data safe.

Listen to the full podcast here, or read on for Bobby’s top three takeaways.

Mature security programs happen at the intersection of business intelligence and threat intelligence

When building a security program at a new company, you have to recognize that every company is different. Every board is different, every CEO, every manager is different, and if you go in there with some preconceived idea of what they need based on your previous experiences, then you’re setting yourself up for failure. So the first thing you have to do is listen. And that is one of the things that I believe most professionals get wrong – they come into an organization and, initially, do more talking than listening.

So, what does a good listening plan look like?

At its core, a good listening plan follows three steps:

  1. Identify the stakeholders
  2. Plan questions to ask them
  3. Let the conversation go where they want to take it (i.e. listen)

Once you’ve devised a plan and you’re engaging in these conversations, it is important to understand that what you’re really listening for is business intelligence.

  1. How does this organization make its money?
  2. What are the strategic imperatives for this organization?
  3. What are the geographies that they really want to be in?
  4. What are user behavior and user appetite like?

Once you have gathered that business intelligence, you layer threat intelligence on top. It’s that simple, and it is at this intersection where the best security programs are born.

The function of the CISO is to enable the organization to take risks

I believe that the function of the CISO is to enable the organization to take risks – they’re not meant to be the captain of the ‘no police’. If the organization didn’t take any risk, then they wouldn’t need anyone to manage these risks!

Now imagine you have hired me to provide security services. Suppose you told me: ‘Hey, I wanna go to Tel Aviv’ and I said: ‘You can’t go there, it’s too dangerous’. So, you say: ‘What about Baghdad? Or Manchester?’ If my response each time is: ‘No, it’s too dangerous’, at some point you are going to say: ‘Bobby, that’s not why I hired you!’

‘I hired you because I want to take risk. I don’t need you telling me where I can’t go, I need you to gather threat intelligence so that when I identify the places I want to go, you can equip me with the controls I need in order to go there.’ 

That, for me, is the role of a CISO – to enable the organization to take risks while putting the right controls in place to reduce risk as much as possible.

Securing edge devices is now more important than ever, but it is no easy feat

I believe that it becomes more important to secure the edge when working from home. When people work in an office and they’re sitting at a desk with their colleagues around, there are certain sites that they may not visit because of the additional scrutiny.

Now that people are working from home, they may feel more inclined or more comfortable visiting these sites, where the security is not as robust as we would like. What that means for me as a CISO is that I have to have controls in place that allow you to do that while keeping the work environment secure.

So, I think that looking forward we are going to have to think differently about edge devices and how we can secure them. But this is no easy task, and we are going to have to get pretty creative.

For more from Bobby Ford and his take on cybersecurity today, listen to our Tessian Podcast episode, here.
