The Voice of Cyber®

Episode 128: Chirag Joshi
First Aired: September 07, 2022

Chirag’s ambitious goal is simple—to enable human progress through technology. To accomplish this, he wants to help build a world where there is trust in digital systems, protection against cyber threats, and a safe environment online for communication, commerce, and engagement. He is especially passionate about the safety of children and vulnerable sections of society online. This goal has served as a motivation that has led Chirag to become a sought-after speaker and advocate at various industry-leading conferences and events. Chirag is respected as a thought leader in cyber security with keynotes and presentations at forums in the United States, Australia, and Asia. His podcast features insights from distinguished professionals in a wide range of disciplines including media, entrepreneurship, executive leadership, and futurology.

He is the author of the highly successful book “7 Rules to Influence Behaviour and Win at Cyber Security Awareness” which has been purchased in over 11 countries across the world and became an Amazon Australia Best-Seller in its category.

During the course of his career spanning across multiple sectors and countries, he has built, implemented, and successfully managed cyber security, risk management, compliance, and awareness programs. The success of these programs was a result of unyielding focus on business priorities, a pragmatic approach to cyber threats, and most importantly, effective stakeholder engagement. Chirag has held senior leadership positions in large, complex organisations and excels at the art of translating business and technical speak in a manner that optimises value.

Chirag has also conducted several successful cyber security education sessions for executives and non-technical audiences in diverse industries such as finance, energy, healthcare, and higher education. He has led teams and managed multi-million-dollar budgets and transformation programs. He has experience in both IT and OT environments, and in leading cyber security through de-mergers and divestments.

Chirag has extensive experience with a wide range of standards, frameworks and regulations including NIST CSF, APRA CPS 234, AESCSF, PCI DSS, Health Insurance Portability and Accountability Act (HIPAA) and ISO 27001/2.

Chirag’s academic qualifications include a master’s degree in telecommunications management from Oklahoma State University and a bachelor’s degree in electronics and telecommunications engineering from the University of Mumbai. He holds multiple certifications, including Certified Information Security Manager, Certified Information Systems Auditor, Certified in Risk and Information Systems Control, and Certified Data Privacy Solutions Engineer.

His areas of expertise include strategic cyber advisory to executives, cyber risk management, cyber strategy and architecture, security and technology governance, cyber transformation programs and security awareness training.

Get a copy of 7 Rules to Become Exceptional At Cyber Security: A Practical, Real-world Perspective For Cyber Security Leaders and Professionals on Amazon and Chirag’s website.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Introduction (00:15) You're listening to KBKast, the cybersecurity podcast for all executives cutting through the jargon and hype to understand the landscape where risks and technology meet. Now here's your host, Karissa Breen.
Karissa (00:29) Joining me today is Chirag Joshi, author of Seven Rules to Become Exceptional at Cybersecurity. Chirag is also a board director of ISACA within Sydney. Now, today, we will be discussing the new release of your book. So, Chirag, welcome to the show. We're excited to have you here today.
Chirag (00:46) Thank you so much, Karissa. I really appreciate the opportunity and hello to your listeners as well. This is something I'm looking forward to a conversation we'll have.
Karissa (00:55) And it's interesting because, look, I know you well online, but then I think it was only recently we actually spoke on the phone. I'm familiar with your work, what you've been doing. I know that you've written a previous book, so I'm keen to jump into the specifics of why you wrote the book. What's in the book, what can people learn from it? So maybe start with a bit of a synopsis. So what's the book about and what can people expect?
Chirag (01:25) Yeah, look, so really, if you think about it, I'll first start with just the way I think about cyber security and that helps explain why I wrote the two books. So really, for me, cybersecurity is about human progress. It is about enabling human progress through trusting technology. Technology which has helped accelerate the progress of us as a civilization. Technology which helped keep businesses alive, maintain our sanity through entertainment, collaborate, communicate with people, even in the midst of the pandemic we found ourselves in. So I value a lot what technology has done for us as a collective, but really for us human beings, to be able to trust it and use it. That's where cybersecurity comes in.
So my really guiding principle has been around thinking about cybersecurity, first, as a human issue. Second, align with the business. It exists to enable business and organisations to deliver services and for people to benefit from them. And then finally, it's about the technical controls or technologies that is involved in cybersecurity. So really, that's how I thought about it. And that is where both my books derive their guiding principle from. Now, my current book, which we are talking about, which is called Seven Rules To Become Exceptional At Cybersecurity, really, that book in synopsis, it's about bridging the divide between CyberSpeak and cybersecurity and the business.
Chirag (02:51) Because as we look at the world today, we see that the awareness around cyber security has never been greater. People know that cybersecurity is important. Ten years back, we had to explain, but I think now, largely, people understand that it's a topic of conversation at the board level, at the executive level, it's a topic of conversation in everyday lives, thanks to documentaries on Netflix and other streaming services. So people generally see the value. And I think now when people know about it, people do want to understand how they can help and they want to understand how their organisations are protected and how their data is protected. So while that is great, we are starting to see a rise in cyber threats that correspond to it. Right? Because let's be honest, cybercrime is a very profitable endeavour and the barrier to entry is much lower than other forms of crime and the prosecution attribution of cybercrime is much harder. So where money goes, typically crime follows, right? So that is where we are starting to see a big rise in cyber crime. We are starting to see heightened activity with nation states because obviously the reliance on technology is so much more and the interconnectedness of our physical and cyber systems is becoming more prominent.
Chirag (04:09) So with that in mind, you start to see a lot more activities from nation states, from criminals, insiders who might be disgruntled. So when you have a rise in cyber crime and cyber threats, and people are acknowledging the importance of it, you are starting to see investments flow into cybersecurity, which is great, which is what was needed. However, what we are still seeing now is a bit of a gap where if you talk to executives and board directors, they're not completely comfortable or understand how the investments are being geared. If they're investing appropriately, are the organisations just right in terms of the protection? And if you talk to the cyber folks, they are faced with increasing workloads, they are faced with increasing demand on their time. You are seeing a high level of burnout in the cyber community, which is a problem. You're seeing a skills shortage, which is coming to the fore as well. So you see these two different challenges emerge. And really, the book which I wrote was a perspective on how do you bridge them, how do you communicate in a way that you can get value from cybersecurity? People who invest in it get confidence and people who are trusting technology get confidence.
Chirag (05:21) So that's really the idea and the way the book is structured. And both of my books, I try to keep them short and concise. Unless people are doing degrees or pursuing certifications, I think there is very little appetite to read large textbooks. So I try to keep my books less than 200 pages, something where somebody should be able to retake the book and finish that in a couple of days at the most, and get some value out of it and then be able to leverage resources to learn more if they so desire. So that's really the idea on how I write these books. And for my current book, there are seven rules and five of them are more focused on really the cybersecurity aspects of things.
Right, so the strategies, the approaches that our professionals need to take and develop. But the last two rules are more around the mindset and other complementary skills which are equally, if not more important than the core cyber skills. So that is where I wanted to create a simple, straightforward, short, concise book where you could pick it up and understand what was needed for you to be an effective cyber security career professional.
Chirag (06:25) I call them exceptional, restarting, effective. And the more you do it, the more exceptional you get. But also if you are an executive or if you are a business leader or you're a board director and you want to understand what does good look like from a cyber perspective, you can read this book and get a sense of what you should be asking your teams to do and guiding them in that direction and enabling them to work on their challenges. So hopefully that helps in terms of explaining kind of the drivers for the book, what the book wants to address. And then as we get further in the conversation, happy to talk about specific rules as well.
Karissa (06:58) So do you think, from your perspective, people out there that are perhaps not cybersecurity professionals or business leaders, do you think they know what good looks like? And then I guess a follow up question to that is it depends on who you ask. People have got different versions of what looks good. How do you get a good barometer on that?
Chirag (07:16) That's a really good question because what would look like would depend. However, now we are starting to see some regulations emerge. So if you pick Australia, for example, and you pick the financial services sector, APRA CPS 234 introduced a lot of good guidance and requirements that essentially laid down expectations for executives and board directors to be aware of the cyber risks and be comfortable with the controls, the countermeasures, the investments that are being made to manage the cyber risk.
So I think having an understanding of your cyber risk environment really is the first step for you to identify what it looks like, because good cyber risks relate to business risks. It depends on the kind of business you're running. If you are running an ecommerce business, something that relies heavily on internet channels, your risk profile is fundamentally different than if you just have a static web page and a lot of your operations are offline. And furthermore, it could be different if you are running an operational technology environment, such as energy sector telecommunications or some other areas where there is operational technology involved, not just IT systems. So what business you run essentially dictates the cyber risks you have and that should dictate the investments, the controls, the measures you put in.
Chirag (08:31) So I think having that mindset and knowing what you're doing for these things is what good can look like if you are an executive, if you are a director and all you get from your cyber team and your cyber leaders are a bunch of technical statistics that you don't understand completely and you are not really sure of how we are contributing to bringing down risk. Well, that's a problem and I think that's where I say that what good looks like needs to start with the one at the top and needs to start with expectations you set.
Karissa (09:02) Do you think that's a common problem that we have?
Chirag (09:04) Yes, I think so. I think so. It is a common problem to the extent that because now cyber security is becoming so much more prominent and it is now starting to get visibility at the board level. Traditionally you didn't have board directors necessarily with the cyber expertise, you didn't really expect that traditionally. I think that's a problem. Even today have a common definition of what a Chief Information Security Officer's role should look like. It depends on organisation the sizes and that's a challenge, right?
Because if you see the title of a Chief Financial Officer, the CFO, you can largely figure out what role they should perform. It's been established for a long time, but as a CISO it could mean different things to different people. And some CISOs are a lot more focused on the conversations that we are having, an executive board level where some CISOs are technical practitioners. So I think there is no clear definition there. And which is where from a perspective of executive board level, I think you need to create some common guidelines and some common established practices on how you can get value from it. When you're investing money into something, when you're overseeing the obligations that you have, how do you get comfort that they are being met?
Chirag (10:16) And I think that's an emerging area where it's going to get more and more attention. So in the past you could see, you could cite a report coming from your cyber team and check a box off. That's not going to be very helpful going forward. You're starting this regulations all over the world where there is an expectation that you know more than that. In fact, even things like mergers and acquisitions, cybersecurity is becoming very prominent in things like environmental, social governance, which is getting prominent. Cybersecurity is becoming really key in those things as well. So the world is changing, the expectations from the executives is changing, expectations from CISOs are changing and I think that is where we need to adapt to this new world and it's a problem we are all collectively trying to solve.
Karissa (10:55) So there are seven rules in the book. So maybe, Chirag, if you could start from one down to seven, if you could list them out, that would be great.
Chirag (11:03) Yeah. So the first rule really is what we started talking about. It's develop a business aligned mindset, right? So I'll first walk you through the rules and then we can perhaps talk through them.
So the rule one is develop a business aligned mindset. Rule Two is recognising that cyber security is a risk management exercise. Rule Three is called Measure It, and it talks about why you need to measure and how we need to measure the success of your cyber programmes to give confidence to people who rely on. Rule four is addressing the human factor, because we know for a fact that most studies put the human factor at approximately 80% of all cyber security incidents and breaches. So eight out of ten security incidents and breaches could potentially be avoided if people did the right thing, follow the right processes, did not fall for social engineering scams and so forth. Rule Five is about understanding the design and execution of cybersecurity strategies. So no matter what your role is in the organisation, you need to understand holistically how does cyber strategies get formulated and run, because then you can play an effective role in that entire lifecycle and find your home in that process.
Chirag (12:10) Exceptional cybersecurity professionals need to see the big picture. It's not just about running your tool, running your process, doing a risk assessment, it's understanding how does that factor in the big picture. Rule Six, this is an interesting one because it's about master the art of differentiating skills. So I don't call them soft skills, I'm calling them differentiating skills, because if you put two people with similar technical acumen together, differentiating skills will determine to me who has a better chance of succeeding and moving up either organisational ladder as running successful businesses or being good entrepreneurs. So it's not of differentiating skills, which to me is super important and finally is about building an authentic brand. And brand building is not just for marketing. Brand building is establishing your personal, your team, your professional brand, so people can trust you when you show up to present something.
They trust you when you take charge of a project or initiative. They trust that you will do the right thing by them, because you build up a brand that is grounded in authenticity, grounded in some reality. And it also addresses a challenge that we face in industry, where a lot of smart cyber people are still reluctant to come forward with sharing the thoughts more publicly for whatever different reasons.
Chirag (13:23) Imposter Syndrome, not being comfortable, not thinking much of promoting. Well, promotion, when done right and for the right reasons, is really powerful. So those are the seven rules that are distracted, happy to kind of walk through them, depending on the interest area.
Karissa (13:38) Yes. I'm curious, how did you get to selecting these seven rules? What was your journey to arrive at the seven and why these seven?
Chirag (13:48) Yeah, so, for me, I looked at it from a perspective of a cyber security leader who's trying to operate in different environments and trying to execute successful cybersecurity programmes. And when I looked at it that way, I put myself at the centre of all the different things that need to happen. And I've been fortunate in my career that I've worked in many different industries. So that's given me some insights into the challenges that are unique to industries but also the common challenges that exist regardless of the industry. And because I've had roles that go all the way from being hands on technical cybersecurity person to all the way now being executive and leading teams, I've seen the journey. So I put myself at the heart of everything and put it from a perspective of somebody who has learned from the good things, learned from mistakes and they come up with the rules. But I wanted to create and I picked these seven rules because I truly believe that there is plenty of collateral out there in the marketplace, works, podcasts, courses that teach people cyber security to and that teach people business leadership.
But there is very little in the ways of some practical advice that combines them.
Chirag (15:10) So it's something which I am very passionate about is how do you combine the actionable, practical things that people can do from a cyber perspective but also be comfortable in the leadership skills. So hence I arrived at these rules and I tried to fit in what I thought was the most relevant. So for example, when I talked about the rule number one is develop a business aligned mindset. Because to me it all starts with the business and it all starts with what you're trying to protect, what you're trying to serve and who you serve. So the product services, your quarterly updates, the market trends, your competitors, how your customers benefit and how they engage with you, all of that is so relevant to anything we do in cybersecurity. In the context of daily grind of cybersecurity, there is so much that happens on a daily basis that you can lose that you can lose that thinking sometimes and that becomes a problem because then you are perceived as a blocker, you are not perceived as an enabler. And the way to get investments, the way to get value delivered is through being an enabler, being a partner.
Chirag (16:13) But I also called out things in the rule number one which talks about why exceptional cyber leaders and professionals need to have an adequate level of understanding of how finances work, of how procurement works, because these things are material. When you talk to business executives, they understand the language of risk and finances. That's something that they've been doing for decades. It's not new. So when you can put your suggestions, your thoughts, your initiatives, your activities in the context of finances, in the context of risk, I think that gives you a lot more credibility.
But also talked about in rule number one as to how you practically run into challenges because I've seen that myself and I work towards addressing them is how does cybersecurity get funded? And once you understand how it's funded, you understand how business thinks of you and the sourcing models, the funding models, operating models, the importance of all of those need to be reflected, which is where I put these things align with the business mindset, align with the strategies. So really my goal with the first five rules was around somebody should pick this up and understand how they should think about cybersecurity, how their executives think about cyber security, and start building bridges towards addressing those factors.
Chirag (17:32) But it's also then I went into some detail around the common threats we see in the world today, and the biggest one that we're starting to see is ransomware. Another big one is around third party supplier security. So I did just want to leave it at a high level, but wanted to go into some specifics on what you can do to address these areas, but also what you can do as a small business, because you might not be able to do everything that I'm suggesting that you can. So what can you, as a small business take and run with that can help you in your unique circumstance? So I think that's where the first five rules came from. And the second two rules were like the last two rules were around how do you operate? And that's where I think it's really important, is being a good operator requires certain skills that most people may not naturally relate to, at least in the cyber circles, right? The art of good writing, the art of putting options on the table, the art of thinking about execution, the art of storytelling, which is so powerful. And storytelling isn't just about grand presentations, it's daily lives.
Chirag (18:38) It's actually things when you communicate with your teams, with your customers, how do you embed those?
How do you think about your own mental health and well being, your physical health and well being? How do you set yourself for success in those factors? Because no matter how skilled you are, no matter how great of presentation skills you have, if you don't have the right energies and if you don't have the right tools at your disposal to take care of yourself, it's kind of moot point. So I think those things also needed to factor in. And like I said, the final rule was around brands because people do business with people they trust, and sometimes you don't have time to trust everybody. So that's where social proof comes in. And to build a good social proof, you need to have something which is a tendency behind it. So I think that's where these rules were derived from and that is really why I wanted to restrict it. Look, it's always a challenge when you're trying to write a short book and not write a really long book. It's always a challenge on what you want to focus on.
Chirag (19:33) I could have written ten more rules, but then you end up writing a textbook and which is something which I really wanted to stay away from.
Karissa (19:40) Yes. No, you're absolutely right. I think it's good. Short, sharp and succinct. So I want to focus on six and seven. So maybe let's start with number seven, building out a great brand. So do you think, I mean, you sort of touch on it before, but why are people afraid to talk about their thoughts and their insights? I mean, this is probably part of the reason I started the podcast originally. It was like so many great people like yourself out there that have really good insights and really good knowledge, that have been working in the field for a long time. And so if they come on the show, it looks maybe less self promotion. So I think people will happily come on here and talk, but they won't do it just on their own accord. Why is that the case, though, from your perspective?
Chirag (20:24) I think there are a few reasons. Right.
For me, I think one of the challenges I do see and because through my work with ISACA, through my work with all the initiatives that I've involved with, even the organisations I lead, I see there is a couple of things. One is Imposter Syndrome is a really big thing. Where even really smart people are not completely sure that what they're going to say is going to be useful. And then again, the question is, who am I to say this anyway, right? So I think the Imposter Syndrome is a big time problem. The second problem is also, and I'm not sure if this is unique to a lot of technologists, because when cybersecurity now, I think it's an open field, there is room for no matter where you come from, what your education is, there is room for you in cybersecurity. Marketing, accounting, finance, whatever background you have, there is room for you. But a lot of cybersecurity professionals initially did start in more technology focused roles. They were more technical in their learnings, in their teachings, in their initial work. And for a lot of those people, promotion and self promotion weren't necessarily pursued in the right light or thinking of it as the right thing.
Chirag (21:38) I think we need to change what promotion and self promotion mean. I mean, culturally, for some people too, it's a problem where culturally it's been told that we shouldn't try to shine too bright, otherwise you have problems. So there are all these barriers that people put in front of themselves and there is one common barrier also is how do I get started? I don't even know where do I start? Because I posted something on LinkedIn, but I got two likes and I did that twice and now I don't think I get engagements, I'm going to stop doing it. Right. So these are the things that people don't use. This stuff is hard. I don't think it's easy.
Karissa (22:15) Takes years, though, as well. Years.
Chirag (22:18) It takes years, to your point. Exactly.
Like, I'm grateful now that I get good engagement when I post something or when I share something. But I look back six years ago, I don't even think I got one or two likes from any post. And that's okay. And that's why I tell people it's okay. When you start out, it's okay. But that's where the rule comes in. It's not just about the why, it's about the how as well. And to me, the how comes from not taking a scattered approach, not trying to share everything and not getting distracted by everything. It's really start with what you're doing today. What are you going to focus on? I think the easiest thing to do is sharing about something that you are working on today, or work recently completed a project, obviously within the bounds of keeping your work confidential to the degree is required. You can still share general learnings. If you read an article online you find fascinating, don't just share that. Don't be lazy. Take time to write two or three key takeaways that people can benefit from. And I think if you start with the desire, if you start with the desire of actually, you're not doing this promotion just for the sake of promoting yourself, but actually helping people.
Chirag (23:23) That to me is the most powerful aspect, is when you have a desire to serve. And what makes me the most happy is when I get messages from people who I don't know, who I've never met and who have never even engaged with my content, but they reached out to me saying, hey, actually see the stuff you post. And it has helped me kind of break through some of my own mental barriers. Now I'm presenting something well, that makes you really happy. And I think people underestimate how many people are passively engaging with the content that you share. So I think that to me, is really powerful. So I think you need to start with that.
But even within your own organisations, as cyber folks are now becoming, they need to get out of the shadows with their comfortable working and they need to be more visible. They are business partners, and for them to be meaningfully successful in their careers, they need to be comfortable talking to business audiences. I think this is where brand is important. I think you need to be able to position your team brand as well, not just your personal brand.
Chirag (24:24) How will your team be perceived? Do people understand what your team does? Is your team known for doing what they say and saying what they do? I think I wanted to inculcate that sense of just breaking aside the old barriers of thinking that branding is just marketing speech. It's not a marketing speech, it's a real thing. And psychological value is equally powerful as physical value. How we value things doesn't necessarily come from what they are, it's how we perceive them. You could get a really nice meal prepared by the best chefs in the world, but if it's served in an environment which is run down pretty shoddy, your perception of that meal will not be the same or meal if it was a slightly lower quality, but served in a really nice setting, good music, good ambience, good lighting, pursue that more. And which is why we see value assigned to things. So the idea of psychological value comes from a brand and it comes from working it through. So that is something which I really wanted people to focus on. Cybersecurity folks sometimes, and again, I am one of them. I think we need to keep this in mind as we work and as we grow.
Chirag (25:33) And that's why title is exceptional. If you just want to be good enough, that's fine, don't worry about this. But if you want to be exceptional, if you want to be something that truly stands out, well, then you need to have these things in the back of your mind.
Karissa (25:44) Yeah, I love those points.
I think you took the words out of my mouth around people don't like and engage. The other thing is as well with social media, which we're seeing, and I've seen massively on LinkedIn, it's algorithm, right? So it depends on the day and the time or what you put. Like, I don't know, I don't have it all worked out. But some things get better engagement than others. It's not a reflection on the value that you bring. But I've often seen this. Why? Because I do this for a living and people do one or two posts and they're like, oh, I didn't get... You've got to keep showing up and do it for years and years and years and you might not get engagement. And sometimes people will engage and sometimes people won't. I think, like you said, people do sort of lurk from the shadows a lot. So I think that's a key point here, because people are so focused on metrics and numbers and vanity stats. I don't think that that matters. I think it's just if you believe in what you're writing about or what you're posting about, then keep doing it, because even if it impacts someone, then I think then it's done its job.
Karissa (26:47) The other thing I want to sort of talk to you a bit more about is rule number six, master the art of differentiating skills. Now, one thing that's interesting in our space is you touched on, you know, soft skills and all of that, but I still believe that people don't like this aspect, like, oh, you know, soft skills. There still seems to be a negative stigma attached to it. And I want to know from you, why is it the case?
Chirag (27:15) Yeah, no, absolutely. I'll just say one thing before we answer that question, and that's something curious that you did. I forget how long back, but I think you did something which was really cool, where you posted a video every day. For I don't know how many months. And I remember that still because I thought there was somebody who was just being persistent, consistent and sharing your thoughts. So a big shout out to you.
I think that was really good stuff that you're doing. And I know you do lots in the space.
Karissa (27:44) Oh, wow, that was a long time back. KB on the Daily. That was cool. This is like 2017, 18 days.
Chirag (27:50) See, sometimes when people do good things, you remember them no matter how long ago it was.
Karissa (27:55) That's awesome. Well, I'll go show a good branding.
Chirag (27:59) Yeah, exactly. So back to your question. Firstly, I think the word soft skills can be a problem for people, right, because they assume this is some fluffy stuff. It's not really core to what I'm doing here. I am trying to design a secure solution here. I'm trying to run some tooling which is helping us manage threats, monitor logs, deal with real time incidents. And you're talking to me about this flaw, right? So I think we need to change the perception of soft skills. And which is where I deliberately didn't use that term, I called them differentiating skills. Now, here's an example for our listeners, right? The art of good writing and the art of thinking and options. You can say that's a soft skill, right? Well, it's a soft skill. I don't need to write, I don't even think options. But here's a question. When you are trying to present something to your executives or to your business leaders, where you need some investments, or you want to renew a service that is a cyber service, really expensive, but you want to renew it because it's the right thing for you, and you're running in a cost constrained environment with a recession looming.
Chirag (29:03) For example, how would you communicate that if you don't have good writing skills? How would you communicate that to a business leader if you can't put that in two or three different options, that helps them understand what you're asking them to do and what are the options that are available to them?
So I think these are real live day to day activities where if you can't solve these problems, if you can't influence people, if you can't influence executives, if you can't inspire confidence, you won't get the outcomes you want. It's that simple. So soft skills are not just some fluffy stuff, they are material to everything that you want to do. Another example which I have in the book is around storytelling. Storytelling, again, it's not just for marketers, for people trying to sell stuff or people who want to be on TED Talks; it's every single day. If you're running an awareness function, people are going to get tired of the same old phishing related messages and same old password related messages. They want to understand more, they want to engage effectively. Good storytelling is about passing down meaningful, difficult messages in a format that is consumable to people.
Chirag (30:15) Ultimately, we as cyber professionals, are trying to serve people in our organisations and people rely on us. We are not here, just locked away in some room somewhere trying to work on some tools, because I think that's something we got to break out of, because more and more currently, we are seeing investments in cybersecurity, right? But if history tells us something, it tells us that all initiatives, all programmes, all successes can be cyclical. And when you hit the downturn, where you'll potentially have recessions, when investments will be tied, where transformation programmes have run out of money, what will make the difference between good and exceptional or average and exceptional will be these ideas of being able to align with the business, being able to talk the language, being able to convince people, being able to tell stories, being able to learn and grow as a professional. And that's where networking comes in.
You can call that as a soft skill or as a nice to have, but networking to me is foundational to everything I've done in my career and people who I have seen is a bit successor than their career. And networking isn't just about getting some sales going or that's not the idea.
Chirag (31:23) Networking is about you connecting with people with an open mind that helps you grow as a person professional and helps them grow as a person and professional, and that helps foundations for happy coincidences and good events. It could be job searches, could be the next big idea you want to launch, it could be the next big thing you should learn, a skill you should acquire. How do you know these things unless you talk to people? Right? So I think that's where to me, we need to take the stigma away and stop talking over them as soft and nice to have skills. These are foundational skills, these are differentiating skills.
Karissa (32:00) So if you had to sort of wrap the seven rules together so that people could sort of digest this and apply these seven rules, how would you sort of summarise the seven? So people can sort of have like tangible outcomes based on what you're saying?
Chirag (32:17) Yeah. So I would summarise them as, firstly, look at different our audience could have different types of cyber folks, other folks, technology folks, executive. So firstly, just see where you are in the organisation, right? But regardless of where you are, the rules start making you think about what the role you should play and it starts, which I mentioned, which if I summarise it, is understand what your organisation is in the business of doing. And that is simple to say, but really hard to do. And then figure out, okay, this is what my organisation does, this is how my organisation makes money, or this is how my organisation actually serves people, how does my work link with them, how does what I do every single day when I show up to work, open my laptop or walk into an office.
How does it relate to it, the money that is being spent on cybersecurity and the investments I'm trusted with? Because bear in mind, an investment in cybersecurity is an investment that would have been made into a new product or a service, or enhancing a product or a service, right? So when money is invested in something that you do as a security function, are you giving it the best justice, are you giving confidence to the people who rely on you?
Chirag (33:34) And how do you give that confidence? How do you think about cybersecurity holistically that you can manage the different threats and the technology speaker on vulnerabilities around patching? How do you translate that to people who actually can understand better and can give you the support you need so you're not frustrated, you're not getting burnt out? The problem with burnout is sometimes you got to communicate while you're burning out and communicate the challenges that you face. And I think that's a problem. So if I had to summarise it, this is how I'd summarise it. This book should give you actionable rules to derive value from cybersecurity and maximise value from cybersecurity. And it should give you a sense of how to build and run holistic cybersecurity strategies because that's really important. It's the kind of stuff where stuff which you learn when you go through it, it's not what books can teach you. And that's what I've been trying to do, is if I forgot everything I knew about cybersecurity, one day if I write my own book, I should be able to get 70% there. So that's what I'm hoping people get out of it.
Chirag (34:37) They get valuable nuggets of information out of this and then they can look at the resources section and do more detailed reading in the areas that they're interested in.
Karissa (34:44) So where can people get a copy of the book?
Chirag (34:47) Well, they can do it in multiple ways.
So they can go to Amazon and they can find my book there, both in paperback and ebook formats. They can go to my website,, and buy the book that way because they have links to different portals. There is also ebooks where they can find them through my website, things like other channels beyond just Amazon. So I suggest go to Amazon or go to my website should I, and you'll be able to get the book.
Karissa (35:19) We'll make sure that we link copies to the book in the show notes. So really appreciate your time today, Chirag, and sharing a little bit more about your book, what it covers and how this can apply to business leaders and subsequent executives. Thanks very much for your time today.
Chirag (35:35) Many thanks, Karissa. I really appreciate the opportunity. Thank you.
Karissa (35:39) Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes.
Introduction (35:50) This podcast is brought to you by Mercsec, the specialists in security, search and recruitment solutions. Visit to connect today.
Karissa (36:00) If you'd like to find out how KBI can help grow your cyber business, then please head over to KBI.Digital.
Introduction (36:11) This podcast was brought to you by KBI.Media, the voice of Cyber.