The Voice of Cyber®

KBKAST
Episode 290 Deep Dive: Dr. Ivano Bongiovanni | How To Get The Most From Maturity-Based And Risk-Based Approaches To Cybersecurity
First Aired: January 29, 2025

In this episode, we sit down with Dr. Ivano Bongiovanni, General Manager at AUSCERT, as he discusses how to get the most from maturity-based and risk-based approaches in the cybersecurity arena. Ivano delves into the importance of balancing both approaches to enhance cyber resilience, the role of organizational size and industry mandates, and the need for critical assessment of cyber risks. We also explore the challenges of decision-making in risk management, the impact of subjective judgment, and the significance of quality data sources. Ivano emphasizes a collaborative approach involving various organizational constituencies and the crucial role of effective communication and storytelling in cybersecurity leadership.

Ivano is the General Manager of AUSCERT. He is also a researcher, consultant, author, and speaker whose work focuses on the managerial and business implications of Cybersecurity.

A Lecturer in Information Security, Governance and Leadership with the UQ Business School and a member of UQ Cyber, Ivano helps business leaders and executives make evidence-based decisions in cybersecurity. With a professional background in risk and security management, Ivano's work bridges the gap between technical cybersecurity and its repercussions across organisations. He has advised ministers, policy-makers, board members, and senior executives on strategies, governance structures, policies, and training programs for effective cybersecurity management. Ivano is also an experienced facilitator in the fields of Design Thinking and Design-Led innovation, having run more than 50 design-led workshops and longer projects for public and private sector organisations since 2015.

Prior to UQ, Ivano worked as a Research Fellow with the Adam Smith Business School (University of Glasgow) and a Postdoctoral Fellow with the PwC Chair in Digital Economy (QUT). In this role, he worked with public and private sector organisations on projects aimed at facilitating their transition into the Digital Age. Ivano obtained his PhD from QUT in 2016, with a thesis on safety and security management in Australian airports. His academic career includes stints with Bocconi University and SDA Bocconi School of Management (Milan), where he worked as a faculty member and consultant for three years.

He also worked as a Deputy Venue Security Manager at the XX Winter Olympic Games – Turin 2006 and as a Police Officer for the Italian Ministry of Interior.

He has a double MSc in Management of Public Administrations and International Institutions (Bocconi University, Milan) and International Security (Sciences Po, Paris).

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Dr. Ivano Bongiovanni [00:00:00]:
I'm a big fan of the data governance concept. Sometimes I think that it's important to invest in cybersecurity controls, but what about the foundations? Oftentimes we kind of patch the top of the pyramid and we forget about what's happening at the foundation. I think somebody once said, before trying to change the world, get your house in order. I think that is absolutely applicable to the cyber world these days.

Karissa Breen [00:00:41]:
Joining me today is Ivano Bongiovanni, General Manager from AUSCERT. And today, we're discussing how to get the most from maturity-based and risk-based approaches in the cybersecurity arena. So, Ivano, thanks for joining, and welcome.

Dr. Ivano Bongiovanni [00:00:58]:
Thanks for having me, Karissa.

Karissa Breen [00:01:00]:
Okay. So I wanna start at a high level, then we can sort of get into the details. So, like, set the scene. What would be your approach to getting the most from maturity-based and risk-based approaches to cybersecurity? Because, I mean, look, I've interviewed so many people on the show. Everyone has different versions. I'm keen to hear yours.

Dr. Ivano Bongiovanni [00:01:18]:
That's a bit of a hot topic at the moment in the GRC space. Right? It's something that people have been discussing for a while, and probably also with a bit of a dichotomy type of approach, if I can use that term, in the sense that there's a tendency to kind of compare and contrast them. Say, well, either you do maturity-based or you do risk-based. The reality is probably that to get the most of these approaches, you need to actually complement them. So my suggestion would be not to just get stuck into a maturity-based approach. But at the same time, a risk-based approach is probably something that is a little bit more recent in the cybersecurity space, and don't think that just risk-based can really help you with doing things. You get the most when you manage to kind of balance them.

Dr. Ivano Bongiovanni [00:02:07]:
Now, there is also a bit of a conversation that probably needs to be had around maturity, size and budget of organizations. At a starting point, probably when a company doesn't really have much in the space of documented process to control cyber risks, a maturity-based approach makes a lot of sense, because without really worrying too much about what you are protecting, you can go through this quite basic checklist type of perspective where it's almost like a recipe, right? You can get a sense that you're on the right track if you tick all of the boxes of the maturity-based model. So from a starting perspective, when, you know, companies don't really have anything in place, I think that is a good approach. Obviously, as an organization gets a little bit more sophisticated, for example, their maturity and their cyber resilience go up, then possibly a risk-based approach makes sense, especially when we talk about larger entities that have a lot of cyber risks, that have a lot of potential vulnerabilities, that have complex infrastructures, the human factor being a big thing there. Then probably a risk-based approach is, a, more realistic and can potentially be more bang for buck. Again, the big question there is being able to complement them. How do you do so? How do you really make sure you get the most of both approaches? Which in my opinion is really what should be the focus for organizations, really regardless of their size and their industry. Now it's also important to say that there are industries where one approach rather than another is kind of mandated. So, government actually asks organizations to adopt a maturity-based approach.

Dr. Ivano Bongiovanni [00:04:01]:
But again, overall, there's a lot of choice, and there's a lot of freedom for organizations to decide what is best and what is the most fit-for-purpose approach for them.

Karissa Breen [00:04:11]:
Okay. So there's a couple of things in there which are interesting. So I wanna go back to you said people are comparing them. So are they comparing them because they've got differences of opinion on how things should be done, or because they don't understand the difference between the two? What would you say that comes down to in your experience?

Dr. Ivano Bongiovanni [00:04:27]:
I do believe that it's a little bit of a mix of all the reasons you gave before. I wouldn't say that people don't really understand that, because they're both actually quite intuitive. So I do feel like in the GRC space in particular, there is a good understanding of what it means to adopt a maturity-based approach or what it means to adopt a risk-based approach. Probably when you talk to organizations, it's natural, especially in the cyber world, considering that it is very difficult for us to establish what best practice looks like, to go and ask peers, hey, what are you doing in this space? And if you wanna boil everything down to two big umbrella approaches, that's actually maturity- and risk-based. Also, it's important to consider that possibly organizations don't or haven't really managed to combine the two, complement the two together, because, you know, let's also be honest, it can be a significant investment that you have to make as an organization. And we all know that in the world of cyber risk management, we're talking about loss prevention. Now from a business perspective, that is not a great area to be playing with, because, you know, companies are about growth, are about increase of share price or about increase of markets. And so you wanna invest money towards growth.

Dr. Ivano Bongiovanni [00:05:47]:
And so, you wanna invest the least amount of money in loss prevention. So considering also the budgetary constraints that the cyber and the risk people in general have to face, there has been a tendency to say, well, we either do this or do that. Now, the value of a maturity-based approach is quite significant when, as I said before, you don't really know what best practice looks like, because it's almost like it takes the thinking away a little bit. Right? You have your baseline assessment. You look at how you're faring. You set up the different controls. It's always a matter of quantity, as the more controls and the more sophisticated the controls, the more mature you are. But oftentimes it is.

Dr. Ivano Bongiovanni [00:06:35]:
So from an implementation perspective, it's a relatively straightforward process that you have to follow. Obviously, you're still gonna need to take time and resources in making sure that you get those prescribed controls right. It doesn't really require the same level of assessment that a risk-based approach requires. So they do tend to differentiate quite a bit from that perspective, but that doesn't mean that you cannot do them both.

Karissa Breen [00:07:04]:
Do you think people are very black and white towards this? So like you said before, do this or do that. Whereas you were saying earlier, you can sort of harmonize them and they can complement one another.

Dr. Ivano Bongiovanni [00:07:13]:
Yeah. I think people tend to be a little bit black and white when it comes not just to cyber risk, but when it comes to risk in general. Okay? Because obviously, it is a little bit like, well, either you're covering for your risk or you're not. Then obviously there are different degrees in which you can mitigate either the likelihood or the consequences of your cyber risks. But it's a little bit like, well, either you do it or you don't. The other piece that makes people a little bit black or white is that it is very difficult to obtain solid evidence to make assessments when it comes, for example, to a risk-based approach. A risk-based approach is just as good as the quality of the inputs that you utilize to assess your likelihood, to assess your consequences. Or, if you're adopting a more quantitative model, to really come up with the numbers that make your model function and at the end spit out for you an understanding of whether, a, you are investing enough, b, you are reducing your risk by an adequate amount.

Dr. Ivano Bongiovanni [00:08:19]:
So it is certainly, I would say, still more an art than a science. We're getting there. There's a lot more conversations in this space. And look, even the fact that we're having these types of conversations, I mean, it's something that probably 10, 15, 20 years ago, we wouldn't really worry too much about. I mean, back then, cyber risk was probably just IT risk, more in general. These days, obviously, it has entered boardroom conversations. It has become something that, together with your workplace health and safety risks, your other operational risks, your financial risks, board members and executives in organizations have to take into account.

Karissa Breen [00:09:02]:
Okay. So you made a great point around, you know, the quality of the inputs that are there, because things get missed. So can you give me an example of something? I mean, it doesn't have to be... It could be a real basic one, like even driving or something like that. Just to paint the picture of, by the inputs and things not having all the details, how things could easily be missed.

Dr. Ivano Bongiovanni [00:09:21]:
100%. Look, we know that in the cyberspace, consequences, obviously, when you adopt a risk approach, you need two variables. You need to take into account two variables, right? Likelihood of an event to occur, say of a cyber attack to eventuate and be successful, and the expected consequences. And usually, obviously, you tend to calculate those consequences in monetary terms. Okay. It could be the fines that you get if you are compared by abiding by some specific legislature. It could be the business downtime. Unfortunately, in some cases, this could be also physical damage to people as a result, for example, of a cyber attack.

Dr. Ivano Bongiovanni [00:09:58]:
And unfortunately, in the last couple of years, we've seen instances like that. So the consequence side of things, I'm not saying that it's easy to quantify, but it's certainly easier, because if you think, for example, okay, well, how much would it cost our organization if we had, say, a 2-hour business downtime? You can kind of estimate all of that and come up with, you know, some numbers that give you an understanding. And if you cannot, you can actually, if you really want to be sophisticated, utilize tools such as Monte Carlo simulations that actually pretty much calculate all of the possible scenarios and give you a rough idea of where your monetary consequences should be. With the likelihood, that's where we really struggle, because we mainly assess likelihood of something happening based on factors such as: has it happened to us before, yes or no? Has it happened to somebody else in our industry? Yes or no. Are there, I would say, systemic dynamics currently occurring that could increase the likelihood of something happening? I'll give you the, you know, very, very simple example that we've been using for a while. The Russia-Ukraine conflict has increased the likelihood of cyberattacks on Australian organizations because of all the geopolitical implications associated with that. Now as you can really understand, it is still, I would say, a rough estimate.

Dr. Ivano Bongiovanni [00:11:25]:
And, again, that impacts the quality of the inputs that you have. In the physical world, we used to talk about black swans, which are those events that, despite all of our efforts in trying to predict the likelihood of an adverse event or estimate its consequences, nobody could expect. Nobody could really think that that would eventuate. Now black swans are becoming more frequent with the increasing complexity of the socio-technical systems which we rely on. I don't wanna use a kind of mouthful type of term, but it is really the mixture of technology, complex technology, with human actions that creates that overall complexity that increases the chances for unexpected events to occur. So, obviously, all of this picture really gives an understanding of the fact that it is difficult to assess the likelihood and the consequences attached to cyber risks.

Karissa Breen [00:12:30]:
Okay. So there's one thing I wanna focus on. You said likelihood. So I agree. So I've worked in a GRC role before, historically. And sometimes when you go in these risk meetings, and it depends on who you're talking to, tech risk has a very different version of risk than business risk, for example, as you would know. So sometimes when you're getting into the likelihood stage, there seem to be very different opinions, as I just mentioned. What business risk would think is likely is very different to what tech risk would think is likely.

Karissa Breen [00:12:57]:
So how do people sort of find the equilibrium? So for example, like you mentioned before about Russia and Ukraine, historically that may never have been as likely, but now it's, you know, a little bit more prolific. It's happening more. So people have changed, you know, are changing their mindset. But some people may think, well, this could be a huge risk. The likelihood may not happen, but therefore they're discrediting other risks that perhaps don't have as much of an impact, but are a little bit more frequent. So how do you sort of piece all of this together? Because there are so many variables to this as well.

Dr. Ivano Bongiovanni [00:13:28]:
Yeah. Look, I think there are probably two answers to your question. The first one is the fact that we've got to acknowledge that there is a significant component of subjectivity when we assess things such as likelihood and consequences. Again, even think of something as simple as a GRC specialist working in an organization that has been affected by a cyber attack, that has gone through all of the pain that that entails, moving into another organization, or vice versa, and then having to do a similar type of assessment in the pre-event stage. Right? So that person, obviously, is gonna take with themselves a significant amount of, I wouldn't say bias, but a significant amount of experience and knowledge that will shape the way in which they assess the likelihood of a specific event. I mean, if I've seen it before, I'm probably more prone to think, well, this could actually happen again in another organization. So there is certainly that level of subjectivity. The second bit, and, again, I'm not gonna get into personal biases because we would probably open Pandora's box, and we would need a couple more podcasts just to unpack all of that.

Dr. Ivano Bongiovanni [00:14:38]:
And besides, I'm not an expert in human psychology. But the way to kind of make sense of all of it is to try and stay as objective as possible. How do you do that? A, you cannot rely on a single piece of evidence. You need to get as many sources as possible. Now I know that if a CFO heard me, that would immediately translate into costs and expenditure, which could be, for example, don't just go and base your assessment on whatever your single vendor is telling you, but try and get as many sources as possible. But again, it is important to kind of rely on solid evidence. The problem, as I said at the beginning, is that it is very difficult to get solid evidence around events that are very difficult to predict. So as an individual, I think GRC specialists in particular and risk people in general, you really need to be inquisitive.

Dr. Ivano Bongiovanni [00:15:41]:
You really need to be someone that wants to go down deeper and really doesn't stop at the symptoms, but really looks at the root causes of events. Really never stop trying to learn as much as possible. So, you know, listen to podcasts like this one. Try to get yourself some solid evidence from multiple sources, and then you can base your judgment on that. Now perfect judgment does not exist in cyber risk, unfortunately. What we can do is to try and get as close as possible to the best amount of evidence to make our decisions and base our assessments.

Karissa Breen [00:16:24]:
So then on that note, you said try to get as many sources as you can. So how many sources do you think we're talking? I know you said it's hard to obtain, but is there, like, an ideal number to get more of a well-rounded sort of approach? Like, what does that look like?

Dr. Ivano Bongiovanni [00:16:37]:
I don't think it's something, I mean, I can't really attach a number to something like that, because it really depends on the circumstances. And, again, Karissa, we need to be realistic at the end of the day. If we had unlimited resources, you could probably take a long time to prepare your preliminary inputs on the concept of establishing the context. For those of you that are familiar with ISO, that's really getting data, getting information internal to the organization, because a lot of your assessment is driven by things such as the budget, the overall risk appetite of the organization, and the staffing, and things such as the organizational chart as well. Right? And outside the organization, which is where you get your threat intelligence feeds, you get your advisories in. You also look at, you know, macroeconomic and other broader systemic factors to look into it. At the end of the day, it's a project. Okay? So in most cases, you have a limited time, a limited budget.

Dr. Ivano Bongiovanni [00:17:36]:
You're going to have a deadline, especially if, you know, you're doing all of this for compliance reasons. So it's important to also be realistic. You can't go on and on forever. But the important thing at the granular level is to never stop having a critical perspective on the evidence that you're looking at. And that's why I think, you know, a lot of people that work in the risk space have this bit of a researcher type of approach to things. And even consultants out there, there is that kind of ability to consume vast amounts of information in a relatively short time, but obviously using that in a pragmatic, realistic way so you don't keep going on and on and on.

Karissa Breen [00:18:21]:
Okay. So you said before, in terms of the variables, you wanna get multiple sources to get different views on how things look, to get more of a, I guess, an objective approach. But then isn't it a double-edged sword, because you're dealing with so many variables and sources then? And like you said, you can't keep going on and on. But as you're introducing more sources, which I get the intention for, isn't it like, well, this is gonna go on for longer, because now I started with 20 sources and now I've got 70, and it can start to go on and on and on. So how do you find that balance between not overdoing it, but then also not undercooking it?

Dr. Ivano Bongiovanni [00:18:53]:
Yeah. I believe it is probably not just a matter of numbers. I mean, you could probably reduce the number of sources; if they are good quality sources, then you actually don't need to keep going on and on. It's needless to say that sometimes budgets drive all of that. So if you treat a cyber risk assessment exercise as a project, you're gonna have roughly a dedicated budget, which is important to establish upfront. And obviously you can't keep buying reports from outside, because it's gonna cost you money. The other bit that is important to remember is that this is not a solo exercise. That is why it is very important for cyber risk teams to work with other constituencies in the organization, be it the risk owners, be it the risk department in itself, be it IT, be it HR, to really create the right containers for the production of solid inputs and solid evidence.

Dr. Ivano Bongiovanni [00:19:59]:
And again, I don't think that is tasking an individual to go do the research, put together a risk register, assess your likelihood and consequences, produce a heat map, and then report back on that. I mean, I know that unfortunately, the reality in terms of, you know, budgetary constraints often makes organizations do so. That is certainly not the best approach. The best approach in this is a collegiate approach, a collaborative approach where a lot of subject matter expertise is brought into the conversations. And look, I think the issue is probably not so much the lack of subject matter expertise; it's more like creating the right containers. So having that person that does an oversight of the whole process, or the whole project, if you want to call it that way, that knows when to mobilize the different subject matter experts, that knows when it's time to go offline and produce, that knows how to collect feedback, that knows how to communicate the different stages of the process. I mean, ISO 27000, which is probably the best practice when it comes to risk management. And, again, ISO 27001 is literally ISO 31000, that is, the risk management, physical risk management as well, type of standard.

Dr. Ivano Bongiovanni [00:21:22]:
So 27000 kind of applies the risk process that is originally from 31000. The standard is very clear on the need for constant communication with all of the different stakeholders. Now you probably can argue that that is gonna increase the time spent in the exercise. But unless you have that internal buy-in, and unless you take some time to get everybody's inputs and the different voices, the risk is really to not do a good job in the end.

Karissa Breen [00:21:57]:
Okay. So one thing that was interesting, you said if you can get a good quality source, then that's enough. So what would you define, like, how do you find a good quality source? Like, can you give an example? Just curious to understand.

Dr. Ivano Bongiovanni [00:22:07]:
It's very difficult to define what best practice looks like in the space. It probably boils down to common sense as well. Reputable sources tend, I would say, to be trusted because of the fact that they've done those exercises a number of times. Their bread and butter is really looking into producing reliable information and evidence for people to make decisions. Because at the end of the day, we're still talking about decision making 101. So I would probably say reliable, reputable sources. It doesn't have to be the, you know, most expensive vendor in the market. That's not what I'm trying to say.

Dr. Ivano Bongiovanni [00:22:49]:
What I'm trying to say is that, you know, relying on brands that do it professionally, that have been around for a while, it's important. Relying on people's expertise. As I said before, it's really difficult to invent yourself in this space. If you haven't done it much before, it is important to kind of get people that have gone through the process in the past. Now, the downside of that is that they could actually bring some bias. So it's also important to balance subject matter expertise with an outsider's perspective when it comes to risks. Because things that might be taken for granted and might look obvious to someone might actually be a very, very different reality when things happen. And again, also try to look at the people that produce rigorous information as a profession. So, you know, academic reports, research in the different areas, research in the different spaces.

Dr. Ivano Bongiovanni [00:23:53]:
Obviously, numbers help a lot because they allow people to quantify phenomena. So relying on statistics, as long as they have, you know, been built using solid methods. And, look, these days, really any organization at the end of their reports includes, or most of them at least include, a quick note on how a piece of research was conducted, what was the sample size, what were the questions that were asked, and so on. So all of those are signals that probably you're looking at the right place.

Karissa Breen [00:24:25]:
So you said something before, Ivano, around be realistic. Do you think people out there just aren’t realistic, though?

Dr. Ivano Bongiovanni [00:24:32]:
It really depends. I've seen organizations spend heaps of money to protect assets that were not worth the spend. Like, I'm not saying it's a judgment call. It is numbers. Right? If you draw the line and you quantify the value of those assets for the organization, then you ask yourself, well, why are you investing so much in all of this? Is there somewhere else where you could actually potentially be investing? And you also have the opposite side of things, with some organizations that are not really investing in controls to protect the so-called crown jewels, or they're thinking that data or assets in general that they have are not crown jewels when they in fact are. One of the difficult things here is the lack of visibility that a lot of organizations have over their assets. And again, I'm talking about data predominantly.

Dr. Ivano Bongiovanni [00:25:27]:
It's not the physical world anymore, where when you're protecting your house you know exactly the valuable objects you have in your house. You know how much you spent for your TV, you know how much you spent for your, I don't know, jewelry. You know exactly what you have. So, obviously, a traditional defense-in-depth approach can certainly be sufficient. In the digital world, it's not like that. A, because it is incredibly difficult to quantify the value of data. And b, because, as I said, organizations are so complex, so interconnected, that they often don't know where the data is. So going back to your question on not being realistic, sometimes it's difficult because, again, there is no visibility around what you're trying to protect in the first place.

Dr. Ivano Bongiovanni [00:26:18]:
And I'm a big fan of the data governance concept. Sometimes I think that it's important, obviously, to invest in cybersecurity controls. But what about the foundations? What about knowing exactly where your PII is, who has access to it, or even non-PII data, commercial-in-confidence information? Again, where is it? Who has access to it in your organization? Under what conditions? What are they doing with that data? Oftentimes we kind of patch the top of the pyramid and we forget about what's happening at the foundation. Probably being realistic means, okay, well, let's take a step back before trying. I think somebody once said, before trying to change the world, get your house in order. I think that is absolutely applicable to the cyber world these days.

Karissa Breen [00:27:10]:
Okay. I wanna move slightly to decision making. So do you think people, you know, they do all this risk assessment. They've got the reports. They've done it, but then people just can't make a decision, in terms of all of the people that are involved. Right? Because it's not necessarily just one person making a decision. So how does that sort of look then? Like, how do people... because I mean, I've been in these conversations in rooms of 15 different people, and we can't agree on anything, because someone thinks this, someone's trying to protect their project. Another guy doesn't know what's going on.

Karissa Breen [00:27:41]:
Like, how does that sort of sit there? Because that's then getting into managing expectations, and, you know, you're there for a security function. You're there to make sure the business still operates and not slow them down. But obviously you've got to manage risk and all of these things. That's where it gets really difficult.

Dr. Ivano Bongiovanni [00:27:55]:
Yeah, it is. And it probably goes beyond the cyber realm as well. I mean, there's a lot of tricky conversations happening at the organizational level. And it's not just cyber, as I said; sometimes it's finance, sometimes it's workplace health and safety, sometimes it's HR. With the cyber world, obviously we are relatively new, I would say, to this type of conversation. And so, you know, until some years ago, it would have been very difficult to predict that a role such as the CISO would be created. And guess what? That person now reports to a CIO, or even more so to a CEO directly. And that person goes and talks to the board.

Dr. Ivano Bongiovanni [00:28:37]:
So I think we are getting there. We were very new. We shouldn’t forget that as an industry, as a profession, as a transversal function, we’re very new in organizations. So the communication side of things, I believe, is always there. So I believe that it’s actually very, very important to have people help us know how to articulate ourselves, know how to get that essential buy-in. Because at the end of the day, when you have risk conversations, it doesn’t really matter if the owner of the whole process is the CISO or the CRO, if you have a CRO. The important bit is that everybody else in the room, everybody else in that container that you have created upfront, knows that at the end of the day, there’s gonna be someone making a decision regardless of all of the evidence that is brought into play. I think as long as that decision-making process is crystal clear since the very beginning and as long as everybody knows that, hey.

Dr. Ivano Bongiovanni [00:29:38]:
In case of contradiction or in case of stalemate, this person will make the final call. I think things can actually work very well. The struggle that cyber professionals in organizations have always had and are still having is this fight for relevance. Okay? That’s why we used to talk about the fact that, hey, we see it as just being the office of no because we’re all about security risks. And, you know, if in doubt, we’re just going to shut things down or we’re not going to approve a process or an application to be installed or whatever that is. I think we need to kind of be also a little bit self-conscious of where we’re coming in and work on getting that essential buy-in that is fundamental.

Karissa Breen [00:30:28]:
So the other major question I have for you is risk acceptance. So, for example, we’ve done all the risk process, deliberated for days, we’ve come to a conclusion, then the person, the service owner, the general manager, whoever it is, just accepts it. Now I’ve been in those rooms before when someone has accepted it and they do not know what they are accepting because they needed their project to run on time, because they wanted to get their bonus for the year. And that is a real example. How do you then have these conversations with people who are responsible for that particular service or whatever it is, because they’re owning it, but they still say, great. Thanks for all that stuff, Ivano. Your team’s done a great job, but I’m still going to accept it anyway. And they don’t really understand what they are accepting.

Karissa Breen [00:31:09]:
How does that conversation go?

Dr. Ivano Bongiovanni [00:31:11]:
Yeah. That’s a very good question. And look, I think it goes back to a little bit of what I said before. Now, first of all, I would not want to get myself into a position where I simply follow a process and then I let the decision come out almost mathematically from the process. So if I am afraid that the CEO is going to say no, and I know that that’s the right decision to make in terms of, for example, investing in a specific control, I want to have the conversation well in advance of the production of inputs and the production of evidence and so on and so forth. Because, obviously, you don’t really want to just go down the rabbit hole of saying, oh my god, I’ve done all of this work. And at the end, the result is something that I’m actually personally not really confident with.

Dr. Ivano Bongiovanni [00:32:02]:
So establishing a trusted relationship with the decision makers, whoever they are, in the organization is something that has to be done relentlessly. That’s a daily job. It’s not something that you sell and forget. You can’t think that people are gonna hold you in high regard forever. You’re gonna need to kind of work on that. There’s no escape. I mean, honestly, if somebody could tell me how to do that in an efficient way, I would love to hear it.

Dr. Ivano Bongiovanni [00:32:28]:
To me, it’s just that constant conversation, be it the informal meetings, the coffee machine type of conversation, all that. You really need to kind of build the trust and relationship. And then look, I mean, even decision makers, I understand when you bring up the fact that sometimes business goals are in conflict with the risk evaluations. But again, you know, especially at high leadership levels, you would expect that we’re having good leaders. We have good decision makers that realize that, you know, in some cases, no, unfortunately, is the only answer. And that’s the first bit. The other bit is also, you know, risk acceptance in itself is not a bad thing.

Dr. Ivano Bongiovanni [00:33:11]:
I’m not trying to push the conversation around "you need to invest in all types of risks". But obviously, the question then is a step before: are we clear about what our risk appetite is? Have we agreed on what our risk appetite should be? Because then obviously, if you have that clear in mind, even as a CISO, and then you produce your evidence that shows you that, hey, you know what? This particular type of risk doesn’t really exceed our risk appetite, then you yourself have to be okay with making the decision that in this case, we’re going to accept the risk. We know that you cannot possibly cover against all risks. It’s a prioritization exercise. It is something, again, that probably in the cyber world we’re not traditionally very used to doing. That is why I’m a big fan of working with the risk people, working with the risk department, working with all of that. And there’s actually a mutual benefit in that, because risk management as a discipline itself, I actually have a feeling that before the kind of explosion of cyber as an area, was going through a little bit of a crisis.

Dr. Ivano Bongiovanni [00:34:29]:
Right? So, you know, we’ve seen companies cut in the risk management space. We’ve seen investments, you know, somehow go down. Obviously, that depends on the industries. Right? If you’re talking about asset-intensive industries, I’m talking about the likes of mining, aviation, and so forth, obviously, it’s there. They hadn’t really touched things as much. But, you know, one of the first things that you cut when you are an organization, if you have to cut, is probably cover for losses, because of the nature of the discipline itself. Now cyber has actually brought the conversation on risks much more prominently. Right? So you look at, for example, SOCI.

Dr. Ivano Bongiovanni [00:35:05]:
Obviously, the idea is to have an all-hazards approach. It’s not just cyber risk. We still have to cover for safety. We still have to cover for finance. We still have to cover for all other risks. But now cyber is up there as well. So all of a sudden, I do have a feeling that there has been a revamping of the importance of risk departments within organizations. So I think that there’s potentially a powerful alliance.

Dr. Ivano Bongiovanni [00:35:29]:
And what we should also understand in the cyber world is that risk professionals in organizations are the ones that can really help us articulate our narrative for non-cyber slash business people, because they’ve done it. They’ve done it for years. Again, there is this interesting parallel that we can build between the physical security and the physical safety world and the cyber world. The trajectory is incredibly similar. We just came to the same steps much later because of how novel our discipline is.

Karissa Breen [00:36:04]:
So, Ivano, if you had to sort of boil it down to the main issues that people struggle with, and I know we’ve gone on a little bit about multiple different things, would you say it comes down to that narrative, that storytelling, you know, showing people in a way that makes sense, like you’re saying, comparing it to, like, physical risk? Because, again, sometimes cyber and tech and all these sorts of things are hard because people can’t see it necessarily, but they can see physical things, for example. And that’s why we always in this space defer and use analogies from, you know, locking your house and all those sorts of things. But what would be the main things from your perspective that people would struggle with, would you say?

Dr. Ivano Bongiovanni [00:36:40]:
The storytelling component is there. I agree with you. There is probably a lack of, and again, I’m generalizing. I mean, I’ve met CISOs that you would just listen to for hours because they exactly know how to articulate themselves. They know how to speak business. So it’s weird. I’m not trying to say everybody’s like that. But there are situations in which you do feel like the storytelling side of things is a little bit missing.

Dr. Ivano Bongiovanni [00:37:06]:
The communication side of things is a little bit missing. But at the other end, that’s not sufficient in itself. At the other end, we still have to be able to produce solid evidence, because, you know, I mean, you can’t go to your CEO or a CFO with a business case for an investment in a security control that is just purely shiny stuff, and there’s no substance in it. We need to complement the two, the communication side of things, but also the substance side of things. Probably, that also speaks to the type of skills that we want our cyber decision makers to have. We probably need to work a little bit on becoming a bit more T-shaped type of professionals. Traditionally, cyber leaders come from, you know, deeply technical expertise, which is absolutely important.

Dr. Ivano Bongiovanni [00:37:58]:
I would say it’s absolutely fundamental. So having that kind of subject matter expertise, but then also shaping the top part of your T, which is all of those transversal skills, such as communication, such as soft skills, even if we know we shouldn’t call them soft skills, such as, hey, understanding how finance works and why the CEO might actually say no. Being interested in the broader picture of the business. When I speak to cyber audiences, I always tell them, do not forget that you are a drop in the ocean from an organizational perspective. I always mention the 10% of 10%. Again, it’s a super rough estimation, but usually the size of a cybersecurity department within an organization is 10% of the 10%. And the first 10% is the size of the IT department, which is 10% of the whole organizational size. Right? So we’re talking about 1 person out of 100.

Dr. Ivano Bongiovanni [00:38:59]:
Now, obviously, give or take, this is not absolutely perfect statistics. It depends on organizational size. It doesn’t really matter. What matters is that the takeaway is we’re a minority within the organization. So, obviously, it is very difficult for a minority to go on the roof of the building and start screaming at everybody, hey, just do as we say because we know. We are, from that perspective, in a bit of a disadvantaged position. That’s why I stress the fact that we need to build the transversal skill sets that help us be more effective at communicating, more effective at understanding what our position within our business is.

Dr. Ivano Bongiovanni [00:39:40]:
And guess what? In most cases, businesses are not about cybersecurity. They’re about, you know, selling products, they’re about selling services, about all of those things. So be realistic about that and also be good at producing the right evidence that gives substance to our arguments.

Karissa Breen [00:39:56]:
So, Ivano, do you have any sort of closing comments or final thoughts you’d like to leave our audience with today?

Dr. Ivano Bongiovanni [00:40:01]:
Yeah, look, you probably understood that I’m quite passionate about the topic. I think it’s an incredibly exciting space to work in, and the learning that you can achieve. I have daily conversations with people that blow my mind in terms of what they see and what they’ve done, the trajectory they’ve gone through. So just maintain that willingness to learn, that curiosity, that excitement about what you’re doing. The moment you feel like you’re losing the excitement, that’s probably the time to kind of step back and reflect. And we know it very well that burnout is a significant problem in our profession, especially for CISOs because of the amount of responsibility and the amount of stress that they need to go through. So I’ve heard this over and over, and I absolutely second it. When they are there, try to listen to the weak signals.

Dr. Ivano Bongiovanni [00:40:55]:
If the excitement is there, if the willingness to get things done in the right way is there, perfect. Just keep going. Just keep learning. Maintain the curiosity. If you feel like there’s, you know, little warnings here and there about how much you love what you’re doing, about the struggle you’re having, that’s probably important. Not probably. It’s important to then step back and reflect. Okay. Do I have to take some time off? Do I have to search for some support? And so on and so forth.

Dr. Ivano Bongiovanni [00:41:22]:
Baseline, it’s a great profession. It’s a great industry to be working in. And again, we need to kind of keep going because, you know, it’s undeniable that the progress that we’ve had has been mind-blowing as well.