Joe Cozzupoli [00:00:00]:
Threat intelligence, it becomes a business capability, not a report. It becomes a well tuned crystal ball of what could possibly happen if you use it properly. Not just the crystal ball that shows everything happening in the world.
Karissa Breen [00:00:32]:
Joining me now is Joe Cozzupoli, field CISO at Cosive. And today we’re discussing the boardroom view of cyber threat intelligence and speaking the language of risk. So, Joe, thanks for joining me and welcome.
Joe Cozzupoli [00:00:44]:
Oh, thanks for having me. I’m excited to talk about the boardroom view of cyber threat intelligence and how to translate signals and intelligence into decisions leaders can act on.
Karissa Breen [00:00:54]:
Okay, let’s start there. Now, maybe I want to get a little bit more understanding for yourself, Joe, on the boardroom’s view of, of risk and how do you see it?
Joe Cozzupoli [00:01:02]:
So when you sit in the boardroom, when you’re talking to the board, risk doesn’t look like patches, firewalls or threat actor names, APTs. It looks like: will this stop us from serving our customers? Will this cost us revenue or reputation? Will regulators come knocking? Boards want clarity on how a cyber risk could impact their enterprise value, whether that’s revenue, trust, compliance or strategy. They care about how long a service might be down, how many customers could be affected and what the range of loss looks like. In short, they see risk in terms of business outcomes, not security activity.
Karissa Breen [00:01:41]:
Do you think people just get bored of hearing about we’ve blocked X amount of threats or their eyes glaze over? Like at the end of the day, when you’re in a board position, you’re not a cyber person. So, like, whilst cyber security people care about that, majority of these people in this room don’t. Yes, the risk element of it for sure. But do you think people just go on and on about all these other technical details that these people in the room don’t care about?
Joe Cozzupoli [00:02:02]:
Definitely. And that’s where soft skills come in to be able to translate that into their language. So we all hear this now. Talk the same language as a business or talk the same language as what layer you’re talking to. Because if you talk at the wrong layer, at the wrong language, you get sent down to the layer you should be at and then that doesn’t give you outcomes. So you can do a flashbang dashboard and show all these widgets and have all these numbers on it, but if it doesn’t actually translate to anything that the board can understand because you might be there to explain it for that 10 minutes you have. But then when they go away back to their desk and they’re like, what was the size they’re talking about again? What was. How are they going to understand that still?
Karissa Breen [00:02:48]:
Right?
Joe Cozzupoli [00:02:48]:
So it needs to be, yes, you can’t lose them at the moment, but you also can’t lose them half an hour later when they’re back at their desk looking at, doing a review of the meeting.
Karissa Breen [00:02:59]:
So the cyber dude or woman rolls into the boardroom, says, hey, this month we bought we blocked 40 billion threats. Just making a number up. Do they then go to say, hey, and this is what this means in terms of translation? Do you think people stop at the and this is what I mean by this, or do you think people are just very focused on, hey, we do all this cool stuff, we blocked all this stuff, then forget about the byproduct of doing that.
Joe Cozzupoli [00:03:22]:
So I think the good, the good ones will actually say the outcome first by the 4 billion threats we blocked, not we blocked 4 billion threats by XYZ widget, XYZ tool. And this saved us X amount of dollars or increased our productivity of our analysts by, you know, 20%. So they should lead with that and then say the how. But the why is the most important. And sometimes you don’t even need to say the how. And they probably don’t even want to hear it. But we do have some semi technical people now in, especially in the coming generations, they’re not going to be all grumpy old board members, right? They’re actually going to be in the field or around the field at least. And it’s been on the news a lot.
Joe Cozzupoli [00:04:10]:
So you just got to read the room, right? But the good ones will lead with the outcome and the why. And then if it comes to it, talk about the how.
Karissa Breen [00:04:20]:
So when you say good ones, would you say, given your tenure in the game, would you say most people that are at that level who are in the boardroom talking to these people, they are the good ones? Or would you say like it’s kind of 50, 50, there’s some good ones. And look, we’re not saying the other people are bad, we’re just saying maybe their social skills could be improved.
Joe Cozzupoli [00:04:40]:
I’m not saying they’re bad at all. They’ve kind of maybe come up through the ranks, starting as a SOC analyst, going into the weeds, staying in the weeds, leveling up to be an architect, leveling up to be a manager, leveling up to then eventually, maybe, a CISO.
Karissa Breen [00:04:53]:
Right.
Joe Cozzupoli [00:04:54]:
So they’ve kept their technical chops and I’ve got my technical chops and I’ve got a mixed range of technical chops. Not all in cyber. I’ve done infrastructure and cloud as well. So it’s been able to then. And I think it’s a skill that you can’t teach. Just probably takes practice. There’s lots of books and courses, obviously, but it just seeing that when you actually hit a nerve and make an impact by the language you talk, not just what you do and what the tools have done, it’s about translating that to the field. So when I say the good ones and they’re not necessarily the bad ones, they just.
Joe Cozzupoli [00:05:27]:
That’s just what they know. So it’s about maybe mentoring them and yeah, I would say 50 50. And it’s getting better. There has been a lot of talk and, you know, on social media and in the field, at events, at, you know, soft skills are becoming one of the most important tools. And that definitely had that switch definitely flipped during COVID when we were all online. I think soft skills became a big skill to have because you’re just talking over video in those, you know, couple of years and even now, right, everyone’s hybrid still. Most people are still hybrid. So soft skills is, you know, at the forefront now and one of the most important skills to have.
Karissa Breen [00:06:08]:
So have you ever been in a boardroom where some cyber person said something, not thinking, and it’s completely triggered the board? Like, whether they’re stressed, they’re alarmed, they’re confused. Have you ever seen that in terms of someone said something bringing forward their technical chops to your point, and then completely just lost people? Yes. But they felt, wow, I have no idea what this guy’s talking about. And what he’s saying sounds really scary once or twice.
Joe Cozzupoli [00:06:36]:
And it was intentional. That one time I did say there was an intent to do that. They were trying to do the FUD, the fear of, you know, unknown. But yeah, it’s rare because what they think is and what they know is a heart attack moment.
Karissa Breen [00:06:54]:
Right.
Joe Cozzupoli [00:06:54]:
A big alert moment, like a big thing that’s happened. The board’s kind of gone, okay, what does that mean for us? Type thing. So, yes, I’ve seen on one or two occasions where they have actually alerted the board to take action. And that was because it was a peer in the industry that the issue occurred with. So it wasn’t just, oh, this happened to Optus or this happened to Medibank, and it wasn’t relevant to them. It was something very relevant to them. And that actually caused even some of the board members to call their peers and ask actually for more details.
Karissa Breen [00:07:29]:
Right.
Joe Cozzupoli [00:07:29]:
It wasn’t named because you can’t obviously name other peers, but they kind of put the pieces together.
Karissa Breen [00:07:35]:
So I want to talk about assurance now when I ask you that question. So, for example, if you go to a doctor, I’m not a doctor, say, hey, my arm hurts, I’ve been, I don’t know, working out a lot. What do you think it is then? Obviously, at times, doctor, use their technical terminology, which we as patients don’t understand, then they’ll say, okay, well, now you got to go to see these things, and I’m seeing this sort of thing on your X ray and they’re going to take this medication that’s super long and all these sort of things. But they give you that extra layer of assurance. Yes, they talk in their vernacular, but then they sort of tell you, okay, well, what does that mean to you as the patient in terms of the discourse in which they operate in. So talk me through about how do people out there give that assurance towards like, yes, they have to talk about certain terms to be able to communicate that this person knows what they’re talking about, of course. But they also have to remember to switch it to another gear to be like, okay, well, how does this impact you? What does this mean for you as a board member, all those sort of things to provide that assurance?
Joe Cozzupoli [00:08:35]:
Well, again, it’s talking about the why. And so the why would be we’ve saved X amount of dollars or we prevented X risk or we reduced the risk. So you talk about the why. And in that there might be some technical terms that you do have to say because you can’t actually help it sometimes.
Karissa Breen [00:08:54]:
Right.
Joe Cozzupoli [00:08:55]:
A firewall’s a firewall. You can’t say a big shiny box that says yes or no.
Karissa Breen [00:08:59]:
Right.
Joe Cozzupoli [00:08:59]:
You need to say what it is.
Karissa Breen [00:09:01]:
Right.
Joe Cozzupoli [00:09:02]:
But then you need to explain that because we’ve done this, that’s what happened. So that’s because we need to do this, because this isn’t. This is in the budget. Because if we don’t do this, then if you look at company X, it could happen to us as well, and then look at what happened to their reputation, and that’s what they’ll care about, obviously, because that impacts the stock market and that impacts everything. So, yes, you need to act like that good doctor that doesn’t jump to conclusions either, because there are some doctors that jump to conclusions. And you go in there with a migraine and they say, oh, it could be a brain tumor. Like, some doctors will do that and some will have more EQ and say, well, let’s do a scan.
Joe Cozzupoli [00:09:44]:
Have you taken. Have you tried Nurofen? Have you tried X? Have you tried Y? But let’s do a scan because, you know, we want to catch it early, and if we catch it early, then you. Everything’s going to be okay. All right, so that’s what you kind of need to say. Like, if you do this, we catch it early and then everything will be okay. But it’s not, as you know, with Cyber, it’s never 100% secure and it’s never 100%. That’s it. It’s finished, stopped.
Joe Cozzupoli [00:10:07]:
We can go home, don’t worry about it. It’s always evolving, and especially with AI threats. Yep. I had to say AI, it’s ever spinning wheel.
Karissa Breen [00:10:16]:
So, Joe, just moving on, maybe 2 millimeters. You say speaking the language of risk. Now, I want to get into this a little bit more because, you know, a lot of people are sort of saying we’re gonna speak the language of the board and the risk and, you know, all this sort of stuff we’ve already discussed here today. But what then would you deem as the language of risk in terms of, is there specific words, is there a specific tone that people have to use?
Joe Cozzupoli [00:10:43]:
Yeah, like to me, when. When I hear that and how I think about it is it just ties technical risk? Cause we’re in a technical field. So it ties technical risk, technical issues back to the business. So that means talking about dollars, hours, customers affected. It means being clear about what we know, what we assume, and how confident we are. And most importantly, you know, every risk should be a statement that ends with what decision do we need to make, who owns it and by when? That’s the language of risk outcomes, not acronyms.
Karissa Breen [00:11:18]:
I’ve also heard that some cyber folks now, over the course of my interviews over the years, people have sort of said a lot of these cyber people don’t really know how their business makes money. Right. And by doing that means you can reverse engineer it by, okay, we make money by selling pool equipment or whatever. It may be something super basic. Right. That’s how they generate the revenue. And then, of course, you’ve got to protect it. But there’s people like yourself come on the show that says people in these cyber divisions don’t actually really know.
Karissa Breen [00:11:46]:
So it’s really hard for them to talk about things and contextualize things like the dollars and this sort of stuff. Have you seen that in terms of a gap?
Joe Cozzupoli [00:11:55]:
Yes. And going back to an earlier point, the. Well, astute and bit more, maybe experience, maybe more of a mixed experience in the field will know just to do their research. It’s just basic research. Even when you’re applying for a job, okay, what does this company do? What’s their. How do they make money, what would they see is their risks, who are their peers in the industry, et cetera. So it’s about just doing that basic research and then when you’re writing your reports, when you’re doing your boardroom reports. Board reports, you want to tie everything back to that, to the core of the business, the vision of the business.
Joe Cozzupoli [00:12:29]:
Yeah. Right. So you want to tie impacts to what outcomes to what’s most important to the business. So if they’re a pool cleaning company, then you’re not going to talk to them about, I don’t know, share prices for investment banking or something?
Karissa Breen [00:12:41]:
Right.
Joe Cozzupoli [00:12:42]:
You’re going to talk to them about, okay, well, the outcome is going to. If we get impacted by our cyber, you know, breach, then that could mean our retail is down, our shops are down. So then that means we can’t sell stock or if our distribution center gets attacked, somehow our inventory system gets attacked, then how are we going to be able to service the stores that sell our stock? Not. Oh, but what’s going to happen if it moves, you know, it could move 10 cents to our share price. For investment bankers type thing, you got to relate and you got to tie it back to the business and to their vision statement and to their mission statement too.
Karissa Breen [00:13:21]:
So would you say, given what you’re saying, what I’m hearing is that at times people lack context. Context being, hey, like you don’t need to go on about stuff in the financial services because we’re in the retail sector. So yes, whilst that’s important, we should be across it and it’s an adjacent thing to us, but it doesn’t really impact us in terms of context. To convey messages to board members, for example.
Joe Cozzupoli [00:13:42]:
Yes, exactly. And that comes back to what I do at Cosive. Right. So there’s a trillion threat intelligence feeds coming into everyone’s SIEM and SOC. So my job is to, when we talk, when I talk to the C suite or to cyber executives, it’s about, okay, what we can do is we can find. Tune your threat intelligence platform to only have the feeds that are relevant to you and to your industry, your vertical, not banking when you’re in retail, or vice versa.
Karissa Breen [00:14:12]:
Right.
Joe Cozzupoli [00:14:13]:
So context is again, back to that soft skill as well. Just reading the room, having the context in your report, in what you say, on what level you’re talking to, whether it’s board, whether it’s SOC analyst, that, oh, yeah, that that alert isn’t important when it could be.
Karissa Breen [00:14:31]:
Right.
Joe Cozzupoli [00:14:31]:
So yeah.
Karissa Breen [00:14:32]:
Do you think as well that at times people just try to boil the ocean with all of the risks? So it’s like, yes, okay, like at the end of the day I could go out, get hit by a car. As we’ve all heard that saying, I could go out, you know, a random alligator where I live in Florida attacks me. That can happen. Probably rare though. Right. So the thing is, do you think at times cybersecurity practitioners just have this thing for just trying to say everything, cover all bases, all of the things, when it’s like we actually have to roll this up a little bit more, understand what’s realistically going to happen. And yes, all of the things could happen. But there is a, there’s a scale of and there’s a spectrum.
Karissa Breen [00:15:09]:
But do you think people, I’ve just seen people get in the habit of just trying to tell you every single thing and then as a result, people are overwhelmed by hearing 50 different thousand sort of routes to potential risks.
Joe Cozzupoli [00:15:19]:
Definitely. And that goes back to one of my earlier points about they try to use fear to get their budget, to get their point across, to get approvals. So they think if they put every single fear and threat under the sun as their context, that’ll get. Oh, people will stand up and listen to them. Right, stop and listen to them. When it’s not. It needs to be relevant. That’s what’s going to make the most impact.
Joe Cozzupoli [00:15:42]:
Because yes, in that 10 seconds, 30 seconds that you’re talking to someone about that, then they’ll walk away and go, hang on. But that isn’t really important to us. Has he even, have they even read the risk, our risk register or risk statement, you know, in the business to say what’s important to us, what’s our risk appetite? So, yes, definitely. And that probably comes back to the. Yeah, the more old school cyber professionals, the house of no, the department of no mentality where, well, they have to listen to us because all these things can happen. Look what happened to customer X, look at what happened to customer Y. So definitely that’s changing, hopefully.
Joe Cozzupoli [00:16:22]:
And again, there’s more. And I talk around that as well as the whole soft skills thing. And that comes back to soft skills too, because around soft skills isn’t just how you talk. It’s about reading the room, it’s about having the context and it’s about talking the right language at the right layers.
Karissa Breen [00:16:39]:
So just to double click on this a little bit more. Did you say someone does that? No context. Trying to say all the things. Doesn’t, isn’t. Wasn’t super prepared. Doesn’t that get people offside? So what I mean by that is obviously in a podcast I’m actively listening to you, I’m not on my phone in the background, all that sort of thing. I can tell when someone’s in an interview because I’m sitting beside people all the time doing these sort of things that they’re not listening because they’re not asking like follow up questions. They’re not doing certain things that can get the interviewee offside.
Karissa Breen [00:17:06]:
So don’t you think that people just not doing the rudimentary basic research, contextualizing things so make sense that gets their somewhat counterparts but they’re, you know, higher ups, annoyed to be like, well why are we paying this person? Because they actually made me feel worse after going from the meeting than before because they just didn’t make it easier. It’s convoluted, it’s all over the shop. Like I’ve seen that a lot as well. So do you think people think about if I don’t come into this prepared, headshotting, exactly what I’m going to say. Not just, you know, scattergun, wherever I’m going to get these people to probably not like me and therefore when they don’t like me, could get rid of me. Or they’re probably not going to give me any money for the division that I need.
Joe Cozzupoli [00:17:51]:
Or even worse, they’re going to bypass security and involve us in projects early on. They’re going to come and bring us in late just to say, well hurry up, hurry up, CEOs waiting, sign it off. CFOs already signed it off. Don’t block us now. Just read the document and let’s go. Right, so that’s even worse, right? So yes, you might not be liked, but if you might not be liked for the right reasons because you’re giving context and that because of that you slow down a particular project, that’s okay, you actually help with the business and that’d be appreciated later. But if you just come in, scattergun, nuclear bombs, come in, whatever, right? Then they’re going to be like, oh Joe again. Yeah, look, is there a way we can just get sign off? He’s just going to say no.
Joe Cozzupoli [00:18:35]:
Like he’s going to come and say it’s no, you can’t do that, it’s too risky. And then you might lose your job at the end of that, obviously. But worse, is he there? And you’re not listened to, you know, you’re not appreciated because you’ve got the wrong view, you’ve got no context. You’re seen as someone that doesn’t research, doesn’t think thoroughly, isn’t willing to step back three steps to say, okay, hang on, let’s look at the big picture of this and put the right context in. So all those things you said are true, that you might not be liked or you won’t be liked, you won’t be respected as much. But then also, what’s worse is the whole security department could be bypassed at times because they’re just going to say no anyway. Let’s just give it to them last minute. We won’t involve them early as in part of the project to help us through the project, instead of a quick sign-off before the CFO.
Karissa Breen [00:19:21]:
So I want to get into that side of things because they’re the person with the money bag and the money bag is the one that brings in vendors and services and all the people’s pay rises and all the good things people like to talk about. So my brother in law was a CFO of a retailer back in the day, so I heard his view over the years. So I’m keen to maybe understand: they care about, primarily speaking, how the business burns money and how it makes money. It’s their job, they got to control that so the business doesn’t go bankrupt. So how would you say, with what you do, what sort of language or what are some of the tactics that you’ve used to really get this CFO over the line? Because they’re a numbers person, right? And sometimes there’s overlap in terms of how brains think with security people and CFO sort of people because it’s numbers. But there’s still that lack of context because they don’t understand, hey, why is this apparent firewall company costing us a million bucks a year? I don’t even know what it does. But then if you try to explain it to them to the nth degree to justify the cost, it’s like, okay, I’m bored, I’m lost.
Karissa Breen [00:20:25]:
Like, even when people ask me really rudimentary things outside of the security space, they’re like, oh, you’ve lost me and I’m not even getting into Some of the intricate details that these people that are buying these products and services have to get into. So this has been a big one that I’m always very curious about. So I want to understand your thoughts.
Joe Cozzupoli [00:20:41]:
So the CFO cares about cost, right? So they do cost benefit analysis. They’re accountants, they work out, okay, how many pennies does this translate to and what does that translate to for the business as a whole. So when you’re talking about, say, a firewall renewal or a SaaS cloud product that’s got a three-year license renewal review coming up, again, it goes back to the why, but the why is in: okay, well, this is going to cost us X amount of dollars if this happens. And the chances of this happening is 70%; if we implement this, it could, it’ll come down to maybe 40%. Yes.
Joe Cozzupoli [00:21:20]:
It’s not 100% because you explain to them that nothing in cyber is 100% truth.
Karissa Breen [00:21:26]:
Right.
Joe Cozzupoli [00:21:27]:
But we’re reducing the risk by 30%, which could then tie back to later costs or damages. And I’m not a CFO. I don’t know all the language that they talk. But you just want to try and at least come to a common ground and common language to say, look, by implementing these firewalls, we’re going to reduce the risk of this happening by 30%. That’ll translate to a 30% saving because your productivity is better. There’s less overtime that may be needed if there is a breach.
Karissa Breen [00:21:59]:
Right.
Joe Cozzupoli [00:21:59]:
So you could think, you can talk in that sense. That would be the best way to do it. But also another avenue I like to take is socialize it. Instead of being all formal, talk to someone in accounting, in procurement that you know: how does a CFO take this? What would their view be of this? You know, how would be the best way to present this to them? And I’m big on the whole socializing before, you know, formalities, to get those pre-approvals to make sure everyone’s on the same page before it’s all rubber stamped and ready to get approvals from the C suite. So I encourage my clients to do that too, if they can. That’s a, within technique because then you’re already speaking the right language. Because every CFO could be different too. One could be very much more accounting focused.
Joe Cozzupoli [00:22:45]:
One could be a bit more business focused because they might have ambitions to be CEO eventually.
Karissa Breen [00:22:50]:
Right.
Joe Cozzupoli [00:22:51]:
So they need to be more business minded instead of just being an accountant. So you need to again, read the room, like other CISOs. Some are more technical than others. All right, so it’s about coming back again to the right language at the right layer that everyone can understand. You can get your point across, you can get your approvals, you can get things moving.
Karissa Breen [00:23:11]:
So I want to move on now and discuss sort of how would you turn intel into risk statements and sort of, what does this look like? Help me. I want to visualize it.
Joe Cozzupoli [00:23:21]:
Yeah, sure. So threat intel on its own is just noise, a list of bad things happening in the world. To make it meaningful, I run it through a filter: does this matter to us, our assets and our controls? So again, like I said earlier, there’s 50 trillion feeds coming into everyone’s SIEM and SOC, and you need to make it relevant to them. So then I reframe it as a scenario to the business that the business can understand. So, for example, instead of a new credential sniffing campaign, I’d say if attackers kept hitting our customer portal with stolen logins, we could see account takeovers that disrupt orders and customer trust. So from there, I would show what the exposure looks like in time, money and impact and lay out clear options with costs, benefits and timeframes. That way, leaders aren’t just reading about threats, they’re choosing between paths.
Karissa Breen [00:24:18]:
Got it. Okay, that makes sense. And so do you think as well that you said before around noise, do you think too many people are just focusing on the noise and not thinking about the other stuff? It’s like, oh, we’re just too busy looking at the threats and responding to them and all the things that everyone’s got to do day to day, they’re not thinking a little bit beyond that to be like, well, at the end of the day, these threats, intel is here to inform us to make decisions or not make decisions. So do you just think that people just too wrapped up in their day to day rat race, doing the things rather than zooming out and thinking strategically, well, why am I doing this and what’s the purpose of doing it?
Joe Cozzupoli [00:24:55]:
So obviously, a SOC analyst, that’s their job. Whatever’s in front of them, they have to act on. So you can’t blame them. You can’t, you know, say that. It’ll be more the owner of the threat intelligence platform within the business.
Karissa Breen [00:25:08]:
Right.
Joe Cozzupoli [00:25:09]:
They’re the ones that should be going, okay, how do we optimize this? What do we need to do to uplift our platform to make it the most relevant to us? So then our analysts aren’t spinning wheels all day for 70% of things that don’t matter to our business or our industry.
Karissa Breen [00:25:25]:
Right.
Joe Cozzupoli [00:25:26]:
Because it might not just be our business, it could be retailers getting attacked and specific retailers being attacked versus, yeah, the 3 trillion feeds coming in.
Karissa Breen [00:25:36]:
Right.
Joe Cozzupoli [00:25:37]:
So the higher you get, the more strategic they need to be thinking. They can’t think about how they used to be analysts five years ago, this is what I would be doing. It’s okay, how do we make it better for the business? Because then how do I go up to my manager and say, well, we need to look at, you know, using a CTI program or a MISP platform, or we need to get some consultants in to help us optimize our platform and program, because, you know, it’s hard to be internal and think you need to optimize it, because it’s all in front of you and it just becomes noise and you’re too busy. Because the analysts can’t just sit there and go, oh, let me filter that out. Oh, that isn’t relevant. They need to look into it first.
Joe Cozzupoli [00:26:15]:
They need to investigate and then they can make that decision. But that’s hours, right? That could be hours before they get to that. And that’s just one.
Karissa Breen [00:26:22]:
Right.
Joe Cozzupoli [00:26:23]:
So it’s more the threat intelligence owner, platform owner in the business needs to work with their peers in cyber because, remember, threat intel is a component of cyber, but it’s the actual intelligence part of it. So that lets all the other tools that they’re using and controls they’re using function in the most optimal way, or it’s the brains of the cybersecurity program, I say. So they need to work with the other peers within their cyber team and with a CISO to work on that optimization of their platform because it impacts everyone else.
Karissa Breen [00:26:57]:
So have you seen that when whatever you want to call it, people still have that analyst mentality and as a result, perhaps they’re not thinking strategically. Have you seen that in your career?
Joe Cozzupoli [00:27:08]:
Yes, definitely. When you put it in context to them and tell them in a way that you need to, you know, you’re not going to be able to get approval for this. Because when you go to your manager, whether it’s a CISO, whether it’s a cyber security ISM, whatever, like a level below the CISO, they go, oh, here we go, we got a proposal for some consulting to help us with our cyber CTI uplift, they’re going to be like, what?
Karissa Breen [00:27:36]:
Why? Right?
Joe Cozzupoli [00:27:37]:
Because they don’t then have the context to explain it, like I’ve just said, because they’ve been in the weeds for so long as an analyst. And they’ve moved up, they progressed because they’ve been hitting their KPIs or whatever it is. But it doesn’t mean they’ve learned to think strategically. And that’s just a journey in life. That’s just what people will work out, hopefully, eventually. So there I kind of coached them to say, look, this proposal is to do this, but this is what you need to kind of say, and I’m happy to come with you in your meeting with your manager to go over the proposal together and help give that context for you. But really, you need to be able to say that because you might get pulled in by the CISO to explain. And again, you need to explain in a strategic way to them because then they’re the ones that go to the board and ask for it.
Joe Cozzupoli [00:28:28]:
So, yes, I’ve definitely seen it.
Karissa Breen [00:28:30]:
So, Joe, you say show decisions, not dashboards. What do you mean by that?
Joe Cozzupoli [00:28:35]:
So dashboards are great for awareness, but boards don’t want to stare at a sea of red, amber and green. What they need is a choice. So instead of a dashboard, I give them a one pager that says, here’s a scenario, here’s the potential business impact. Here are three options with the cost, the risk reduction, and how quickly each can deliver value. And then here’s my recommendation based on those options. That’s the difference. You’re moving from information to action. You’re translating the intelligence of the dashboard into actions, actual actionable outcomes for the board.
Karissa Breen [00:29:12]:
Good, because of how people digest the problem, and people sort of respond with, what are our options? I mean, if they sort of come back and say, well, there’s none, or I haven’t thought about it, then that’s probably a worse place to be. So by saying, perhaps, the scenario, which is what you mentioned before, and hey, this is the thing, this is what we’re dealing with, this is what I, in my position, know about it, and this is what I would recommend, like the options. And then this is sort of, you know, options 1, 2, 3, and this would be my recommendation as to which option would be best. Do you often find that people go against the recommendation that you’ve provided, or are they sort of very confident to say, well, hey, Joe, you’re the expert?
Joe Cozzupoli [00:29:55]:
Some, not everyone, but some will take more convincing than others. And then again, it depends on your reputation. From a previous question, talking about the house of no and always being a no person and a scaremonger type person, then you’re not going to be able to; they’re not going to treat your recommendation seriously. If you’ve got a reputation where you explain the context of the business, translating your technical jargon into business language, I find that more people do listen. It is hard to say, here’s my recommendation, because then you’re putting your head on the chopping block, so to speak, and it’s hard to tell clients to do that. But they need to be confident. And if they’ve done their research and all their data is correct and they’ve thought things through, then, you know, they should be confident.
KB [00:30:42]:
Right.
Joe Cozzupoli [00:30:43]:
So it comes back to the confidence when you do present it, and then confidence in yourself to put your reputation on the line. You’re putting your head on the chopping block. So, again, I don’t have a problem with it if I’ve had enough time with the client to do that for them. But, yeah, it all comes down to confidence and reputation internally. And yes, some might need more offline discussions. We’ll take this offline, for example, or again, like I always suggest, socialise it first before you put anything formal in a meeting. Socialise things over a coffee, over a quick chat, to say, hey, look, this is what I’m thinking. These are the options I’m thinking about.
Joe Cozzupoli [00:31:22]:
Do they make sense to your part of the business that, you know, I’m going to be talking about with your boss?
Karissa Breen [00:31:29]:
I get what you mean around the chopping block. It was just me thinking of the other side, if you’re in that position. So if you’re advising the CFO, it’s sort of part of the job, though, isn’t it? So if you’re not willing to put a recommendation forward or stand behind it, then should that person be in that role? Like, I get it. No one wants to feel like, oh, my gosh, we made the wrong decision. I totally get that. But then it’s like, do you really want someone who’s leading your security practice that isn’t confident in their decision making?
Joe Cozzupoli [00:31:57]:
No, obviously you don’t. And some people will stop at, here are the three options with the cost, risk reduction and how quick, so time to value. And they’ll stop at that and then they’ll go, okay, CFO, based on the risk numbers, you make the decision and I’ll stand behind you for that.
Karissa Breen [00:32:14]:
So would you say that’s the best approach, though?
Joe Cozzupoli [00:32:16]:
No.
Karissa Breen [00:32:17]:
And the reason why I say that, it’s kind of like a mechanic making a decision for a doctor, for a patient. Like, yes, you’ve given some options, but they’re not the most informed person on the matter.
Joe Cozzupoli [00:32:26]:
So I would definitely always say, you know, give a recommendation of the three and just go there with confidence, because everything will be okay too. If you’ve done all your research, you’ve got all the data, like I said, you’ve put everything on paper, even outlining the cost and risk reduction numbers and all those numbers, you’ll be able to clearly see what the most logical recommendation is. But put your name on it, and that gives it credibility, and then that gives everyone else confidence. So I definitely don’t recommend that, but I’ve seen it happen, where they’ll stop before “here’s my recommendation”. They’ll just give the data and say, here you go, this is what we’ve come up with, this is what we’ve researched. Most times that won’t get past the CFO that way, because they’ll be like, well, tell me which one.
Karissa Breen [00:33:09]:
Well, I think that’s fair, because that’s like the security person making a decision on the CFO’s job. Like, you may have some basic understanding, but you can’t make an informed decision. So is that something where the industry needs maturation? Like, yes, okay, make the recommendation, but I need to stand behind it and actually say, no, this is what we need to do, because I’ve got 20 years of experience in the game and I’ve now worked across all these industries and consulting and gone around the world to advise people. Like, do you think there’s enough of that sort of conviction, perhaps, from people?
Joe Cozzupoli [00:33:42]:
I’ve seen mixed results. Right. It depends on the industry too. If they’re very risk averse, they will be more hesitant to do that. If they’re more relaxed in that sense, and maybe more knowledgeable themselves, they’ll be more than confident to do it. But it definitely needs to improve. And it doesn’t mean they’re going to accept your recommendation either. They might go, okay, that’s your recommendation.
Joe Cozzupoli [00:34:03]:
Thanks. But as a CFO, I think I’m going to go on what the cost is. Right, so then that’s another issue. That’s an “I told you so” issue. Hopefully not, but, you know, it could be a possible “I told you so” issue. So we can all say, you know, here’s my recommendation and this is what we should be doing. But it doesn’t mean they will. So that’s another conversation too.
Karissa Breen [00:34:23]:
So then, Joe, I’m curious to understand what you mean, what you were saying to me, about reporting. Like, what do you mean by “report in a cadence, cadence calms”?
Joe Cozzupoli [00:34:31]:
Yes. So going back to that fear mongering. So, you know, boards and executives get nervous when reporting is inconsistent or unpredictable. Right. They don’t know what they’ll hear from you, or if every update looks different, they lose confidence. Cadence calms is about giving them a steady rhythm, going with the rhythm of the business, as you say. So weekly for operational teams, monthly for executives, quarterly for the board. All in the same format, using the same measures, the same trends over time and, importantly, no surprises.
Joe Cozzupoli [00:35:06]:
If something urgent does come up, they should hear about it right away, not, oh, that’s two months away in my update.
KB [00:35:13]:
Right.
Joe Cozzupoli [00:35:14]:
They don’t wanna hear it for the first time when they’re in there. So when reporting is consistent and predictable, leaders feel confident that the cyber risk is under control. And that’s your job as a CISO, to give them the confidence and calm that everything’s under control. That’s why I’m here.
KB [00:35:29]:
Right.
Joe Cozzupoli [00:35:29]:
That’s why you’ve hired me.
Karissa Breen [00:35:31]:
And so would you say that at times that’s definitely lacking, but it’s moving in the right direction?
Joe Cozzupoli [00:35:37]:
Yes. And that comes, obviously, with feedback. Right. So some, you know, the board will at times be like, well, look, last time you came and saw us, or even when the ops manager came and saw us, he gave us totally different metrics and charts. Why? Like, what happened to the other stuff that you just showed us last month or last quarter? So is that gone now? Are we starting again? Right, so it comes, obviously, with maturity, with feedback. But yes, it definitely is improving, and things are always evolving in cyber and in IT, in tech. So that’s why it is more important to be consistent too. It just calms the waters.
Karissa Breen [00:36:19]:
So Joe, do you have any sort of closing comments you’d like to leave our audience with today?
Joe Cozzupoli [00:36:24]:
So from boardroom to whiteboard, translate signals into scenarios, tech risks into outcomes, and provide options and own the decisions. And in terms of, you know, threat intelligence, that becomes a business capability, not a report. It becomes a well tuned crystal ball of what could possibly happen if you use it properly. Not just the crystal ball that shows everything happening in the world. So context is number one in whatever we talk about, who we talk to and why we’re talking to them, any projects that we’re doing, any purchasing that we’re recommending, etc. It has to come with the context of the business, with risk in mind and all the other boardroom concerns: time, money and outcomes.