I have been accepted to co-present at RSA 2019 in San Francisco in March along with my dear ex-colleague Andrew Rose (Vocalink CSO and 2018 European CISO of the year). The topic: “The Fine Art Of Creating A Transformational Cybersecurity Strategy.” I will take the opportunity to not only present but also publish research on this topic. To that end, I would love to know two things from you:

  • If you were attending RSA (or any presentation on this topic), what would you want to get out of such a presentation or discussion?
  • Input into some (or all) of our questions below!

It’s my first time speaking at RSA Conference, so I am already a bit excited, nervous, overwhelmed, thrilled, and terrified all at the same time. Your support and input will be so valuable as always, but especially for this.

Before I start with my questions: Why did we choose this topic? As a former director of cyberstrategy, this continues to be a topic that I’m very passionate about. Both Andrew and I have seen strategies make or break security programs. We’ve seen strategic CISOs being able to uplift security from a low-level, technical topic to one that is well funded, respected, and has board visibility — but we’ve also seen many CISOs struggle to know how to articulate and sell a strategy. A strong strategy is a must, and the process of creating it is ultimately just as important.

We all have different experiences in this space, and all of them are valid and important. It would be great to get an overview from practitioners who’ve done this well, those who’ve made mistakes, and those who have seen it done well and poorly. So these are my questions:

  • What does a cybersecurity strategy mean to you? Is it a document? A philosophy? An architecture?
  • A cybersecurity strategy needs to be risk-aligned, forward-thinking, and business-enabling. This may sound like a platitude, but making it a reality can make or break a strategy. I’m curious to hear your thoughts. Do you agree or disagree with the importance of these elements? How have you created such a strategy (or seen it done successfully)?
  • What are the personal and professional qualities required of CISOs leading transformations and strategies?
  • How important is a mission statement in creating your strategy? What would you say is crucial in a mission statement?
  • What have you found to be the best ways to focus, align, and prioritize your strategic efforts?
  • What challenges have you encountered in developing and selling a cybersecurity strategy? How have you overcome them?

If I can help you in any way in that presentation, or subsequent research, I would love to do that.