Thanks Marc! Glad you enjoyed!

Remember a world class CISO has world-class security engineers that report to them. You don't need to be a world-class security engineer to be a CISO. And here's the big problem. If you do something for 12 to 15 years, you are really, really good at it. You are so good at it. That's ingrained in what you do. And it is habits that are very difficult if impossible to break. So if you've been doing security analysts and engineers for 12 to 15 years, that's what you know, that's what you love. That's your comfort zone. So most not all, but most people that have security engineers for 12 - 15 years make terrible CISOs because they go in and continue to be a world-class security engineer. Now, is it possible for you to break the habit? Is it possible for you to become strategic and trust your team and not yourself as the world-class expert? Yes, but it's really, really difficult to do, to be a world-class CISO. You are so good at it. That's ingrained in what you do. And it is habits that are very difficult if impossible to break. So if you've been doing security analysts and engineers for 12 to 15 years, that's what you know, that's what you love. That's your comfort zone. So most not all, but most people that have security engineers for 12, 15 years make terrible CISOs because they go in and continue to be a world-class security engineer. Now, is it possible for you to break the habit? Is it possible for you to become strategic and trust your team and not yourself as the world-class expert? Yes, but it's really, really difficult to do, to be a world-class CSO. You need to speak business, but you don't need to be the business expert. That's the CEO, that's the COO, they're the business experts. You just need to speak the language to translate cyber into business terms, and if you're a CISO, you need to speak security, technical language, but you're not the expert. You need to rely on your team to do that. You're going to have a world-class team around you. So typically the best CISOs out there are the ones that have three to five years experience in security. They have some exposure to business and they're comfortable in both. They haven't built bad habits in either, and they can very flexibly go back and forth between those two roles.

Boy are you mistaken...I have never met a CIO, CTO or CISO that spent 15 years in the trenches....ever. Most have an elementary education about IT....if anything they know more about leadership, strategy and business acumen. Your way of thinking is inaccurate and outdated 😂

You have now, @anthonyharmon9265. CISO here. 12 years doing helpdesk, network admin, and network engineering, then over to audit and security ops, then security consulting. I've worked with plenty of CTO/CIO/CISO who have spent a TON of time doing dev, operations, even hardware design. I have NEVER met a CTO with an "elementary knowledge" of IT....every one I have ever worked with has a deep knowledge of dev or cloud. My "way of thinking" is what got ME in the C-suite, as well as many others I know. One of us is wrong about what C-suite tech folks know, and I don't think it the one of us actually IN the C-suite (me).@@anthonyharmon9265

So to me, when it comes to these risk assessment models, I like to keep them simple. Now, if you're doing it correctly, there's two things. First, everything from a business standpoint is ultimately going to come down to the monetary impact of the business. Even nonprofits make money and even government organizations have to justify their budget. So ultimately everything in business is going to come down to money. So when we look at things like reputation, guess what, why are we concerned about reputational impact? Because it will hurt the brand. It will hurt customers. It will hurt referrals, which ultimately hurts the revenue for the company or the dollars. So all of these other things that would talking about when you're talking about, objectives and obligations and mission, and all of those things are ultimately important because the mission objectives and reputation of the organization is ultimately, what's going to allow your brand. So ultimately all risk is calculated with dollars, because guess what? That's the ultimate language of business. If you go in to your CEO or executives and you say, well, there's risk that could hurt us. Our objective, Eric had hurt our mission or could hurt our reputation. Ultimately, what they want to know is what is going to be that impact in dollars and cents. If I, you go in and say, Oh, we're going to impact our mission. It's going to be really, really bad. Well, what does really bad mean? Well, it's going to cause us to lose $20 million. Okay? Notice it ultimately comes down to dollars. So that that's one thing to remember as being a world-class chief information security officer, that the language you speak, you're a translator later, you speak tactical for the security team and you speak business for the executive team.

Great advice Dr. Cole - makes sense, thank you!

Thanks for tuning in weekly Theicebergx!

Thanks Benjamin :)