Cybersecurity businessman and writer Chris Moschovitis discusses communicating the value of cybersecurity to the board and business functions of an organisation
With the increasing convergence of data privacy and cybersecurity, information security leaders must pragmatically align their programs with business strategy, regulatory requirements and stakeholders’ expectations.
Business of Infosec caught up with Chris Moschovitis, author of Privacy, Regulations, and Cybersecurity: The Essential Planning Guide, who, ahead of his keynote presentation at CISO Brisbane 2022, shared some of the critical steps infosec leaders must follow to achieve that.
Chris Moschovitis has an impressive background with expertise in strategy, governance, privacy, IT value creation and cybersecurity value preservation.
When he started his own company, the Technology Management Group (TMG), in 1989, its focus was on security from the very beginning. By the early 90s TMG had amassed dozens of floppy disks infected with the very first versions of viruses! By the early 2000s, the company had expanded and opened one of the first cyber practices in the managed IT space in New York.
The Value of Cybersecurity: Enable, Protect, Grow
Moschovitis believes that the most important issue around privacy and cybersecurity is the disconnect between business and technology operations.
“It is impossible to build resilience unless we find a way to speak a common language: The IT people, the cyber people, the risk people, and the businesspeople. Unless we are all aligned, we are exposed, and our efforts will fall short,” he says.
Moschovitis says his team’s ability to help others achieve that alignment comes from its cross-functional skills and its ability to bridge all aspects of the business, from strategy to operations, technology, cybersecurity and privacy.
“We bring everyone together using something we all understand: the value of our work, the critical nature of our assets, the necessity to protect our people, our clients, and our value generating capacity,” he says.
Sharing Responsibility and Driving Collaboration
Trying to communicate the value of cybersecurity to an entire organisation can be challenging. If the board is complacent about cybersecurity, cybersecurity leaders may need to emphasize risk and what is at stake.
Moschovitis illustrates this with one of his favourite sayings: “If you want your board to worry about fire safety, burn the building across the street!”
“Arson solutions aside, we emphasize to our clients that cybersecurity is a common responsibility. Any organisation that sees it differently is destined to face serious challenges. The days of working in silos, ‘fail often,’ and ‘damn the torpedoes – put it out there and see what happens!’ are over.
“Isolation results in fragmentation, experimentation without controls needlessly exposes assets, and carelessness and disregard of best practices can, and frequently does, result in bankruptcies and criminal prosecutions.”
When asked what advice he has for other leaders embarking on cybersecurity projects, Moschovitis says to plan a lot and expect delays.
“When I was building my house, a wise contractor told me two things: ‘Measure twice and cut once,’ and ‘Whatever your timing estimate is, multiply it by three!’”
“Both are applicable in cybersecurity,” he adds. “Many times, we find companies exaggerating their reactions and wasting money with nothing to show for it.
“Spinning up a cybersecurity program always, always, always, takes a lot longer than the business hopes. Setting expectations properly from the beginning is key. Staying pragmatic and respecting The Work (capitals intended) is the only way to success!”
Taking a Practical Approach to Privacy and Cybersecurity
Moschovitis will be delivering a keynote presentation on where privacy, regulations and cybersecurity meet at the upcoming CISO Brisbane 2022 conference, taking place at Hilton Brisbane on the 6th of September.
He will share invaluable steps on how to identify goals, communicate with executive teams, align and partner with IT, value privacy assets, assess threats and vulnerabilities, account for environmental considerations (cloud, IoT, distributed workforce), select controls, respond to incidents, address the people side of cybersecurity, and manage the program.
The union of privacy and cybersecurity is one of the most important business and societal developments of our time. During his presentation, Moschovitis will discuss what privacy means, literally and legally, how to protect it, and how to make sure that business and social goals are attainable in a way that respects your data, your metadata, and your security.
“Equipping our cybersecurity professionals with privacy understanding and expertise, in a world where such expertise is scarce, is the way forward. My presentation will explain the issues, draw boundaries, and demonstrate ways to manage both cybersecurity and privacy programs effectively,” he says.