CISOs: To Build Cyber Resilience, Start with Your People

Four C-level cybersecurity executives sat down at the recent FAIR Conference for a panel discussion on what they’ve learned about resilience during the pandemic. You’d think that making technology resilient would have been top of mind – in fact, the focus was mostly on making their people more resilient.


FAIRCON21

C-Level Panel - How Risk Management is Helping Companies Be More Resilient during Digital Transformation

Moderator: Omar Khawaja, CISO, Highmark Health

Betty Elliott, CISO, Freddie Mac

Mary Elizabeth Faulkner, CISO, Thrivent Financial

Harold Marcenaro, Digital Risk Officer, BCP

FAIR Institute members can watch the video of this FAIRCON21 session in the LINK member community. Not a member yet? Join the FAIR Institute now, then sign up for LINK. 


Here are four insights from the session:

1. In a crisis, look to people ahead of technology resilience

The challenge was not the technology, said Betty Elliott: “The technology was the easy part; it’s really developing appropriate processes as it relates to our people.” Processes should build motivation and reduce friction, said Harold Marcenaro. “We learned the key is in reducing friction to change, with training, templates, codes inserted.” Maintaining motivation was critical in the face of the distractions and pressures of work from home, Mary Elizabeth Faulkner said.

2. Open new channels of communication 

Mary Elizabeth and Omar both introduced new meeting formats to air staff concerns. “It took me changing my leadership style to be more vulnerable,” Omar said, as in “I know what’s on your mind and I don’t have a good answer for it but…we’re working on it.”

FAIRCON21 C-Level Panel (photo), clockwise from top left: Omar Khawaja, Mary Elizabeth Faulkner, Betty Elliott, Harold Marcenaro.

3. Take it one step at a time

“Being able to stretch without breaking” was imperative, said Omar. His motto: “Relentless incrementalism is our ultimate weapon.” He recommended that CISOs put their staffs through a resilience assessment (CISA offers one) so that they train to be “responding not reacting” to crises.

4. Focus on corporate strategy, not infosec resilience strategy

“The big thing COVID did was clarify what the priorities were,” Omar said, “get the employees to safety and deliver services to our customers safely. When you are so unified on the mission, the execution that comes is just phenomenal.” Harold added that his team was able to align with the corporate mission, “because we use FAIR to estimate loss exposure and that’s the value of the initiatives that we propose for risk management, and that gets prioritized with other business initiatives through the same OKR process.” 

Register now at no cost to view all the sessions from the FAIR Conference on video.
