Learn to effectively deliver business aligned cybersecurity outcomes
In The CISO Evolution: Business Knowledge for Cybersecurity Executives, information security experts Matthew K. Sharp and Kyriakos “Rock” Lambros deliver an insightful and practical resource to help cybersecurity professionals develop the skills they need to communicate effectively with senior management and boards. They assert that business-aligned cybersecurity is crucial and demonstrate how business acumen is put into action to deliver meaningful business outcomes.
The authors use illustrative stories to show professionals how to establish an executive presence and avoid the most common pitfalls experienced by technology experts when speaking and presenting to executives. The book will show you how to:
Perfect for security and risk professionals, IT auditors, and risk managers looking for effective strategies to communicate cybersecurity concepts and ideas to business professionals without a background in technology. The CISO Evolution is also a must-read resource for business executives, managers, and leaders hoping to improve the quality of dialogue with their cybersecurity leaders.
Page count: 587
Year of publication: 2022
Cover
Title Page
Copyright
Dedication
Foreword
Preface
Acknowledgments
Introduction
Part I – Foundational Business Knowledge
Part II – Communication and Education
Part III – Cybersecurity Leadership
PART I: Foundational Business Knowledge
CHAPTER 1: Financial Principles
Opportunity
Principle
Application
Key Insights
Notes
CHAPTER 2: Business Strategy Tools
Opportunity
Principle
Application
Key Insights
Notes
CHAPTER 3: Business Decisions
Opportunity
Principle
Application
Key Insights
Notes
CHAPTER 4: Value Creation
Opportunity
Principle
Application
Key Insights
Notes
CHAPTER 5: Articulating the Business Case
Opportunity
Principle
Application
Key Insights
Notes
PART II: Communication and Education
CHAPTER 6: Cybersecurity: A Concern of the Business, Not Just IT
Opportunity
Principle
Application
Key Insights
Notes
CHAPTER 7: Translating Cyber Risk into Business Risk
Opportunity
Principle
Application
Key Insights
Notes
CHAPTER 8: Communication – You Do It Every Day (or Do You?)
Opportunity
Principle
Application
Key Insights
Notes
Part III: Cybersecurity Leadership
CHAPTER 9: Relationship Management
Opportunity
Principle
Application
Key Insights
Notes
CHAPTER 10: Recruiting and Leading High Performing Teams
Opportunity
Principle
Application
Key Insights
Notes
CHAPTER 11: Managing Human Capital
Opportunity
Principle
Application
Key Insights
Notes
CHAPTER 12: Negotiation
Opportunity
Principle
Application
Key Insights
Notes
Conclusion
Index
End User License Agreement
Chapter 2
TABLE 2.1 Mapping of InfoSec Projects to Leading Measures and Business Goals
Chapter 3
TABLE 3.1 The Six Sources of Influence Applied to Phishing Defense
Chapter 4
TABLE 4.1 Factors by Investor Type
TABLE 4.2 Relative Comparison of Strategic Initiative Value
TABLE 4.3 Relative Comparison of Strategic Initiatives
Chapter 5
TABLE 5.1 Impact of Variations by Term & Discount Rate
TABLE 5.2 Summary of Costs
TABLE 5.3 Summary of Benefits
TABLE 5.4 Summary of Costs
TABLE 5.5 Summary of Costs and Benefits
TABLE 5.6 Net Present Value Calculator
Chapter 7
TABLE 7.1 When New, Emerging, or Changed Risks Occur
TABLE 7.2 Likelihood and Impact Matrix
TABLE 7.3 Impact, Likelihood, and Risk Exposure Scale
TABLE 7.4 Linking KRIs with KPIs Source
Chapter 10
TABLE 10.1 Adaptive Leadership Examples
Chapter 11
TABLE 11.1 Managing Across Generations. Data sourced from Purdue Global “Gen...
TABLE 11.2 Cognitive Bias in Cybersecurity
TABLE 11.3 Cost-Benefit Analysis of Employee Training
Chapter 1
FIGURE 1.1 Connections Between Three Financial Statements
Chapter 2
FIGURE 2.1 The Business Model Canvas
FIGURE 2.2 The Generic Value Chain
FIGURE 2.3 Logicworks' Business Model Canvas
FIGURE 2.4 Three-Year ROI for Consolidated Audit Program
Chapter 3
FIGURE 3.1 Flowchart of The Scientific Method
FIGURE 3.2 The Six Sources of Influence
FIGURE 3.3 Letter Grade
FIGURE 3.4 Vulnerability Details
FIGURE 3.5 Overall Phishing Responses Over Time
Chapter 4
FIGURE 4.1 Valuation Methods
FIGURE 4.2 Drivers of CISO Satisfaction
FIGURE 4.3 Common Valuation Methods
FIGURE 4.4 Equity Value Drivers
FIGURE 4.5 Optimizing Risk, Value, and Cost for Security Readiness
Chapter 5
FIGURE 5.1 Incremental Cost Curve
FIGURE 5.2 9 Box of Controls
FIGURE 5.3 Common Stakeholders
FIGURE 5.4 Hypothetical Influence Map
FIGURE 5.5 Social Media Post from Industry Thought Leader
FIGURE 5.6 Password Management Solution Comparison
FIGURE 5.7 Summary of Costs and Benefits
Chapter 6
FIGURE 6.1 Risk Appetite, Risk Tolerance, Limits, and Triggers
FIGURE 6.2 Risk Profile Showing Tolerance
Chapter 7
FIGURE 7.1 Penetration Testing, Red Teaming, and Threat Hunting Overlap
FIGURE 7.2 Cyber Risk Portfolio View Rollup
FIGURE 7.3 Linking Objectives to Strategies to Risk to KRIs
FIGURE 7.4 Notes employees of Norsk Hydro encountered when arriving to work ...
Chapter 8
FIGURE 8.1 Path to Action
Chapter 11
FIGURE 11.1 CliftonStrengths Themes
FIGURE 11.2 Myers-Briggs and Cybersecurity Personality Types
FIGURE 11.3 Global Cybersecurity Workforce Compared to Global Total Workforc...
FIGURE 11.4 DILBERT
MATTHEW K. SHARP
KYRIAKOS P. LAMBROS
Copyright © 2022 by Matthew K. Sharp and Kyriakos P. Lambros. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Cataloging-in-Publication Data
Names: Sharp, Matthew K., author. | Lambros, Kyriakos P., author.
Title: The CISO evolution : business knowledge for cybersecurity executives / Matthew K. Sharp, Kyriakos P. Lambros.
Description: Hoboken, New Jersey : Wiley, [2022] | Includes index.
Identifiers: LCCN 2021044404 (print) | LCCN 2021044405 (ebook) | ISBN 9781119782483 (hardback) | ISBN 9781119782506 (adobe pdf) | ISBN 9781119782490 (epub)
Subjects: LCSH: Chief information officers. | Computer security. | Management information systems—Security measures.
Classification: LCC HD30.2 .S5325 2022 (print) | LCC HD30.2 (ebook) | DDC 658.4/038011—dc23
LC record available at https://lccn.loc.gov/2021044404
LC ebook record available at https://lccn.loc.gov/2021044405
Cover Design: Wiley
Cover Image: © Wahyu Hermawan and Mark John N. Madriaga of 99Designs
This book is dedicated to:
Matt's wife and son, Luz and Aleco
Rock's wife, Mary
They provided us with unlimited love and support in this journey.
Welcome to an incredible period of change in cybersecurity – what an amazing time to be in this field!
In the chapters that follow, two of the industry's leading critical thinkers divulge the skills and knowledge a cybersecurity leader must acquire to successfully build a modern-day cybersecurity program. To get the job done they combine personal stories, practical knowledge, and intimate case studies.
My colleagues Rock Lambros and Matthew Sharp will challenge us to think about cybersecurity on a new level. They encourage us to contemplate managing our cybersecurity programs differently, through a business lens. What's more, they offer us the tools to make that transition a reality.
With 40 years combined industry experience across many verticals, I'm confident you'll find the following pages rich with key insights about building, sustaining, and maintaining your cybersecurity program. I can't think of two more qualified practitioners to lead the charge in shaping how we must evolve our approach to aligning cybersecurity programs with business objectives.
Rock and Matt offer profound insights into how organizations should design, adapt, and embrace cybersecurity best practices to ensure business alignment. Gone are the days of selling your security program through Fear, Uncertainty, or Doubt (FUD). The era of digital business will require executive presence to claim your seat at the table.
The success that has brought you to your current role is a good start. I'd like to disrupt your assumptions and inspire a deliberate review of what you need to survive in the middle of the cybersecurity jungle. I would encourage you to consult this timeless, universally applicable reference in your journey forward.
The CISO Evolution: Business Knowledge for Cybersecurity Executives is not only your survival guide – it's a blueprint for the aspiring cybersecurity leaders of tomorrow. The concepts in this book are proven through multiple industries. As life learners, Rock and Matt hope to ignite a spark in you; meanwhile, their courage coupled with their commitment to give back to our community was the driving force that led to this seminal work.
The only constant with our field is change, and the rate of change continues to intensify. If you think you've seen it all so far; I'm here to tell you we've not seen anything yet. The future holds boundless uncertainty!
How do we stay current? More importantly, how do we embrace this change while ensuring alignment with the business?
The answer is The CISO Evolution: Business Knowledge for Cybersecurity Executives.
As you read this book, please keep in mind that most businesses are trying to move at the speed of innovation. We need something radically different. Rock and Matt are the industry experts prying open a new door to an unexplored path that will make us think differently about our cybersecurity programs.
Demetrios Lazarikos (Laz)
3x CISO, 30+ Year Security Veteran
Business and Technical Advisor
Co-Founder, Blue Lava
To know and not to do, is really not to know.
—Stephen R. Covey
Go to enough conferences, and a clear pattern emerges. A few industry leaders have the courage and presence to impart wisdom. Yet, most of the industry is an echo chamber of platitudes. Maybe you've heard a hollow statement from a so-called expert. These throwaway phrases reveal nothing, yet our colleagues masquerade behind them as thought leaders. The most insipid example, “Speak to the business in business terms.” For too long we have allowed one another to nod in agreement while behind the scenes we consistently fail to apply this wisdom and execute. This book provides a roadmap so that you can start asking the right questions, making the right investments, and delivering outcomes that matter.
The first generation of CISOs learned that with confidence you can cast cybersecurity as a black art that cannot be measured. Eventually, the anecdotes and hopeful statements weren't enough. Business leaders soon learned that cybersecurity knowledge is only part of the job. So, we have arrived at an inflection point. We can do better. We must do better. It's time to evolve.
The challenges of information sharing in our field are well known, along with the talent crunch. To cultivate the future leaders of our profession we must exhibit the courage to be vulnerable, as people. Cryptocurrencies, IoT, and the public cloud will accelerate the demand for safe computing. Future economies will rise in cyberspace. The wars of the information age will be fought and won digitally. Competition is no longer about company versus company. Instead, bundles of services and the most effective supply chains dictate the winners and losers of commerce. Courage is the path forward. It won't be easy; it will require that we circumnavigate the legal constraints, licensing restrictions, fear, and self-preservation that have prevented the requisite knowledge sharing and talent development. We fought back each of these dragons in the process of publishing this book.
With the stakes higher than they have ever been, Rock and I hope to share our experience as builders, operators, and consultants. We are both experienced CISOs and MBA graduates. We have supported leaders who failed to convince their businesses of the importance of cybersecurity risk. We have lived these symptoms:
Failure to garner trust from executive leadership
Misaligned expectations around risk appetite and capital allocation
Misperception of cybersecurity's role in business
Demoralization of your team in the face of cyber risk acceptance
Increased stress and anxiety from managing an underfunded program
As authors, we see the world through different lenses. We disagree in our politics, our management styles are varied, and we think this phase shift in values and approach will benefit you as the reader. Path dependence is when the decisions presented to people depend on their historical experiences. So, we complement each other in the diversity of our experience and the order of our career transitions. Rock was an operator for years before starting his own consultancy. In contrast, I spent years in consulting before I was entrusted with the responsibility of operating a security program. Indeed, the world looks different from the vantage of a vendor versus that of an end user. You are treated differently, welcomed or not into circles of peers, and so the lessons you learn, the relationships you build, and the soft skills you hone are a product of your path dependence.
With this book, we created a streamlined business reference that is tailored to cybersecurity professionals. It will equip you with insights curated to develop your business acumen, communication, and leadership skills. The chapters expand upon the content often delivered in MBA programs. Each of these capabilities is required by the modern CISO.
We provide you with the tools you need to evolve from a technical leader into an effective cybersecurity executive. Each chapter is packed full of specific, practical advice and real-life stories to help you communicate with business leaders, establish an executive presence, secure cybersecurity budgets, protect what matters, and not only enable, but also accelerate business outcomes.
By contributing our mistakes and experience, we hope to fuel your success and stimulate more forthright dialogue in our industry. If you find value in this book, we'd love to hear from you. And if you disagree, take issue, or find room for us to improve, we'd love to hear from you too!
You can find us at www.CISOEvolution.com, or on LinkedIn:
Matthew K. Sharp – https://www.linkedin.com/in/ciso-mba/
Kyriakos “Rock” Lambros – https://www.linkedin.com/in/rocklambros/
We are grateful to all the people who helped us bring this project to life.
We thank our families that encouraged us and took on responsibilities we could not in the early mornings, long nights, and weekends spent to realize this book. Thank you for reviewing our early drafts, providing your guidance on the logo and cover, and creating space week after week. Thank you for your empathy through the challenges we faced and the mounting stress as the deadline for our final manuscript approached. Thank you for your reassuring words, patience, and believing in this book as we conquered each new surprise. Most of all, thank you for your hugs and for your loving support. Without them, this book would not have been possible.
We thank the many individuals who invested their time to help review and refine the manuscript. The perspectives gained from CEOs, equity investors, industry analysts, consultants, MBA professors, and the many CISOs and cybersecurity professionals who contributed surely improved the accuracy and relevance of our content.
We want to express specific gratitude to Kenneth Ziegler, Brian Ahern, and Lisa Xu, who helped in reviewing various chapters, offering revisions and insights and examining content from a CEO's perspective. Karan Saberwal, Shaun Gordon, and Michael Lee were generous in extending their expertise as equity investors. Paul Proctor has been an inspiration for years. His work at Gartner continues to push the industry forward, and we were lucky enough to benefit from his passion and commitment to emphasize the most important ideas in our text. Timothy Galpin added his perspective with years in M&A consulting and more recently in academia as a professor and academic director. Dave Hannigan and Caroline Wong were reviewers of our book proposal as we pursued a publisher and later contributed as valued reviewers. Their perspectives as cloud and application security pioneers, experienced operators, and mentors have been invaluable. Malcolm Harkins's expertise as a successful Fortune 50 CISO and later entrepreneur has been a beacon, especially during our formative years in the profession. Marilyn Daly for her support in considering the impact of our words from a variety of unique perspectives. Demetrios Lazarikos for his generous time writing the foreword and being a dedicated mentor in cybersecurity and entrepreneurship. The Lean CISO group not already mentioned here: Philip Beyer, Russell Eubanks, Alex Kreilein, Sean Martin, and Jasper Ossentjuk for their friendship and for supporting physical and mental health throughout an unprecedented year.
We thank them all for their guidance and the time each individual invested as it doubtlessly improved our book.
We thank those who gave us permission to quote them, contributed graphics, extended our professional networks, and encouraged our work. Chris and Kristine Laping, Tage Tracy, Craig Fletcher, Stefan Peter Roos, Steven Martano, and Ryan Freilino: we thank you for your willingness to support this project.
We thank the authors and experts who came before us. In many cases, we merely extended their theories, research, and formulated thoughts, or shared our experience putting their ideas to work throughout our careers. In most cases, we are bridging others' content into the world of cybersecurity. The Notes section at the end of each chapter does a great job of capturing the people who inspired us in this regard. Without their deliberate contributions this body of work would not have been possible.
Finally, we thank Richard Seiersen for his introduction to our publisher. And we thank our team at John Wiley & Sons for seeing the potential of this project: Susan Cerra, Sheck Cho, Samantha Enders, Michael Isralewitz, Beula Jaculin, and the countless others behind the scenes.
In the foreword and preface we got aligned on the challenges our industry faces, our motivations for writing the book, and a bit about the authors. To help you use this book as a reference in your day-to-day experience, we'll now review the structure of the book and offer a summary of each chapter.
First note that the book has three parts. So, if you plan to read the book front-to-back the flow is natural and the content is cumulative. Chapters at the back of the book assume you are capable of financial analysis, business cases, and other topics covered early on.
In our view, it was important to first establish requisite Foundational Business Knowledge in Part I. That is where you will learn key vocabulary, basic financial formulas, and business strategy tools. We will also review business decision models, valuation methodologies, and business case development. Each chapter (or class) includes one or more case studies to apply the knowledge you've learned. That's true throughout the book, and also true in any MBA program. What is different here is that our case studies are developed through the lens of the CISO, rather than the strict business perspective that surfaces in MBA curricula.
Equipped with a common foundation of business knowledge and clear examples of how to apply the core concepts, we move on to Part II – Communication and Education. Here you can expect a review of how to leverage COSO, an enterprise risk management framework, to ensure cybersecurity risk fits into the broader context of business risk management. Remember, cybersecurity risk is another risk that needs to be addressed along with financial, operational, strategic, legal, and compliance risk. Just as market, credit, and liquidity risks are types of financial risk, there are subcategories of cyber risk too. So, Part II is the connective tissue that ensures cybersecurity risk is properly framed and prioritized.
Finally, assuming a foundation of business concepts and the proper governance structures for treating cybersecurity risk are in place, you need to lead a team and execute according to the priorities you have established and the projects you have funded. In Part III – Cybersecurity Leadership we review techniques for attracting and retaining talent, and finally negotiation skills that will help you navigate interactions with your employees, colleagues, investors, regulators, and outside vendors.
Now that you know how the book is structured, it's also important to understand how the chapters are structured throughout the book. Through personal stories we outline the opportunities we feel are most relevant at the very beginning of each chapter. Then we introduce theory or research in the Principle section. Next, each chapter extends theory with an Application section that features one or more illustrative case studies. In some cases, the names or details were adapted to protect the innocent. Finally, each chapter is summarized with a Key Insights section that draws out the salient lessons we hope you learn. There is also a Notes section provided at the end of each chapter that outlines supporting research and reference materials.
We recommend that before you read a chapter, you read the Key Insights and examine the Table of Contents. Since we cover many high-level frameworks quickly, this approach will be helpful to keep you oriented in the chapter and book. It's also a speed-reading technique. The following paragraphs provide a summary of each chapter.
Chapter 1 – Financial Principles. This chapter builds your knowledge of financial statements, reviews connections between each statement, offers free resources for further study, and features two case studies that relate cybersecurity operations to accounting rules and financial statements. Read this chapter to solidify your understanding of EBITDA, CapEx, OpEx, Retained Earnings, and Net Income along with other fundamental vocabulary and accounting concepts.
Chapter 2 – Business Strategy Tools. In the second chapter, we introduce business models, KPIs, and value chains. Other topics include board composition and systems theory. We provide a case study to demonstrate the use of the business model canvas. There are two additional case studies that feature value chain linkages to create competitive advantage. One case study features optimization while the second focuses on coordination. Read this chapter for tools that will help you dissect your business's strategy, understand the supply and demand dynamics of your company operations, connect to primary business measures, and optimally position cybersecurity as a source of competitive advantage.
Chapter 3 – Business Decisions. Our third chapter explores how business decisions are made. Decision-making can be improved with an awareness of the biases and noise that commonly afflict us as human beings. We cover a lightweight application of the scientific method to enhance learning. From there, we dive into decision science and choice architecture frameworks. We briefly examine the use of an influence model, and then we finish the chapter with two case studies. The first case study examines various applications of the decision science framework in the context of a hypothetical new CISO scenario. In the second case study we apply choice architecture to phishing defense.
Chapter 4 – Value Creation. The fourth chapter is all about business valuation. We naturally start by defining what we mean by value. Then, we examine the critical attributes of value. Next, we explore how those attributes surface in determining business valuations. Additionally, we examine investor types, means of return, valuation methodologies, and common value drivers. The application section covers the core concepts in a case study that applies security strategy in the context of business valuation for a hypothetical beverage manufacturer.
Chapter 5 – Articulating the Business Case. To get the fifth chapter started, we review several important cost concepts including incremental, opportunity, and sunk cost. From there we explore a communication framework, and two financial analysis methods: cost benefit analysis and net present value. Finally, we close out the chapter with three case studies. The first examines a successful budget request for password management, and the second applies cost benefit analysis to the same project. The final case study leverages a Monte Carlo simulation to examine possible net present value outcomes of a revenue-generating opportunity resulting from delivery of security services.
Chapter 6 – Cybersecurity: A Concern of the Business, Not Just IT. In Part II, we will build upon Part I and introduce additional tools that transform cyber risk issues into enterprise risk dialogue. This chapter starts to break down the COSO framework. It lays the foundation for elevating cyber risk conversations to enterprise risk by focusing on the first two guiding principles of COSO:
Governance and Culture
Strategy and Objective Setting
At the end of this chapter, the case study relives one of the author's greatest regrets and warns of the consequences of failing to establish a robust governance structure.
Chapter 7 – Translating Cyber Risk into Business Risk. Chapter 6 discussed establishing a cyber risk management program's foundation using COSO's first two guiding principles. This chapter expands upon those foundations and focuses on executing the cyber risk program and rolling up cyber risk into a portfolio view of enterprise risk that executive leaders, and the board, can use to make business decisions. To do this, we will align with the final three risk management components of COSO:
Performance
Review and Revision
Information, Communication, and Reporting
The case study reveals how the author helped an organization align its cybersecurity program to its enterprise risk management efforts. This ultimately highlighted previously unknown risks and secured additional funding from its board of directors.
Chapter 8 – Communication – You Do It Every Day (or Do You?). This chapter challenges you to examine how you communicate. It provides a structure to improve communication for the explicit purpose of advancing a cybersecurity program. We close this chapter by expanding upon the case study in Chapter 7. We take you into the boardroom to eavesdrop on the conversation between the author and the board of directors.
Chapter 9 – Relationship Management. You cannot operate in a vacuum. A robust cybersecurity program relies on individual technical skills and interpersonal relationships. Read this chapter to master the four key skills of relationship management: maintaining trust, indirect influence, managing through conflict, and professional networking. We conclude with two case studies. The first demonstrates how some humble pie is the remedy to establishing greater trust. The second case study shows the importance of a professional network as the author transitioned from being an operator to an entrepreneur.
Chapter 10 – Recruiting and Leading High Performing Teams. The cybersecurity skills gap is well documented yet hotly debated. However, as a leader, you must ensure you have the right people in the right roles at the right time. This chapter will dive into methodologies we utilized to attract, retain, and lead high-performing teams. The case study walks through the perils of combining a bureaucratic hiring process with an inability to implement the hiring practices we advocate for in this chapter. The same case study then walks through what it was like to get “baptized by fire” in servant leadership.
Chapter 11 – Managing Human Capital. Read this chapter for specific tools to baseline strengths, critical considerations in managing a multigenerational workforce, the importance of training, the criticality of diversity, and cognitive biases to be aware of that may surface in our day-to-day jobs. The case study applies the cost-benefit analysis technique outlined in Chapter 5 to demonstrate the actual value of training and the true cost of eliminating it from a constrained budget.
Chapter 12 – Negotiation. In this penultimate chapter, we focus on adapting the skills from Chris Voss (a former FBI hostage negotiator) as featured in his book Never Split the Difference: Negotiating As If Your Life Depended On It. There are countless negotiations you perform every day. If you can be successful in your negotiations while preserving your relationships, you have what it takes to generate cultural change. The chapter concludes with a case study on building security culture and application security using the negotiation techniques introduced.
Conclusion. We conclude the book with a heartfelt note of gratitude and an optimistic eye toward a brighter future. Engage us online at www.CISOEvolution.com.
Embrace Reality and Deal with It.
— Ray Dalio
It's easy to get distracted by how you think things should be. Yet, it is critical to understand how they really are. Early in my career, I often identified ways that would make my work more efficient. When there was a dependency on resources I didn't have, I usually stewed in frustration about how stupid the people were who designed such a flawed system in the first place.
It wasn't until years later that I learned optimizing all parts of a system does not necessarily optimize the system itself. You see, every organization has a mission and limited resources. Today, nearly all organizations in the modern economy deliver value through technology. However, not all organizations and leaders agree upon the importance of cybersecurity.
As a cybersecurity leader, it's your job to educate, build consensus, and secure necessary resources. Organizational mission and cybersecurity goals must be aligned. I think Malcolm Harkins said it best: “We provide protection that enables information to flow through the organization, our partners, and our customers. We protect the technology that our organizations create to provide new experiences and opportunities for our customers.”1
Now, imagine for a moment you are on vacation and you've decided to travel internationally. The country you're visiting speaks another language. You've done your part to learn a few keywords before your arrival, so you have the basic vocabulary. You can count to 10, you can ask about the time, and you know different words that indicate modes of transportation.
There you sit in the terminal at the bus station, and the time comes for your bus to leave. You make your way to the platform and discover – no bus. Of course, you don't know if you missed the bus, if it is late, or if they simply changed the platform. When you turn to ask a passerby, they don't speak your language. You go back to the information desk and ask for help. The attendant offers hints at what to do through gestures, but you remain a bit uncertain. The attendant tells you what you can only make out to mean “The bus will come 8.”
What does that mean? Bus #8, platform 8, at 8 p.m., in 8 minutes – there's no way to be sure because neither of you possesses adequate language.
It is precisely this experience that happens worldwide as companies decide how much they should invest in cybersecurity. Without a foundational understanding of accounting and financial principles you are unlikely to succeed in securing the appropriate resources required so that you may effectively protect and enable your organization.
What is also true is that business leaders speak the language of business. They are dependent upon you to communicate about your topic of expertise, cybersecurity, in a language they can understand.
This concept isn't new – we've been hearing about it for several decades now. You'll encounter the phrase “speak in business language” in professional journals and conferences alike. Yet, there seems to be very little information available to outline the critical vocabulary and concepts that cybersecurity practitioners need to secure their “seat at the table.”
The focus of this first chapter is to establish critical vocabulary and fundamental business knowledge. We will briefly overview several terms only to the extent required to understand their application. Naturally, these terms have been covered in detail elsewhere. When possible, we will point to our favorite resources. These resources emphasize cheap or free, easy to consume, and available in a convenient format. That should help you dig into various topics that pique your interest or prove weak points in your knowledge base. We think you'll pick up a few of the most valuable nuggets right here in this very first chapter, so resist your temptation to skip forward.
To get you started, I'll share the approach I used to structure my pursuit of business acumen. At the time, I was a consultant, and a high percentage of my work weeks included commuting by plane to a customer site.
That's where I learned about Josh Kaufman's The Personal MBA (https://personalmba.com/), which touts “A world-class business education in a single volume.” Since I am perhaps the slowest reader in the world, I decided to expedite my knowledge acquisition by leveraging getAbstract (https://www.getabstract.com/), which, as of this writing, claims to contain “the key insights of 20,000+ nonfiction books summarized into compelling 10-minute reads.” These were a great start, but ultimately, I obtained an MBA because I wasn't confident that my cursory review was sufficient. We hope this book can be an alternative, serving as a shortcut to the long nights and imbalance that a master's degree can impose on your personal life.
Conceptually there are relatively few things you need to master from this chapter. You need to know a handful of vocabulary words, how to read and understand financial statements, and how to apply them to your role as a cybersecurity leader. The good news is – that's it – from an accounting and finance perspective!
It is worth mentioning that later in the book, we'll continue to infuse these foundational business concepts with other topics intended to develop more complete business acumen, including Part II – Communication and Education and Part III – Cybersecurity Leadership. So let's dive in with our first topic.
There are three financial statements. The Income Statement offers a window into profit performance on a specific date. The Balance Sheet describes the financial position comprised of assets, liabilities, and equity at a particular point in time. And finally, the Statement of Cash Flows describes what cash came into the business and what went out in a given period (typically a quarter or a year).
As with any complex topic, it can be helpful to start at a very high level and then pursue a more nuanced understanding. To get started, we're going to review the critical elements of an income statement:
Revenue
Cost of Goods Sold (COGS) / Cost of Revenue
Gross Profit (GP)
Sales, General and Administrative (SG&A) Expenses
Earnings Before Interest, Taxes, Depreciation, and Amortization (EBITDA)
Depreciation Expense
Amortization Expense
Earnings Before Interest and Taxes (EBIT)
Interest Expense
Income Tax Expense
Net Income (Bottom Line)
The order of each item conveys a story. A few items appear in gray. They are not required and, therefore, may not be present in all income statements. However, you can always calculate them from the information available. The elements in gray often serve as metrics that have a significant influence on behaviors in business. Let's cover each of the items and reveal the story they tell.
First, we start with revenue, which can often be called the top line. Revenue is essentially the amount of money that the company received for the sale of its product or services. Without revenue, you can't pay for any of the expenses that follow, so this is a great place to start. Some companies focus on Net Revenue. You can calculate it by subtracting discounts, returns, and allowances from revenue.
Depending upon your business model and perhaps the economic sector, there are often compelling arguments that a cybersecurity leader can make about how their team contributes to enhancing revenue acquisition. Accelerating revenue is especially true for software or SaaS companies serving highly regulated industries, as their customers undoubtedly have significant compliance obligations. One good indicator is if your cybersecurity team is helping sales complete diligence questionnaires for your customers and prospects. If so, then you are certainly part of the sales cycle and serve as an advocate of revenue acquisition. Third-party risk management (TPRM) is undoubtedly a complicated endeavor that may seem duplicative and, at times, even unproductive. Do not fall prey to the trap.
Instead, embrace your role here. More sales activity means more revenue to fund operations – including cybersecurity operations. TPRM also gives you a view into revenue sources, what types of customers you will soon serve, and what value expectations exist. These insights can help you anticipate demands on other areas of your security program.
Next, we see the term COGS, which only makes sense in a company that produces a physical product. In a services (or software) business, you are more likely to see the term cost of revenue. It means the same thing, but the terminology is a bit different. There are all kinds of nuanced language with financial statements that mostly get us to the same outcome. Start with what your customers paid you, subtract the costs, and determine what remains for retained earnings, future investment, or dividends.
Suffice it to say that there are generally accepted accounting principles that specify what expenses you must group and where they must appear in the financial statements. COGS / cost of revenue includes raw materials, shipping costs, sales commission, and direct labor costs.
If your business is not primarily in the delivery of cybersecurity services or software, you probably don't have a role to play in this line item. However, you may be able to augment funding sources or support the cybersecurity program by partnering with other business stakeholders with a heavy COGS expense concentration. It may be easier to obtain security champions in other teams that perhaps establish a dotted line reporting structure. Partnering in this way can be a great source of operational leverage by ensuring more consistent security outcomes but requiring less of your direct managerial attention.
Gross profit (GP) is the profit a company makes after removing the costs associated with manufacturing and selling its products or delivering its services. You calculate GP by subtracting the COGS from revenue.
Note that gross margin is a commonly used and very similar term. Frequently people (incorrectly) use it interchangeably with GP. In short, gross margin is a percentage value, while GP is a monetary value. They both represent the resources available to invest in your business and accelerate growth after you have directly delivered upon your commitment to your customers.
To calculate gross margin:
Margin profile can be a value gate in deriving a company's worth. That is to say, some business models anticipate a high gross margin (SaaS, professional services, etc.) while others will not (such as an electronic components distributor, value-added reseller, airline, etc.). Either way, you want to be clear on gross margin expectations. Ask your financial planning and analysis (FP&A) team if you don't already know.
Some costs can be difficult, if not impossible, to assign to specific revenue-generating activities directly. These are things like rent, phone, utilities, and salaries for shared services such as Legal, IT, and Cybersecurity. They all frequently fall into the category of Sales, General, and Administrative (SG&A) expenses, and this is why cybersecurity is often a “cost center.” For now, just know that no enterprise cost reduction or transformation effort is complete without some consideration of SG&A expenses. Note that SG&A may also appear under the title operating expenses.
One way to calculate Earnings Before Interest, Taxes, Depreciation, and Amortization (EBITDA) is by building up from the bottom of the income statement. Starting with Net Income, we'll add each item to derive our final value, or we can start with the top line and subtract.
OR
We'll go into business valuation in much more detail in Chapter 4 – Value Creation. For now, it's essential to know that using an EBITDA multiple is one of the most common methods for valuing a company. EBITDA is particularly useful to investors as it provides a more transparent view of financial results. Unfortunately, accounting methods selected (for depreciation in particular) can enhance profits artificially. Using EBITDA helps expose the underlying cash generating profile of the business. In any given year, there are one-time expenses that may impact EBITDA. The goal is not to make you an expert in calculating EBITDA (leave that to your accounting and finance departments). Instead, the purpose of reviewing the formulas is to offer you an awareness of the relationship each of the income statement line items has with the metrics your company executives care about most.
In the course of operating a business, assets wear down or become obsolete. Obsolescence applies to both tangible and intangible assets. For example, servers may break down over time, and a company can only legally enforce intellectual property rights, such as patents, for a limited number of years. Because assets have useful lives that frequently last longer than one accounting period, accountants reduce the value of these assets over their estimated service lives. The term depreciation applies when the asset is tangible, such as furniture or computers. Similarly, accountants use amortization when an asset is intangible.
Earnings Before Interest and Taxes (EBIT) is similar to EBITDA. In this case, we pull the depreciation and amortization expenses back into the picture. Operating profit accounts for the Capital Expenditures that span more than one accounting period and therefore reflects the profit or loss resulting from operations more accurately. Investors examine operating profit to separate a company's operational performance from the costs of the capital structure and tax expenses.
OR
Interest expense reflects the payable liability resulting from any borrowing management has done to fund operations. It is often evaluated outside the operational analysis and is called a nonoperating expense. Interest expense includes loans, lines of credit, bonds, and any type of convertible debt. There is often very little that cybersecurity teams can do to affect the interest expense.
The government collects taxes to finance public services or national programs. One source of funding that contributes to these services is income tax. So, a tax expense is a liability owed to the government. Again, cybersecurity teams cannot impact the tax expense materially.
Net income is what you have left after you have subtracted away everything you spent. For that reason, it is also known as the bottom line. As you will see, net income connects to retained earnings, which is the cash a company keeps to finance further operations. The relationship becomes much more apparent in the Connections Between the Financial Statements section later in this chapter.
If by this point you are feeling pretty good, then, by all means, keep reading. If you're feeling a little uncertain or unsettled about your mastery of the materials, spend some time settling in with these concepts. Here are several great resources to help you close the knowledge gap:
http://www.responsive.net/Accounting.skills.html
http://www.accountingcoach.com/
http://accountingexplained.com/financial/introduction/
A balance sheet offers a view into the capital structure or how an organization finances its assets through a combination of debt and equity. A simple formula summarizes the information contained on the balance sheet:
Maintaining the company's financial condition includes ensuring that it has enough cash and controlling liabilities relative to assets and revenues. The financial state is primarily a Chief Financial Officer (CFO) responsibility.
One standard financial ratio on the balance sheet is the Debt-to-Equity (D/E) ratio. A heavily leveraged company will have a relatively high D/E ratio. Meaning, the company has borrowed a lot to finance operations. Typically, analysts compare a D/E ratio of one company to another company competing in the same or similar industry.
That is to say, comparing the debt-to-equity (D/E) ratio of a high-growth SaaS technology company to an energy company wouldn't be an informative analysis. The risk profile, stability of revenue, equipment required to operate, and borrowing costs will be very different given the risk to lenders for each of these very different business models. In my experience, the only time I ever considered any of these balance sheet topics was in deciding to take the job or not. Even then, the issue surfaced indirectly via a line of questioning: “Do I have a budget? How is it funded? What control do I have over it?”2
While the balance sheet is essential to company managers, it is not typically a driving force in conversations outside of one key element that appears indirectly on the balance sheet – Capital Expenditures.
Capital Expenditures (CapEx) are expenses that a company capitalizes. That means it records expenses on its balance sheet as an investment rather than on its income statement as an expenditure. This process was touched upon briefly in the Depreciation and Amortization section. Again, for clarity, assets have useful lives that last longer than a given accounting period. So, accountants reduce the value of these assets over their estimated service lives. This value appears as a depreciation or amortization expense, which is a fraction of the actual cost in most cases.
CapEx becomes particularly crucial in a business where Enterprise Value (EV), or what the company is worth to investors, is determined by an EBITDA multiple. Notice that EBITDA, the value driver of the business, does not include depreciation and amortization expense.
In some cases, CapEx may include capitalized labor associated with the development of intangible assets – such as software, intellectual property, and patents. There are several cybersecurity activities in the new cloud era you can consider capitalizing.3
Additionally, consider the Productive Asset Investment Ratio (PAIR). If capital expenditures exceed annual depreciation, the business is likely expanding as more fixed assets are added than have depreciated over the same time. This ratio can be a clear indicator of a company's willingness to maintain its current level of investment. If the value is below 1.0, the business may have accounting or operational challenges. Companies with a value greater than 1.0 have more valuable earnings (because they aren't delaying capital expenditures to boost their profits).
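The income statement waterfall described above (revenue down to net income, with gross margin, EBITDA built both top-down and bottom-up, and EBIT), together with the balance sheet identity, the Debt-to-Equity ratio and the Productive Asset Investment Ratio, as an added worked example in Python. This is not code from the book or its authors; the line-item values are constructed sample figures, and the D/E calculation assumes interest-bearing debt over shareholders' equity (one common definition; some analysts use total liabilities instead).

```python
from dataclasses import dataclass


@dataclass
class IncomeStatement:
    """One accounting period's income statement line items (constructed sample values)."""
    revenue: float
    cogs: float            # cost of goods sold, or cost of revenue for services/software
    sga: float             # sales, general and administrative (where cybersecurity usually sits)
    depreciation: float    # tangible asset write-down for the period
    amortization: float    # intangible asset write-down for the period
    interest: float        # nonoperating interest expense
    income_tax: float

    def gross_profit(self) -> float:
        # GP is a monetary value: revenue less the direct cost of delivering it
        return self.revenue - self.cogs

    def gross_margin(self) -> float:
        # Gross margin is the same relationship expressed as a percentage of revenue
        return self.gross_profit() / self.revenue * 100.0

    def ebitda_top_down(self) -> float:
        # Start at the top line and subtract operating costs
        return self.gross_profit() - self.sga

    def ebit(self) -> float:
        # Pull depreciation and amortization back into the picture
        return self.ebitda_top_down() - self.depreciation - self.amortization

    def net_income(self) -> float:
        # The bottom line: what is left after interest and taxes
        return self.ebit() - self.interest - self.income_tax

    def ebitda_bottom_up(self) -> float:
        # Start at the bottom line and add each non-operating/non-cash item back
        return (self.net_income() + self.income_tax + self.interest
                + self.depreciation + self.amortization)


@dataclass
class BalanceSheet:
    """Point-in-time financial position (constructed sample values)."""
    total_assets: float
    total_liabilities: float
    shareholders_equity: float
    interest_bearing_debt: float   # assumption: subset of liabilities used for D/E

    def balances(self, tolerance: float = 0.005) -> bool:
        # The balance sheet identity: assets = liabilities + equity
        return abs(self.total_assets - (self.total_liabilities + self.shareholders_equity)) < tolerance

    def debt_to_equity(self) -> float:
        # Higher values mean the company is more heavily leveraged
        return self.interest_bearing_debt / self.shareholders_equity


def productive_asset_investment_ratio(capex: float, depreciation: float) -> float:
    """PAIR: capital expenditures divided by depreciation for the same period.

    Above 1.0 the business is adding fixed assets faster than they wear down;
    below 1.0 it may be deferring investment to flatter current profits.
    """
    return capex / depreciation


# Constructed sample period, chosen so the two EBITDA routes are easy to check by hand
SAMPLE_IS = IncomeStatement(revenue=1_000_000.0, cogs=400_000.0, sga=300_000.0,
                            depreciation=50_000.0, amortization=20_000.0,
                            interest=30_000.0, income_tax=40_000.0)
SAMPLE_BS = BalanceSheet(total_assets=2_000_000.0, total_liabilities=1_200_000.0,
                         shareholders_equity=800_000.0, interest_bearing_debt=600_000.0)
SAMPLE_CAPEX = 80_000.0


def summary() -> dict:
    """Return the derived metrics an executive reviews, keyed by name."""
    return {
        "gross_profit": SAMPLE_IS.gross_profit(),
        "gross_margin_pct": SAMPLE_IS.gross_margin(),
        "ebitda": SAMPLE_IS.ebitda_top_down(),
        "ebitda_check": SAMPLE_IS.ebitda_bottom_up(),
        "ebit": SAMPLE_IS.ebit(),
        "net_income": SAMPLE_IS.net_income(),
        "balance_sheet_balances": SAMPLE_BS.balances(),
        "debt_to_equity": SAMPLE_BS.debt_to_equity(),
        "pair": productive_asset_investment_ratio(SAMPLE_CAPEX, SAMPLE_IS.depreciation),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:>24}: {value}")
```

The useful check for a reader is that `ebitda_top_down` and `ebitda_bottom_up` agree: if they differ, an item has been placed on the wrong side of the EBITDA line, which is exactly the kind of misclassification that changes how a security budget is judged when SG&A is under pressure.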
Cash flow statements show the change in cash over the accounting period. Cash flow statements are structured to demonstrate how the cash balance was affected by Operating, Investing, and Financing activities.
Operating activities may include selling, collecting payments and interest, building or purchasing inventory, paying salaries, and contracting third-party suppliers and service providers. Investing may comprise buying and selling noncurrent assets, typically termed Property, Plant, and Equipment (PPE). Finally, Financing activities include paying down debts, issuing equity and dividends, borrowing funds, and even repurchasing stock.
There is value in clarifying: the statement of cash flow tells you nothing of profit. That is to say, your cash balance can, and often does, go down during profitable growth. Also, it is equally probable for cash to increase while a business operates in the red (unprofitably).
The relationship between cash and profit is perhaps one of the most common points of confusion. At the heart of the difficulty is accrual accounting. Accrual accounting matches revenue and expenses at the time of a transaction, rather than when payment is received or made. This matching simplifies accounting in practice but conceptually results in some very unintuitive implications for managers.
For example, if you outsourced your third-party risk management (TPRM), you may pay an annual subscription fee upfront, say on January 1. However, to consummate the transaction, the partner must deliver the service in full. So, if there was a $120,000 subscription for the year, your expenses may accrue $10,000 per month throughout the year. In this example, you paid the TPRM vendor in January, but the service must be delivered to complete the transaction. Now imagine, in this case, that your TPRM vendor heavily discounted the sale to a point where providing the service was not profitable. On January 1, you paid the service in full, but the business proceeded to operate unprofitably, and your vendor realized a loss by the end of the year. Indeed, cash flow is not profit.
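The TPRM subscription example above, worked through month by month as an added example (not code from the book or its authors). It uses the $120,000 annual contract accrued at $10,000 per month from the text; the vendor's $11,000 monthly delivery cost is a constructed assumption chosen so that the contract loses money, which makes the cash-versus-profit divergence visible on both sides of the deal.

```python
from typing import List, Tuple

# Sample contract from the text; the vendor's monthly delivery cost is a constructed assumption
CONTRACT_VALUE = 120_000.0
MONTHS = 12
VENDOR_MONTHLY_COST = 11_000.0   # assumption: delivering the service costs more than it earns


def vendor_ledger(contract_value: float, months: int,
                  monthly_cost: float) -> List[Tuple[int, float, float]]:
    """Vendor's view: cash arrives on day one, revenue is recognized as the service is delivered.

    Returns (month, cumulative cash change, cumulative accrual profit) per month.
    """
    monthly_revenue = contract_value / months
    cash = contract_value          # full payment received January 1
    profit = 0.0                   # nothing earned until service is delivered
    rows = []
    for month in range(1, months + 1):
        cash -= monthly_cost                       # delivery costs are paid as incurred
        profit += monthly_revenue - monthly_cost   # accrual matches revenue to delivery
        rows.append((month, cash, profit))
    return rows


def buyer_ledger(contract_value: float, months: int) -> List[Tuple[int, float, float]]:
    """Buyer's view: cash leaves on day one, expense is accrued evenly across the year.

    Returns (month, cumulative cash change, cumulative expense recognized) per month.
    """
    monthly_expense = contract_value / months
    cash = -contract_value         # paid in full January 1
    expense = 0.0
    rows = []
    for month in range(1, months + 1):
        expense += monthly_expense  # the P&L sees $10,000 per month, not $120,000 in January
        rows.append((month, cash, expense))
    return rows


def months_cash_up_but_unprofitable(rows: List[Tuple[int, float, float]]) -> List[int]:
    """Months in which cumulative cash is positive while cumulative profit is negative."""
    return [month for month, cash, profit in rows if cash > 0 and profit < 0]


if __name__ == "__main__":
    print("Vendor (month, cash, profit):")
    for row in vendor_ledger(CONTRACT_VALUE, MONTHS, VENDOR_MONTHLY_COST):
        print("  ", row)
    print("Buyer (month, cash, expense):")
    for row in buyer_ledger(CONTRACT_VALUE, MONTHS):
        print("  ", row)
    print("Vendor months with cash up but running at a loss:",
          months_cash_up_but_unprofitable(vendor_ledger(CONTRACT_VALUE, MONTHS, VENDOR_MONTHLY_COST)))
```

Running it shows the vendor sitting on tens of thousands of dollars of cash for ten months while every one of those months is unprofitable on an accrual basis, and the buyer's cash dropping by the full contract value in January while its income statement absorbs the cost gradually. Neither statement is wrong; they answer different questions.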
You may be wondering, “Then what good is cash flow, and why should we care?” Simply stated, it's the inflows and outflows of cash for a business. To operate a business, you have to pay your debts when they come due. If you cannot, you may be declared insolvent. Cash flow and balance sheet insolvency tests are the two ways of determining insolvency.4
As a cybersecurity leader, managing operating activities is likely the most significant lever you have to impact insolvency, for example, by negotiating extended payables when you contract with third-party providers. There are assuredly prescriptive procurement processes in larger companies that ensure your contracting practices align with company standards. Otherwise, you can try requesting Net 45 rather than Net 30 in your terms and conditions. That just means payment is due 45 days after the invoice date rather than the typical 30. Everyone recognizes it takes time to make a payment. While that time passes, essentially, one company is “financing” the amount for the other. Let's be honest; the payment terms on cybersecurity consulting engagements aren't likely to make a sizable difference for the business. But your finance department will at least appreciate awareness of the issue. Also, tactically conceding terms like this helps create reciprocity when negotiating a contract. More on negotiating in Chapter 12 – Negotiation.
Now, let's briefly contrast insolvency with bankruptcy. An organization may declare bankruptcy when its distressed financial position cannot be resolved even by selling off all assets to clear its total debt. At this point, the courts initiate a legal process to resolve the debt. The court decides how the bankrupt company will repay debts. Debt repayment plans may include selling tangible and intangible assets.
While your ability to impact insolvency is low, your ability to protect against bankruptcy is more pronounced. Some examples where cybersecurity failures led directly to bankruptcy include (Dante, 2019):5
Intellectual-property loss (Westinghouse Nuclear, Nortel Networks, SolarWorld)
Loss of cash resulting from cryptocurrency exchange compromise (Mt. Gox, YouBit)
Wire transfer fraud (Little and King, LLC)
Lost revenue from contract termination (Altegrity Risk International)
Ransomware (Colorado Timberline)
Other extortion (Code Space)
In many businesses, cash is king. To successfully navigate the political landscape, you must know what figures business managers are looking to optimize either for their benefit or the company as a whole. Next, we'll examine the best resource I know of to empower your understanding of how financial statements impact behaviors and decisions.
How to Read a Financial Report: Wringing Vital Signs Out of the Numbers by John A. Tracy is one of the most profoundly productive resources presented during my MBA. In particular, he offers an exhibit that provides a visual overview of the connections between the three financial statements (see Figure 1.1).
Throughout this chapter, I mentioned we would pull together a few concepts in this section, including:
Net Income and Retained Earnings
CapEx and EBITDA
Cash and Profit
As you can see in Figure 1.1, the balance sheet features retained earnings. Retained earnings are the cash that a company decides to keep at the end of an accounting period. But notice that in this example, retained earnings are less than net income. Where did the rest of the cash go? Follow the arrows, and you quickly discover a Cash Dividend from Profit paid to owners.
Again, using Figure 1.1, it is easy to connect the relevant elements in the financial statements. In this case, the Accumulated Depreciation contra account on the balance sheet relates to the Depreciation Expense on the income statement. Ironically, because depreciation is a noncash expense, it is added back to the cash flow statement in the operating activities section, alongside other expenses such as amortization. This accounting trick keeps the books balanced but tends to be conceptually very difficult.
The point is only to clarify relationships in the figure. It's worth noting that long-term equity investors will prefer another value, Free Cash Flow, which we will discuss further in Chapter 4 – Value Creation. This preference arises because EBITDA ignores CapEx, which is an issue to be considered in capital-intensive industries.
FIGURE 1.1 Connections Between Three Financial Statements
Source: J. A. Tracy and J. Wiley (2013). How to Read a Financial Report: Wringing Vital Signs Out of the Numbers (7th ed.). John Wiley & Sons. Reproduced with permission of John Wiley & Sons.
Finally, in this example, it's evident that the Decrease in Cash during Year on the Statement of Cash Flows has nothing to do with the Net Income (bottom line) of the company on the Income Statement.
Tracy dedicates an entire chapter to the Impact on Growth and Decline on Cash Flow if you're interested in understanding this relationship in more detail.
The conclusion I hope you have drawn is that when you are uncertain of the relationship between an action you are taking and a key metric in the business, it is always a good idea to consider this resource as an aid in helping you connect the dots.
Imagine there are two CISOs hired at the same time in different companies. They both identify the need to create and operate a threat and vulnerability management (TVM) program.
You estimate the new TVM program will require a Vulnerability Risk Management (VRM) platform to integrate scanning tools, inventory, asset criticality scoring, software-driven risk analytics, threat feed ingestion, and efficient ticket operations.
In this first case, a product company has raised capital by selling equity. They are a publicly traded global product manufacturing company, and their new investors believe they can enhance market capitalization by compressing the SG&A costs to optimize profitability while growing revenue through more efficient deployment of capital in the marketing department.
The CISO reports to the CIO. The company believes that higher revenue growth, coupled with stronger EBITDA, will provide the return on investment they need to satisfy their new equity holders.
What are the key challenges you see in this situation? What actions might you recommend?
In this case, the CISO budget likely falls primarily within SG&A. This account is already a target for cost reduction, so you can anticipate more scrutiny before you begin.
Unfortunately, “One size fits all” targets are all too common when performing cost reduction.6 Deloitte reports that “it is common for companies to tackle SG&A cost reductions by implementing across-the-board cuts without fully understanding the potential impact on their business. A company may use an opportunity assessment and a high-level business case to identify optimal savings and improvements. Targeted restructuring or cost reductions may be better suited to optimize growth strategies.”7
