How can CISOs articulate risk and get the support to protect and enable the organisation?
Kylie Watson - CISO at DXC Technology, Donald Elliott - CIO at Cricket Australia, and Olivia Loadwick - Partner at McKinsey & Company explored managing cyber incidents and stressed the importance of involving leaders beyond the cyber team in a Security Edge panel discussion.Kylie Watson – CISO at DXC Technology, Donald Elliott – CIO at Cricket Australia, and Olivia Loadwick – Partner at McKinsey & Company explored managing cyber incidents and stressed the importance of involving leaders beyond the cyber team in a Security Edge panel discussion.
Peter Hind, Principal Research Analyst at ADAPT, moderated the session, guiding the conversation around the need for broader leadership involvement in managing cyber incidents and how a multi-departmental approach builds resilience.
Donald highlights the importance of aligning cyber security language with business goals.
He emphasises that cyber security shouldn’t be seen as an obstacle, but rather an enabler, ensuring operations like test matches and community cricket continue smoothly.
Donald explains that communicating the impact of data breaches in a way that resonates with different stakeholders, from board members to grassroots organisers, helps drive awareness.
While blocking certain actions for security reasons may seem obstructive, it’s vital to provide safer alternatives that allow the business to function without compromising security.
Olivia agrees, advocating for shared responsibility in managing cyber risk, stating that businesses must work closely with the security team to integrate controls that support business objectives.
Kylie adds to this by warning against relying solely on technological solutions to eliminate risk, stressing the importance of understanding behavioural insights.
She supports using tools like nudge theory to encourage secure behaviours and highlights the risks when users fail to understand the consequences of their actions.
Olivia also expands on how connecting cyber security strategy to overall business goals creates a necessary feedback loop, ensuring security efforts align with business objectives and risk appetite.
The discussion also covers the value of wargaming exercises as a way to boost organisational preparedness. These exercises involve a wide range of stakeholders and external parties to simulate real-life incidents and fine-tune processes accordingly.
The panel emphasises the importance of scenario planning that includes various stakeholders to raise security awareness and capabilities.
Regular scenario discussions with legal, corporate, and risk teams help identify vulnerabilities and improve understanding. It also prepares executives for decision-making.
The conversation highlights the chaotic nature of incident response, comparing the leader’s role during a crisis to that of a kindergarten teacher, who must maintain calm and order amidst the stress and urgency, ensuring clear communication and a steady approach.
Key takeaways:
- Broader leadership involvement: Effective incident management needs leaders from outside the cyber team to address the wider organisational impact, allowing technical teams to focus on solving the immediate issues.
- Scenario planning and stakeholder engagement: Regular scenario discussions involving various departments (legal, corporate, risk) are crucial for identifying vulnerabilities and helping executives and stakeholders better understand the importance of cyber security.
- Keeping calm during crises: The chaotic nature of cyber incidents requires strong leadership to maintain order and strategic focus, ensuring clear communication and steady decision-making under pressure.