Updated: Dec 1, 2021
When my students had a question about how to sell Cyber Security without threats to C-Suite, I decided to ask Diana Kelley to visit in one of my lectures. My students have been asking from the beginning about hearing actual stories from the field. I decided to surprise them!
It was amazing to see so many students inspired by Diana Kelley’s visiting my Cybersecurity for Business- lecture at Metropolia University of Applied Sciences.
I want to thank Diana for accepting the invitation and the added value for my students!
Diana has been in Tech for over 30 years. She has been working in C-Suite (Cybersecurity Field CTO at Microsoft, CISO at IBM, General manager at Symantec), co-authored books about Cryptographic Libraries For Developers and Practical Cybersecurity Architecture: A Guide to Creating and Implementing Robust Designs for Cybersecurity Architects. She has inspired many people during her career, including me.
The first time I heard Diana speaking was at the Cybersecurity Nordics event for thousands of people. What I was inspired by was her understanding of business to technical detail. I had an opportunity to discuss with other great women in Cyber Security. They were working either in business development or management. Some of them were working in forensics and STEM-related Cyber Security roles. The most fascinating was that they were not only good at a business perspective, but they all were also highly skilled in processes and technology.
The feedback Diana’s lecture received was astonishing. The students were able to dig their way out from the technical perspective to the C-suite level. This shift is difficult, I agree. When a comfort zone is in technical binaries, it is always hard to shift the mindset towards business.
Many times we are missing actual company goals when it comes to Cyber Security. It is about securing businesses, not only about all the threats that are lurking around. It is about the impact on the strategy and the business goals. Business Planning requires risk planning. The same risk models apply to Cyber Security as it does for business in general. The most known models are PESTLE (Political, Economical, Social, Technology, Legal, Environmental) and SWOT (Strengths, Weaknesses, Opportunities, Threats).
So why so many companies are pulling the plug when it comes to Cyber Security and deciding to outsource even the most critical roles?
It is all about communication. Even though negativity might get viewers on social media, it does not resonate with C-suite professionals.
One of the anecdotes in Diana’s lecture was about understanding where the listener is. Think about going to a doctor. If the first thing the doctor would say to you was cancer, without diagnosing first. How would this make you feel? In business, the same thing applies. C-suite is responsible for the company, its employees, its business. If you tell them at first that they have all the threats in the world, they will stop listening.
Typical topics in the mainstream media are mainly about the leaks and the threats. Trying to sell and market with threats causes people to react by pulling away from the topic. Securing business crown jewels and goals should be the center of the discussions. The same applies when it comes to demographics in the Cyber Security field.
Over 80% of the companies have outsourced Cyber Security in Finland, according to Etla Digibarometri 2020 study https://www.etla.fi/julkaisut/digibarometri-2020-kyberturvan-tilannekuva-suomessa/.
Seldom do I see Cyber Security as part of the business as usual functions, such as in Business Development, Product Development, Quality Management, Enterprise Risk Management. I believe it is time to build, By Design and By Default Cyber Security instead of building Silos.
When Cyber Security is business as usual, the milestone marks the start of a new chapter.