TOP CYBER NEWS MAGAZINE
JANUARY 2023
STÉPHANE NAPPO, 2018 GLOBAL CISO OF THE YEAR, VICE PRESIDENT, CYBERSECURITY DIRECTOR & GLOBAL CHIEF INFORMATION SECURITY OFFICER, GROUPE SEB, FRANCE, RETHINKS CYBERSECURITY
Stéphane Nappo with The Strategic Leaders’ Perspectives on Emerging Trends
Foreword
“Sometimes people come into your life and you know right away that they were
meant to be there, to serve some sort of purpose, teach you a lesson, or to help
you figure out who you are or who you want to become. You never know who
these people may be (possibly your neighbour, co-worker, longest friend, or even
a complete stranger) but when you lock eyes with them, you know at that very
moment that they will affect your life in some profound way.”
The Cybersecurity Community desperately needs a positive and warm-hearted approach to confidence building, developing people, assisting in raising awareness and identifying key issues to support a culture of cybersecurity. It needs leaders, role models that encourage and inspire for transformations to be made. Mr. Stéphane Nappo is one of these leaders.
Top Cyber News MAGAZINE - January 2023 - All Rights Reserved
Innovation in Cybersecurity
Dr. Rudy SNIPPE, Netherlands
During a conference where I was talking about innovation, I was approached during the break by a man who introduced himself as Henry. ‘May I ask you something’, Henry asked, and went straight on without waiting for my response. ‘In your presentation you stated that language is an important barrier for innovation, but also an important tool. Can you explain this to me again?’ Despite his somewhat rude appearance, Henry seemed like a nice guy, so I replied:

Wow, this is quite a broad question for a short break. Language is, of course, only the first problem organizations face in development & innovation. The way in which organizations are structured is an even bigger problem, but language also plays a role here.

‘I work in cybersecurity development’, Henry said. ‘As you know, cybersecurity is comprehensive and complex. That is why we work with highly developed experts who really know what they are doing. Can these experts also give an impulse to development and innovation in our company through language?’

I won't make it too complicated. Let's do a short experiment. ‘When you think of the word ‘secure’ from your history, what do you think of?’

Henry looked a little suspicious and said: ‘On trenches, a suit of armour, defensive walls, something impenetrable.’

“Do you see any of this thinking in the approach to cybersecurity?”, I asked. Henry smiled. “Secure contains cure”, I continued. “Suppose you invent a system that heals very quickly after an attack? Or imagine that the concept of secure does not consist of defending and protecting, but that you can continue to do what you were doing? The (re)definition of concepts is key in development and innovation. You should always ask yourself what effect you want to cause and try to put this into words as well as possible.”

Henry, lost in thought, said ‘goodbye’. We walked back to the conference room.

“We think in language and through language we create our own world of thought. The language in which we think, and our own world of thought, have acquired meaning in our past. That's fine until we want to develop something new and keep thinking in a language from the past. In addition, everyone has a different past and thus gives a different meaning to language and ideas. In order to innovate or develop, we must therefore look for new meanings, perhaps even for new words.”

Dr. Rudy Snippe is the Founder of the FASS Theory (Strategy & Leadership / Complex Social Systems). Founder, Chief Executive Officer, Partner of Stocastic. World-Strategic Innovation Dynamics platform. Thesis Research Supervisor (MSc) at Nyenrode Business University.
Stéphane NAPPO, France
Vice President, Cybersecurity Director & Global Chief Information Security Officer at Groupe SEB – global market leader in the small household equipment sector, including prestigious brands: Krups, Rowenta, Tefal, Supor, WMF, Emsa, Calor, Moulinex… And present in 150 countries.

Stéphane Nappo is an internationally recognized cybersecurity leader and a senior level cybersecurity executive with over twenty-five years' worth of experience in international finance, banking, digital services, and industry.

Previously: Global Chief Information Security Officer at Société Générale International Banking and Financial Services (responsible for cybersecurity of 40 major banks in 67 countries); Group Information Security Officer at OVHCloud – European leader in cloud computing, with a presence in 138 countries; Head of Cybersecurity Consulting dept. for Banking & Finance at VINCI - world leader in concessions, energy, and construction, in 120 countries.

Throughout his career, Stéphane has taught, trained, and worked with hundreds of talented cybersecurity professionals. Named Global CISO of the Year, and awarded the European Excellence Trophy in Digital Security in 2018, Stéphane Nappo was chosen Global Security Executive Influencer by the prestigious IFSEC Global, and ranked among the Top Five Influential French IT & Cybersecurity experts by FORBES for the Year 2021. Actively supporting diversity and Women in Cyber, Mr. Nappo was named Ally of the Year 2021 by the United Cybersecurity Alliance USA. Passionate for innovation and business’ digital protection, his leadership skills have been recognized throughout the world. His articles and renowned

By Stéphane Nappo
Everything is a risk, nothing is a risk… the dose makes the risk
A risk generally results from an unwanted outcome or negative consequence. When it comes to cybersecurity, a risk usually relates to the potential for a cyber attack or data breach to occur, which could result in financial loss, reputational damage, or other negative impacts.

As zero risk does not exist, and all actions and decisions can lead to negative consequences, it is possible to state that “everything is a risk”.

However, as risk sensitivity and appetite can vary from one organization to another, and the risk level can also vary greatly depending on the specific situation, context or duration, it is possible to state that “the dose makes the risk”. It means the likelihood and potential impact of an unwanted outcome are closely related to the level of exposure, vulnerability, and tolerance of the target to that risk.

A higher level of exposure, vulnerability, or business intolerance to a risk will generally result in a higher likelihood and stronger impact of an unwanted outcome on the resilience capacity.

Seeking simplicity
Cybersecurity complexity is skyrocketing, led by new business models, new technologies, and the ever-evolving threat landscape. Literally overwhelming the current cybersecurity model at the very moment we need it, this trend has four main drivers: technology changes, regulatory strengthening, operational transformation, and cyber threat sophistication.

In this context, simplifying cybersecurity is a necessity to help organizations better protect sensitive information, manage their digital ecosystem, comply with regulations, and reduce evolution costs. It can also make it easier for employees and contractors to apply security practices. However, rethinking cybersecurity requires a comprehensive cultural and strategic approach that goes far beyond the sole IT dimension. To succeed, we have to accept that the solution does not lie in more technology, but in re-engineering the cybersecurity philosophy.

To secure or not to secure… That is the response, not the question!
Cybersecurity is first of all a response, both proactive and reactive, to the constantly more sophisticated digital threat and the need for resilience. It usually relates to the protection of digital systems, data, and users from unauthorized access, disclosure, use, modification, disruption or destruction.

To secure or not is a decision that must be driven by business stakes, situation and the potential consequences to do

“The evident non-tech basics are
to keep pace with threats and digital evolution
Cybersecurity must be considered a business value, rather than a balance due
Nowadays, cybersecurity must be considered by businesses as a value, rather than a fate or solely as a cost center.

Whether it comes to IT, OT, IoT, or online services, cybersecurity can enhance an organization’s reputation and customer trust, which can be beneficial for business growth, company valuation, and long-term success. It is not only a way to protect from negative events, but also to enhance overall performance and reputation.

Conversely, given the level of cyber attacks and the severity of their impact, to simply wait and see, or to react to incidents after they happen, has long ceased to be a profitable approach.

Overall, the situation today highlights the importance for organizations to promptly adopt a comprehensive cybersecurity approach, which may be positively driven by business ambition, risk management,

Cybersecurity is much more than a matter of IT…
It encompasses a wide range of topics, including technology, processes, regulations, geopolitics, and human behavior. Effective cybersecurity requires a holistic approach that takes into account the various factors that contribute to an organization's overall security posture, including its interactions with its business strategy and its ecosystem.

Cybersecurity is, therefore, truly a matter of resilience.
Risk management is the process of identifying, assessing, and prioritizing the risks to an organization or individual and then taking steps to mitigate or accept those risks.

The goal of risk management is to find a balance between the cost and effort of mitigating a risk and the potential negative impact of the risk if it were to occur. Ultimately, the decision to secure should be based on a balance of risk, business ambitions, and costs, with the aim of effectively identifying, protecting, detecting, and especially “responding to” and “recovering from” a cyber attack.

One of the main cyber risks is to think they don’t exist. The other is to try to treat all potential risks…
Picking battles according to emergencies, demands, or audits can be risky. It may lead to hasty or ill-informed decisions. It can also result in resources being directed away from important or long-term issues. It is important to consider the potential risk-driven consequences and prioritize accordingly.

“Fix the basics, protect first what matters for
By Stéphane Nappo
Cybersecurity is Critical for Sustainability
Cristina Dolan, Global Head of Alliances, NetWitness

Cybersecurity is the most immediate, financially material sustainability and ESG risk that organizations face today. It has been weaponized by nation states, and it has become an invisible high-stakes battlefield. Covert operations can be carried out without the risk of physical retaliation, making cyber attacks an attractive option for countries to use as a means of projecting power and influence. In addition, cybercrime has become a highly profitable and growing component of GDP for some nation states, while the chances of hackers being caught are extremely low. According to the World Economic Forum 2020 Global Risk, only 0.05% of crimes are detected and prosecuted. In addition, the reporting of cybercrimes remains low, making it hard to assess how big cyber risk has become across every aspect of the connected world we live in today.

As a human-created risk, it seems logical that cyber risk should also be a manageable risk compared to natural disasters, and yet the entrepreneurial nature of motivated hackers requires a more proactive approach to protect connected organizations. Internet connectivity, data and distributed systems that power enterprises have become an integral part of modern society. Distributed workforces utilizing a variety of personal devices across corporate networks make managing corporate networks even more challenging than ever.

Regulators across the globe are enforcing the reporting of cybercrimes and breaches by passing new laws that impose financial fines to encourage timely disclosures and active defense and management of corporate networks. The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance, while

Sustainability and ESG have become popular topics for investors, and yet most investors lack the visibility or understanding of cyber risk. Regulatory requirements for public companies are increasing. Corporate directors are now expected to understand cyber risks in the context of corporate sustainability. The disclosure of management practices, controls, audits, and policies will be required in financial reports and regulatory filings.

“Will 2023 be the year where cybersecurity risk is finally viewed by investors, executives and leaders and the

Cristina Dolan, Global Head of Alliances, NetWitness and co-author of Transparency in ESG and the Circular Economy: Capturing Opportunities Through Data
by Stéphane Nappo
The Swarm Cybersecurity: a way to repurpose & strengthen resilience?

Frequently associated too exclusively with the subjective value of trust, cybersecurity is mainly a response to the need for resilience and digital development of nation states, organizations, businesses, and individuals. In this respect, far from being a balance due, cybersecurity is a pillar for the creation of value and sustainability.

A cybersecurity practitioner for more than 25 years, I have profound respect for peers and professional practices in this very challenging discipline. However, I strongly believe that cybersecurity and resilience paradigms have to evolve in shape and strategy to keep pace with the threats’ Darwinian evolution and the fact that they are boxing with no rules.

The traditional security approach aims, in most cases, to rely in fine on a central authority or system to manage and coordinate the defense against threats. Increasingly eroded by the digital transformation and the constant threat evolution, this traditional model leads to two growing major challenges: 1. if the central authority or system is compromised, the entire security system can be defeated; 2. this traditional model can hardly deal with information systems opening to third parties, SaaS, Cloud, and outsourcing trends that impact Business, IT, and Security activities.

As an adjunct to current practices, Swarm Cybersecurity is one interesting approach to consider and drill down into, which aims to address these challenges by using a decentralized network of interconnected organizations or devices to defend against threats.

The swarm cybersecurity notion refers to the use of a large number of elements (tools, people, processes) or other "swarms" to provide enhanced security for a network or system. These elements can be anything from IT with computers, servers and networks, to OT with industrial robots and specifics, IoT devices such as connected products, security cameras or smart thermostats, as well as teams and experts. The idea behind swarm cybersecurity is to create a decentralized network of means that can work together to detect and respond to security threats. Overall, the goal of swarm cybersecurity is to create a network that is highly resilient to cyber threats, and able to quickly and effectively respond to any attacks that do occur.

One key advantage of using a swarm approach to cybersecurity is that it can be highly scalable and consistent with today's outsourced and delegated digital ecosystem. As the number of devices in the information systems increases, the detection/reaction capacity of the swarm also increases. Additionally, because the swarm elements are decentralized, it can be more difficult for an attacker to target a specific device or compromise the security of the entire system.

Another benefit of swarm cybersecurity is that it can be more adaptable and responsive to fast-evolving threats. Because the devices in the swarm can communicate and coordinate with one another, they can share information about potential threats and work together to respond to them in real time. This can be especially useful in detecting and responding to sophisticated cyber attacks that may be able to evade traditional security measures.

As usual, the first challenge is to support the idea that it can be possible to achieve more with many existing things. (I can hear now some: “there is nothing new in this”, “and so what!?”, … ;-)

When in doubt, do remember that cyber attackers are significantly ahead regarding swarm ecosystems. Crime as a service, Dark Marketplaces, Botnets… are effective demonstrations of their ability to federate self-organized and heterogeneous systems to converge toward a collective purpose, with an adaptive resilience to deal with technology evolutions and fight-back methods. If they can do it for - offence -, so can we for - defense -.

After decades of a pure competition-based model for companies’ and individuals' development, the “togetherness as a pack” is a real cultural challenge to address for cybersecurity. In parallel, the (outdated) vision of cybersecurity as a taboo still makes many actors reluctant to “unite to defend”.

Over and above that, the inability to act as a Swarm is also the weakness used by cyber threats to attack their prey one by one.

Of course, the interest of communities is not new; nevertheless the swarm model aims to share action (detection, reaction, recovery…), far beyond only sharing information.

To act as a pack increases synergies and can leverage a lot of efficiency, relying on the "less is more" model for real.

Finally, the swarm must strengthen a “versatile, organic and modular” cybersecurity swarm, with attention to not create new systemic risks.
By Stéphane Nappo
How to swarm
1. Think different, envision the whole value chain & its unity beyond boundaries or interoperability gaps:
• Shift the scope from supply chain to end-to-end value chain, including third parties and outsourced services.
• Encourage systems thinking. This discipline is helpful to quickly and efficiently encompass the cybersecurity needs.
2. Adopt a swarm model wherever possible, starting from inside your organization:
• Strengthen cybersecurity by design with a systematic first level of self-defense, alerting, or monitoring for each item (software, equipment, processes, projects, products…).
• Implementing zero trust as well as SASE principles must be a systematic reflex and rule in your organization (configurations, access rights, administration levels…).
• Break the silos when it comes to security, especially between the IT, OT and IoT dimensions. And do remember, the first silo to remove is the false impression that a perimeter fence protection still exists.
• Do remember, Swarm is not incompatible with segmentation. Quite the contrary!
3. Unite, and aim to hyperconverge with your fellow beings:
• Although you may think otherwise, this change is anyway underway. Your organization is hyperconnected, with Internet, digital business processes, and you share a lot of assets and stakes with the Cloud, SaaS, etc. Then, try to benefit from it. Share, share, share! Alerts, best practices, forces
4. Define and enforce a set of coordinated “behaviors” to protect your fundamentals beyond your organization’s boundaries:
• Investing in behaviors beyond IT systems is important. This can include communication protocols, do’s & don’ts, decision-making algorithms, trigger statuses, and detection, reaction and recovery techniques.
• Additionally, you will need to develop a system for monitoring and controlling the swarm’s proper functioning by parts and “as a whole”, such as a decentralized network.
5. Secure at holistic AND individual levels, using “primal organic self-defense” principles:
• Your enemy is increasingly automated, so defense must respond accordingly. Attacked by robots, we cannot fight back only with humans, SOCs, and computer mice.
• The principle of primal organic self-defense is key. It must rely on simple but automated alerts, proactions and reactions. It must be coordinated, but also able to continue to act individually in case of isolation.
Many things have yet to be thought through, refined and built. The AI is also working on the SWARM model, and I thought it was important to share this . . .
In Search of Excellence - Talent, Made in France
Interview conducted by Isabel María Gómez, Global Chief Information Security Officer. Madrid, Spain

Stéphane Nappo is one of the main references when talking about Cybersecurity. With a career of more than 25 years in which he has successfully demonstrated that the best way to fight cybercriminal industrialization is the digital transformation of technological environments, he is also an international keynote speaker, author, PhD researcher and key opinion leader… He is always a leadership example of paying it forward. It is undeniable that people matter to him. I have been fortunate and honored to know him over the years.

He is an excellent human being, a humanistic leader full of qualities who builds teams in high-performance environments where communication, flexibility and active listening are an axis capable of making everyone share a common vision: a purpose and a horizon to navigate towards together.

Always at the forefront, he offers us an open and honest vision that goes beyond what we see, that makes us think outside the box, that invites us to grow as professionals and people, reaching every day our best version to offer it to our teams and collaborators without qualms.

As a CISO, what I have always admired and what has always struck me about his vision is that he is not a slave to fads. In fact, innovation is the main axis of his decisions; he has always had an excellent risk control and a proactivity focused on benefits that has led him to be a pioneer in the field of cybersecurity.

Stéphane’s permanent desire to learn and protect makes a chat with him totally enriching.
I hope and wish to offer a vision that allows all of us who once chose to dedicate ourselves with dedication to cybersecurity to discover a source and a reference that brings us light on sometimes unmarked paths, and that helps a CISO in the fog find a light that is a reference to bring the ship to a good port. What's next? Let's discover together “The Journey” and the new direction of cybersecurity for the coming years...
Global Chief Information Security Officer Isabel María GÓMEZ has long-tested experience in security and information technologies, and in the course of her career has specialized in several areas related to security. Some of them are: Risk Management, Cybersecurity, Continuity and Resilience IT, Privacy, Compliance and Digital Transformation. She also has a widespread legal, regulatory, technical, and financial background that lets her manage and coordinate efficiently different legal and technical areas. Previously, Isabel has had various executive roles reporting directly to the CEO in information security in leading companies in their respective lines of business, such as Atento, SegurCaixa, Bankia, and Medtronic.
“The Journey”
[Isabel María Gómez] Cybersecurity
is a vocational choice of delivery and
service there is no doubt. What was
it that drove you to dedicate
yourself to it?
[Stéphane Nappo] Cybersecurity is
not only a choice of career or a job,
but a choice of a life and service
spirit, that a few might want to live
or experience. Often people ask me
how and where I take time to live my
life, to create a family, to build a
house, plant a tree or a garden. In
my thoughts. Then in reality. This is
how I used to operate with my time,
my strategic objectives, knowledge,
and desires.
Am I always right? No! Would I
choose a different lifestyle? Maybe
not. Did I give up on my job, my
colleagues, my projects, companies
who trusted me with cybersecurity
and highly confidential business and
personal issues? Never did. Never
will.
Like anyone these days, I am a
digital citizen of our world. My
peers, colleagues, friends and family
can, and do rely on my experience
and expertise. I highly appreciate
and treasure this trust. I build on
this interest. I try everyday to
innovate, strategize and live this
trust, that is in reality hope of
opened hearts and connected minds
for our lives. In this respect, global
CISO is really a mission that I am
proud of.
[Isabel María Gómez] All of us who work
in cybersecurity know that our day-to-day
work is going to take place in a changing
environment that requires a lot of
“resilience”. We are always going to be far
from a comfort zone. What are, in your
opinion, the skills and virtues that have
helped you the most throughout your
career in cybersecurity?
[Stéphane Nappo] Thank you for this question, Isabel. The truth is, we are all bound, sometimes blinded by agreements, legal or personal, and motives, more often than we would wish for. The most difficult moments are those when we have no crisis situations; when our minds and our senses can and must have tranquility and serenity.
The cybersecurity profession requires and expects the devoted professionals to ‘never log off’. Am I different? No. Do I or did I pay the price for my decades of ever-constant focus and never-resting senses? I did and I do have, like any hyper-committed professional, my fair share of the ‘professionally created price to pay’.
Obstacles in cybersecurity activities have, like life itself, the ‘colours’ that we give them. I try to choose the bright and
[Isabel María Gómez] What has been the
innovation that has inspired you the
most?
[Stéphane Nappo] Inspired first by my
two sons and peoples’ cultures, but also
electro and pipe organ music - my forever
first love and twenty five plus years of
active contribution, is in performing as
well as possible to make digital places as
safe as possible.
In life, what took first my absolute
attention were the engineering drawings
of Leonardo da Vinci. Yes, this memory
goes half a century back… Not only did I
create my own drawings of motors,
airplanes, and power plant, but I
collected tools and materials from little
bricks and tiny seashells to wheels, and
compasses. From more recent
innovations – Internet, and applied
Artificial Intelligence, of course.
Like many professionals around my age, I
grew up with the computers’ emergence
in our lives, and I received a second birth
with arrival of Internet. And finally -
digital photography. Photo art could
probably be compared to art of painting.
My masterpieces are, of course, amazing
pictures of my two sons and some
[Isabel María Gómez] One of your
reference phrases is "Knowledge is the
only matter that grows when we share it".
In cybersecurity, we sometimes err on
the side of secrecy. What are the forums
you recommend most to break this
tendency?
[Stéphane Nappo] Exactly and precisely
the point that I always amplify when
speaking at the conferences, digital and
live events, meetings with peers and
followers. In France, we have professional
forums (ANSSI, Campus Cyber, Le CESIN)
and specialised conferences (FIC, Les
Assises de la Sécurité, Hacktiv’
Summit… ). Cybersecurity is
interconnected and can be a complex
matter, we all must teach, train and learn.
This is what brings us all together as a
community. This is what makes the
Cybersecurity community so special and
valued among professional circles.
Incredible open and free platform is the
emerging phenomenon of Top Cyber
[Isabel María Gómez] All of us who work
in cybersecurity know that our day-to-day
work is going to take place in a changing
environment that requires a lot of
resilience. We are always going to be far
from a comfort zone. What are, in your
opinion, the skills, virtues that have
helped you the most throughout your
career in cybersecurity?
[Stéphane Nappo] From the very first
memories that take me to my beloved
Provence, in France, all my future life
decisions and actions, I developed, spirit
of mission, sense of eagerness, justice,
respect and quest for positive and
devoted faith in life purpose. This leads
me through all the difficulties, moments
of success, doubt dispelling, and
happiness. As security pathfinder, board
advisor, business enabler and strategist, I
believe each CISO must act as a guide
with strong leadership and deep
pedagogy. Each CISO has to face
unpredictability and take responsibility
“CISOs Need Strategic Thinking to Be Effective”
Emilio IASIELLO for Top Cyber News MAGAZINE, October 2022 edition
The Chief Information Security Officer, or CISO, is fast-becoming one of the more
difficult C-Suite positions to fill. The CISO role has been plagued with turnover, the
average tenure lasting anywhere from 18 to 26 months. This doesn’t come as a
surprise as the CISO is inundated with an array of challenges that include a
nonstop barrage of diverse cyber threats seeking to exploit the enterprise he
watches over, internal competition to secure budgetary resources to aid in his
defense efforts, lack of authority to instil necessary change, and convincing the
larger C-Suite as to why certain security measures are needed regardless of their
cost. Indeed, in many ways, the modern-day CISO is the cybersecurity equivalent of
Sisyphus struggling to protect the network enterprise only to see another incident
set him back on progress.
[Isabel María Gómez] One of your great
passions is sharing your knowledge
through writing and public speaking,
giving conferences, for example. Where
will we be able to listen to you in 2023?
[Stéphane Nappo] Thank you for this question, dear Isabel. My 2023 and beyond plans are continuously in deliberate development and change. It will very much depend on many factors where the role of the global CISO will change; developing me personally, while planning and strategizing.
From the good news: In France, we have
paid vacations. I often use this time…
days and weeks… to pre-schedule my
speaking arrangements. In the last five
years, for example, I delivered keynote
addresses or participated in panel
discussions in Paris, Zurich, Dubai,
Beijing, Moscow, Prague, Berlin, New
Delhi, Amsterdam, New York City,
Montreal, Porto, Monaco, Deauville-
Normandie, Brussels, Miami, Tel Aviv,
Casablanca, Nairobi…
[Isabel María Gómez] Have you ever
been tempted to leave the world of
cybersecurity and redirect your career to
another discipline?
[Stéphane Nappo] When times are
challenging like these days and in the
foreseeable future, I will be very open
and honest. I will never let my personal
[Isabel María Gómez] One of the main
responsibilities a leader has is to work on
his or her own skills. Sometimes looking
in the mirror is more complicated than it
seems. What advice would you give us to
keep evolving for the benefit of our
teams? What do you think are the keys to
work, for example, with the new
generations of cybersecurity?
[Stéphane Nappo] Learn from your
heart. Give and share your knowledge.
When chosen, follow your own choices
and decisions. When impossible… Do
remember... Nothing is impossible.
There are probably more unknown
unknowns to explore and unlock. I see
more devotion, more enthusiasm, more
aspiring actions and strategic leadership
in my younger colleagues than I could
imagine just a few years ago.
Better understanding, communication
and prepared talents are the future of
the Cybersecurity workforce.
I choose to give my knowledge and
expertise to my employer, my country, my
European and international colleagues
and peers. For collective success.
For greater than personal, for devoted
and desired security and safety for the
world. I am a global citizen and I give my
all to work well.
Interview conducted by Isabel María Gómez
“One of the main cyber-risks is to
think they don’t exist. The other is
to try to treat all potential risks.”
“It takes 20 years to build a
reputation and a few minutes of
cyber-incident to ruin it.”
“If you think you know-it-all
about cybersecurity, this
discipline was probably ill-
explained to you.”
“Even the bravest cyber defense
will experience defeat when
weaknesses are neglected.”
“Education has always been a
profit-enabler for individuals
and the corporation.
Cybersecurity education is a part
of the digital equation.”
“The five most efficient cyber
defenders are: Anticipation,
Education, Detection, Reaction
and Resilience.”
“IoT without security = Internet
of Threats.”
“Threat is a mirror of security
gaps. Cyber-threat is mainly a
reflection of our weaknesses.”
“Technology trust is a good
thing, but control is a better
one.”
“Digital freedom stops where
that of users begins...
Nowadays, digital evolution
must no longer be offered to a
customer in trade-off between
privacy and security.”
“Privacy is not for sale, it's a
valuable asset to protect.”
Renowned quotes by Stéphane
Nappo
Let's face it, CISOs are the most sought-
after executives in cybersecurity. From
start-ups to big companies, they all want
to get their products in front of and win
them over as a champion. The old way of
attempting to build relationships with
CISOs was events such as CISO dinners,
which allow only a few hours of
interaction and typically result in 2-3 meetings and
possibly one closed deal. These events are
losing their effectiveness.
CISOs seek new ways to connect with
innovative cybersecurity and information
security vendors. The new approach is to
create a CISO Advisory Board consisting of
security experts who provide unbiased advice on the
vendor's direction, products, marketing
and roadmap, as these
advisors are not "drinking the kool-aid."
The purpose of the CISO Advisory Board is
to help the cybersecurity organization
gain new insights and advice to solve
business problems or explore new
opportunities by stimulating robust, high-
quality conversations. A CISO Advisory
Board acts as a sounding board for the
cybersecurity company to bounce ideas
off and get access to expertise that might
not ordinarily be available. CISO Advisory
Boards provide a competitive advantage
and help build the company's visibility,
credibility, and revenues. A properly
constructed and executed CISO Advisory
Board will foster lasting and meaningful
relationships with key prospects and
customers of the business.
The vendor is not the only one reaping
benefits from a CISO Advisory Board. Since
an adequately built CISO Advisory Board
comprises security specialists, information
security experts, generalists, and critical
thinkers from diverse backgrounds, the
CISO advisors gain knowledge and
insights from their peers, enabling
them to bring back valuable
Brooke Cook has 20+ years in the
cybersecurity executive relationship
building and event space. With a
background in business and psychology,
Brooke has mastered the niche of building
trust in an authentic way with executives
around the world and treating them to
first-class event experiences. As the CEO
and Co-Founder of Security Sisters
Network™, Brooke brings her passion,
industry knowledge and tenacity to
helping her network of over 15,000+ CXO
relationships stay at the leading edge of
their business, cultivate their desire to
learn about new products and
surround themselves with their peer
group for the benefit of their own
network.
Troels Oerting, Chairman Of The Board at BullWall. Denmark
Qvo Vadis (Cyber) Security?
First, my recommendation is to avoid
hype and fearmongering. Humanity will
survive the Internet and we should not
use or promote ‘fear’ as a driver for the sale
of security solutions. We should instead
instigate, defend and promote ‘hope’ of a
safer Internet and digital future and lead
the way forward with an optimistic
approach.
Secondly, no such thing as ‘absolute
security’ exists, not in the physical
world nor in the digital. Security needs to
be driven by proper risk assessment,
knowing that no single ‘silver bullet’ does
the trick and that security can be broken from
multiple angles and from inside or
outside of the network. So, we must be
realistic in our security level and adapt to
the level that secures what’s important
without unduly limiting privacy or data
protection. More security often means
less privacy and usability, and the balance
needs to be right and decided after a risk
assessment.
The entry into 2023 marks the 43rd
anniversary of my start in Law
Enforcement, Security and
Cybersecurity.
A lot has happened during these many
years, and development has increased in
speed and complexity.
On the other side I have also noted that
the World is still standing and despite
loads of crises, challenges and
uncertainty we tend to overcome the
majority of problems and move on.
Looking back over the many years, and knowing
that my generation of security experts
will be replaced by new enthusiastic ones,
I find the time appropriate to share some
of my learnings and insight with the
coming generations of security experts.
“We, in security,
should not promote fear,
but protect hope.”
~ Troels Oerting
by Troels Oerting
And then you should train and exercise
this plan and adjust it according to reality.
Do a tabletop exercise to test whether the plan
works, and take all relevant factors into
consideration. And rule number one –
make notes of what you do during an
attack, from the first to the last second.
We forget, and you need to be able to
remember if insurance or regulators ask.
In short, if you fail to plan, you plan to fail.
Finally. Make security attractive. For the
company and the staff. Too many CISOs
are under too much pressure.
Cybersecurity is not the enemy of
innovation, marketing or usability. It
should be an asset instead. High
information security is a positive sales
argument and the tone from the top
should be that security is important for
companies holding private and sensitive
information.
Despite war in Europe, inflation,
increasing prices and interest rates,
deadlock in the US House, covid increase
in China, geopolitical tension and other
global challenges we will – together –
improve cyber security and share more
insight faster. I am confident of this.
“Happy New Year and I wish you all
in security a great 2023 and thank
each and every one of you for your
service.”
Thirdly, the overall security goal should
be resilience. I define resilience in this
way: Cyber resilience refers to an
organization's ability to prepare for,
absorb, respond/adapt to and recover
from an adverse situation while
continuing to function as intended. A
strong cyber resilience framework should
be adaptable and account for unknown
variables, like new types of attacks. By
focusing on resilience, the organization is
forced to promote a more holistic and
inclusive security strategy involving staff,
training, HR, legal, communications and
other functions important for ensuring
that the organization quickly recovers
from a cyber incident and gracefully
continues with its main business. If
somebody from the outside asks a
member of an organization's leadership or
Board ‘who is responsible for
cybersecurity in this organization’ and the
answer is ‘the CISO’, they have got it
wrong. The right answer obviously is ‘we
are all responsible for cyber security’.
My fourth advice is to prepare. We will all
get hacked at some point. We need to
plan for how we will operate during such
an incident. Who is in the crisis
management team? Do we have
playbooks for all types of incidents? Do
these playbooks outline a
communications strategy, a press
strategy, a legal strategy (is it legal to pay
ransom?), etc.? All organizations,
regardless of size, need to develop a
security strategy and discuss and decide
what to do when they get compromised.
Troels Ørting Jørgensen, Chairman at Bullwall, Expert
Member at INTERPOL
Mr. Ørting is a globally recognized Cyber Security Expert. He has
been working in cybersecurity ‘first line’ for over 4 decades.
Throughout his career, Mr. Ørting has been working with governments
and corporations to advise on how they react to the increasing
international cyber threats, and worked closely with law
enforcement, intelligence services and cyber security businesses.
Formerly, with the Danish National Police, first as Director, Head of
the Serious Organised Crime Agency and then as Director of
Operations, Danish Security Intelligence Service; Deputy Head, ICT
Department and Deputy Head, OC Department, Europol, EU’s Police
Agency; Head of European Cybercrime Centre and Head of Europol
Counter Terrorist and Financial Intelligence Centre. 2015-18, Group
Chief Information Security Officer (CISO), Barclays. Chaired the EU
Financial Cybercrime Coalition, of which most banks are partners,
Francis West, Chief Executive Officer at Security Everywhere.
England
Why Your Anti-Virus Is Like The
Yellow Pages - Old School And Out
Of Date
To be fair, we can’t paint everyone with
the same brush and we know there are
some IT companies that have done just
as we did and went to their customers
and said “we have discovered our
solution is no longer fit for purpose, and
there is a better one suited to today’s
needs”. This approach probably cost
them some customers, as those customers clearly
had a high appetite for risk and didn’t think
the protection was necessary given the
additional cost.
Some of our clients said “Okay, great.
Thank you”, while others said “We don’t
really like the price and are happier with
less protection and lower cost”. Others
simply said “No, we are not going to pay any
more and we will be looking for another
supplier”. This is the main reason why
most IT companies will not tell you to do
the right thing – they are scared of losing
customers and revenue.
We do have answers, one of which is a
very short, blunt and not particularly
politically correct answer. And then of
course, there is the answer that we would
write!
So first, let’s be blunt.
The answer is that your IT advisors are
likely not cybersecurity experts, and so
are not on top of the market, nor have they
spent years in the cyber security market finding
the best tool for the job.
They are very likely to have been
supplying an antivirus program to their
customers, probably from a well-known
vendor, and it’s not in their interest to go
and tell their customers that it is not
good enough. In many cases, they
probably are not even aware that it’s no
longer fit for purpose.
This only leaves them with the option of
telling their customers that the antivirus
is protecting them and of course it is
good enough! After all, they would look a
bit stupid if they went to the customer
that they’ve sold the antivirus to and said,
“We know our antivirus solution is a bit
rubbish”.
So, why is antivirus not good
enough?
All legacy antivirus is reliant on doing
database lookups to identify any threats.
Every single time it does a scan, it has to
effectively pick up the Yellow Pages (list of
viruses and threats) and go through the
entire book looking for a match. If it
matches it to something in there, it lists
it as a threat. If it can’t match it to anything
in the book, then it’s not a threat and lets
it go.
The issue is that the Yellow Pages is growing
at the rate of four new entries a second. By
the time it’s printed, shipped out, and
everybody’s got their copy, it’s out of date
by thousands or hundreds of thousands
of entries, as there are 345,600 new
threats added every single day, and it’s
not decreasing! This basically leaves you
with a solution that is just not fit for the
purpose of protecting you against new or
unknown threats, not to mention that it is not
very effective, as it relies on constantly
looking the threats up every time.
But, you say, it does protect me against
millions of known threats, doesn’t it –
surely that is better than nothing!? The
problem we face is that the hackers aren’t
stupid. Why would they use old threats
that they know most solutions can block?
That’s why they’re building new ones
every four seconds because they’re
looking for ways around existing security.
What you actually need is a solution that’s
going to look for patterns of behaviour
rather than doing a lookup in an
antiquated system.
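As an added illustration of the lookup-versus-behaviour distinction (example code written for this page, not code from the article or from Security Everywhere), the Python below compares the two approaches on constructed data: a toy hash "phone book", a sample that differs from a known-bad one by a single byte, and a handful of constructed process events. The sample bytes, file paths and process ids are all invented for the demo.

```python
"""Signature lookup versus behaviour-based detection.

Added illustration (not from the article): a toy 'Yellow Pages' of known-bad
file hashes next to a small behavioural rule run over constructed process
events. Sample bytes and events are constructed for the demo, not real malware.
"""
import hashlib
import math
from collections import Counter, defaultdict

# Constructed sample payloads: arbitrary bytes standing in for a known-bad
# file and a variant of it that differs by a single byte.
KNOWN_BAD = b"SAMPLE-PAYLOAD-v1\x00\x01\x02"
MODIFIED = b"SAMPLE-PAYLOAD-v1\x00\x01\x03"

# The 'phone book': SHA-256 hashes of everything seen before.
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD).hexdigest()}


def signature_match(blob: bytes, db=SIGNATURE_DB) -> bool:
    """Legacy lookup: flag the file only if its hash is already in the book."""
    return hashlib.sha256(blob).hexdigest() in db


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed output sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Constructed process events: (pid, action, path, data written).
# pid 1001 is an editor saving text; pid 2002 overwrites many user documents
# with high-entropy data, which is what mass encryption looks like on disk.
EVENTS = [
    (1001, "write", "/home/u/notes.txt", b"meeting notes for monday " * 8),
] + [
    (2002, "write", f"/home/u/doc{i}.docx", bytes(range(256)))
    for i in range(6)
]


def behaviour_flags(events, min_files=5, min_entropy=7.0):
    """Flag any pid that overwrites at least `min_files` distinct files with
    data whose entropy is at or above `min_entropy` bits per byte."""
    high_entropy_writes = defaultdict(set)
    for pid, action, path, data in events:
        if action == "write" and shannon_entropy(data) >= min_entropy:
            high_entropy_writes[pid].add(path)
    return sorted(pid for pid, paths in high_entropy_writes.items()
                  if len(paths) >= min_files)


def demo():
    """Return the two verdicts side by side."""
    return {
        "signature_hits_known": signature_match(KNOWN_BAD),
        "signature_hits_modified": signature_match(MODIFIED),
        "behaviour_flagged_pids": behaviour_flags(EVENTS),
    }


if __name__ == "__main__":
    print(demo())
```

The hash lookup cannot see the modified sample at all, while the behavioural rule (many files overwritten with near-8-bits-per-byte data) fires on what the process does rather than what it is. Real products combine both: signatures stay cheap and precise for known families, behaviour rules catch what the book has not seen yet, and both need tuning against benign high-entropy writers such as backup or compression tools.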
For want of a better example, it’s like the
difference between using live facial
recognition to identify threats rather than
relying on someone walking around with
a photo and putting it up next to
everybody to decide who’s a threat and
who’s not. Or even worse, having to use
multiple massive libraries of photos if
you’re talking about a proper criminal
database. In short, you get what you pay
by Francis West
Francis West, Chief Executive Officer at
Security Everywhere is on a mission to
inform and advise a million business owners
on how to stay cyber safe so they can
maximise the advantages of technology
whilst minimising the risks. Having started
his career in the African Army, Francis moved
to the UK and built a million-pound IT
support company. In both professions, his
motivation has been to protect others from
potentially destructive and devastating
threats.
Successes in that first IT business included
redesigning a bespoke, cloud-based, global
recruitment platform and contributing to the
design and launch of a remote desktop
solution for Randstad. Whilst providing
managed security services for large
enterprises, Francis realised there was a lack
of information and support tailored to SMEs.
In 2010, he launched Westtek Solutions to
educate SMEs on cyber vulnerability and
provide a complete security service.
This was followed by Security Everywhere, a
partnership with Graeme Ison. They provide
SMEs with 5 easy, affordable and
comprehensive layers of Cyber Protection,
within 24 hours. Francis’ expertise in his field
is widely recognised. He sits on 5 Cyber
Security Panels and is the Cyber Security
National Lead for the FSB (Federation of
by Allan Alford
One of the pivotal moments in
becoming a leader in cybersecurity
occurs when the newly minted leader
makes the decision to postpone
addressing a particular finding from
the team due to reasons of budget,
schedule, business priorities, etc. This
critical moment separates successful
practitioners (who should advocate to
address cybersecurity risks) from
successful cybersecurity leaders (who
should advocate for doing the right
thing for the organization - which
might well include deprioritizing a
given cybersecurity risk).
If this moment is pivotal in the initial
transition to cybersecurity leadership,
then perhaps it serves to establish a
trend for future leadership roles in
cybersecurity as well. As one rises in
leadership ranks, one should inherently
become more aware of the surrounding
environment, of the needs and drivers of
peer departments, and of higher order
objectives and goals for the entire
organization. If such knowledge is
expected of a cybersecurity executive,
then that same moment where the fresh
cybersecurity leader makes the call to not
address a given risk due to higher order
concerns should occur more frequently
as the leader gains more perspectives on
the greater organization. To put it
“Without risk there is no
business. Take the smart risks
and profit. Take the wrong
risks and lose.”
It can be argued that business is nothing
more than taking risks, hoping they are
the smartest risks vs. your competitors,
vs. time itself, and vs. market demand.
Take the smart risks and profit. Take
the wrong risks and lose. Investment is
risk. Further, all business innovation is
also by definition risk. What if the
newness of a given product or service
prevents its being understood or
adopted? Ingenuity, as with all business
moves, requires wilful risk. It is important
for CISOs to remember this as they dive
into their 2023 risk management plans -
that wilful risk is not just acceptable, but
integral and necessary to the success of
the organization.
CISOs often debate who owns any
given cybersecurity business risk
identified by the CISO’s team. Most CISOs
will tell you that the CISO’s role is to point
out the risk, to clarify it, to advise on its
disposition and let “the business” own the
risk. One can argue, however, that there
is an intrinsic flaw in that argument as
indicated by its nomenclature. “The
business” is not something that exists
over there while the cybersecurity team is
over here. To refer to the rest of the
organization as “the business” is to
divorce oneself from one’s vital
leadership role in the business. The
mantra is not “Enable the business!” The
mantra is “Be the business!” To this end,
CISOs need to bear more ownership of
risk despite conventional approaches.
Taking Ownership of
Risk
by Allan Alford
The CISO should then state that, “It is my
recommendation that we…” Being firm
on disposition while encouraging mutual
ownership begins the process. Note that
this approach can never be embraced
until the CISO has internalized it and
applied it to their own personal career
risk:
“I am accepting and owning some
career risk with each business
decision I make. This is the price
of executive leadership, and I
will not let it worry me as I
charge forward in my role.”
The vital aspect of this method is twofold:
First, the CISO is not shirking or
dodging, avoiding, or placing themselves
in a position of helplessness. The CISO is
demonstrating authority by publicly
declaring accountability. Authority is
given far less than it is taken, and
authority is rarely successfully held by
those who do not publicly own the
outcomes of authority, both good and
bad. For the CISO who embraces this
philosophy and approach, Step Two
manifests in two ways: One: Authority
has grown to meet the accountability that
the CISO led with. Two: Career risk is
actually diminished, not increased, due to
the CISO’s demonstrating real leadership,
real ownership, real business savvy, and
real accountability from a business
standpoint. To demonstrate these
qualities is to weather at least most
storms that might blow in when a given
risk-taking decision backfires. We all are
capable of gambling on the wrong
outcome. Doing so with authority and
accountability, doing so with the mutual
respect of peers who recognize that
accountability has been maintained, most
likely results in commiseration rather
If this model is valid, then the CISO’s
ownership of risks and of specific risk
acceptance should grow commensurate
with the awareness of the greater
organization. By the time one has
achieved the CISO rank, one should see
oneself first and foremost as a vital co-
leader of the business, as a peer to other
business leaders from other
departments, and as someone who is
well informed as to those other leaders’
goals, drivers and obstacles. The “Chief”
in “Chief Information Security Officer”
mandates business leadership over
cybersecurity leadership.
Getting back to the CISO debate as to risk
ownership, the conclusion that unfolds
regarding the cybersecurity leadership
trajectory is that the CISO is as much a
risk owner as their fellow executive
business leaders, and no less so.
One cannot be the business without
inheriting risk ownership, in other words.
That ownership is shared across all the
business leaders, and the CISO does not
have an inherent right to claim an
advisory-only role with regards to any
given risk they have identified. The
ownership of risk is mutual and
mandated for all executives.
The CISO job is hard. The hours are long,
the stakes are high, and the stress levels
seldom dissipate. Often CISOs are
scapegoated, being summarily dismissed
when a risk they pointed out to the
business months ago turns into an active
incident.
CISOs are held accountable and blamed
for things they often have no authority
over. Every CISO, no matter how
competent, devotes some portion of their
thinking to a fear of an untimely end to
their role. Given this climate, how can
CISOs embrace risk ownership? Part of
the solution is in addressing this notion
of accountability without authority.
Step One is for the CISO to do what they
have (presumably) always done:
CISO and Cybersecurity Consultant, Mr. Allan Alford has led security functions in companies
from 5 employees to 50,000 and executes a risk-based approach to security, as well as
compliance with many frameworks.
With a Master of Information Systems & Security and a Bachelor of Liberal Arts with a focus on
Leadership and twenty-plus years in information security, Allan has served as CISO five times in
four industries, with a strong history in technology, manufacturing, telecommunications,
litigation, education, cybersecurity and more. He parlayed an IT career into a product security
career and then ultimately fused the two disciplines. This unique background means that Allan
approaches the CISO role with a highly business-aligned focus and an understanding of an
organization's greater goals, drivers, methods, and practices.
Allan Alford gives back to the security community via The Cyber Ranch Podcast, by authoring
articles, speaking at conferences, teaching, mentoring, and coaching aspiring CISOs.
About Allan Alford Consulting
Mr. Alford launched his boutique cybersecurity consulting practice in 2022, with the intention of
helping organizations efficiently implement and manage security programs and projects. Allan
keeps the practice small, bringing in a hand-selected team of subject matter experts only as
Allan Alford, United
States
by Steve King
Cybersecurity Leadership
cooperation that is not always
forthcoming. The relationship between
the board, C-suite and the CISO is often
ill-suited to the execution of actionable
programs as the definitions of
accountability and responsibility are soft-
pedalled and generally ignored by the
senior party. This translates to
responsibility and even accountability
on paper but not extended in fact or
downright withheld in practice,
leading to mistrust and an inordinate
amount of counterproductive meetings,
analysis and proposals.
My experience is that the board simply
does not trust either the IT or Security
leadership; they don’t trust that either
team understands the business nor could
make the right executive decisions were
they in charge, and as a consequence, the
board will not relinquish the reins of
leadership outside of their domains. The
CISO doesn’t seem to be able to grasp
business basics or understand for
example the notion of risk transfer.
We hear frequently that 99% of the global
business leaders claim cyber risk is the
greatest risk facing our economy and
when Fed Chairman Jerome Powell said
on 60 Minutes that the greatest risk to
the economy is cyber risk, we assume
that our business leaders are all on the
same page. They don’t worry about
inflation, another financial crisis or
another pandemic — they worry
about cyber risk.
The World Economic Forum (WEF) Global
Risk Report 2021, tells us that the top
three short-term risks to the world, as
defined by its survey of 650 WEF leaders,
are infectious disease, income inequality
and extreme weather events. The fourth,
is cybersecurity. Nearly 40% of WEF
leaders cited cybersecurity as a “clear and
Given my background, I empathize with
Cybersecurity leadership and can’t
imagine trying to do the job at current
expectation levels during the storm in
which we find ourselves. The competition
between business unit owners driving
toward the 4th industrial revolution,
pockets of shadow IT running unknown
quantities of cloud sessions, increased
dependencies on supply-chains, open-
source everywhere, new heights of
network complexity, a lack of available
resources to fill the gaps, and increased
sophistication and smarter attacks from
cyber-criminals along with promises of
safety and security from 4,000 point
solution vendors would drive anyone
crazy.
If you have a CISO who appears to be
keeping the lights on, make sure s/he is
happy. For every competent CISO, there
must be a dozen who aren’t.
But CISO leadership is not limited to
technology choices, maturity programs,
operations and governance and the
provisioning of adequate detection and
protection capabilities to assure a
computing environment is safe from bad
guys. It is responsible to the company
and shareholders to do everything
possible to assure maximum protection
and the implementation and support of
well-thought-out and carefully designed
layers of defense, leveraging the best and
most effective technology tools, the
optimal use of available resources, the
appropriate levels of education and
training delivered to the right people at
the right time and communication with C-
suite and Board members at a level
where both sides can operate from the
same page of the play book, at all times.
In addition, in most corporate IT
environments, the relationships
by Steve King
“What we need is for the CISO to step
into the breach – to embrace a true
leadership role – which translates to
defining a path forward that will
minimize the probability of a
catastrophic event. It is now time for
the CISO to report directly to the CEO
or the BOD. We are swimming in a new
ocean now and if we expect CISOs to
be held accountable with personal
liability and fiduciary care duty, then
s/he needs to have the appropriate
reporting and decision authority as
well.”
Following the Joe Sullivan verdict, I will be
surprised if our next shortage isn’t the
CISO role itself. Would you risk 8 years
behind bars to defend a dysfunctional
company’s assets without controls or
authority for $500K a year? Of course not,
and when Sullivan’s sentencing becomes
real for folks, there will be few willing to
take that risk.
True leadership means having the
courage to architect and promote an
alternate approach to layered, defense
in depth security models. It means
embracing an enterprise-wide Zero Trust
strategy. One that begins with third party
assessment, a rigorous identification of
critical assets, an isolation of these assets
through micro-segmentation and access
protection through granular identity
management and policy engines with a
fully saturated monitoring of lateral
activity beyond initial entry through to
behavior while on the networks and upon
session exits, the dedication of fully
staffed cybersecurity hygiene programs,
and the discipline to adhere to best
practices throughout.
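As an added illustration of the policy-engine and monitoring pieces of that strategy (example code written for this page, not a product and not the author's own), the Python below models a constructed asset-to-segment map, role entitlements, a default-deny decision function that checks device posture, MFA and segment entitlement, and a monitor that flags sessions whose denied requests spread across several segments. Asset names, roles, users and session ids are all invented.

```python
"""Zero Trust policy engine over micro-segments.

Added illustration (not from the article): a constructed asset-to-segment map
and role entitlements, a policy engine that decides each request on identity,
device posture, MFA and target segment, and a monitor that flags sessions
whose denied requests spread across several segments. All names are invented.
"""
from collections import defaultdict
from dataclasses import dataclass

# Micro-segmentation: every asset belongs to exactly one segment.
ASSET_SEGMENT = {
    "crm-db": "crm",
    "payroll-db": "finance",
    "wiki": "general",
    "jump-host": "admin",
}

# Granular identity: roles are entitled to segments, never to "the network".
ROLE_SEGMENTS = {
    "sales": {"crm", "general"},
    "finance-analyst": {"finance", "general"},
    "sysadmin": {"admin", "general"},
}


@dataclass(frozen=True)
class Request:
    session: str
    user: str
    role: str
    device_managed: bool
    mfa: bool
    asset: str


def decide(req: Request) -> tuple:
    """Policy engine: default deny; every check must pass for an allow."""
    segment = ASSET_SEGMENT.get(req.asset)
    if segment is None:
        return False, "unknown asset"
    if not req.device_managed:
        return False, "unmanaged device"
    if segment != "general" and not req.mfa:
        return False, "mfa required"
    if segment not in ROLE_SEGMENTS.get(req.role, set()):
        return False, f"role {req.role} not entitled to segment {segment}"
    return True, "allow"


def evaluate_all(requests):
    """Decision log: (session, asset, segment, allowed, reason) per request."""
    return [(r.session, r.asset, ASSET_SEGMENT.get(r.asset), *decide(r))
            for r in requests]


def lateral_movement_alerts(decision_log, min_segments=2):
    """Monitor after initial entry: a session whose denials touch at least
    `min_segments` distinct segments is probing beyond its entitlement."""
    denied_segments = defaultdict(set)
    for session, _asset, segment, allowed, _reason in decision_log:
        if not allowed and segment is not None:
            denied_segments[session].add(segment)
    return sorted(s for s, segs in denied_segments.items()
                  if len(segs) >= min_segments)


# Constructed traffic: s1 is normal sales work, s2 is a finance user on an
# unmanaged laptop, s3 is a sales identity trying assets outside its segments.
REQUESTS = [
    Request("s1", "alice", "sales", True, True, "crm-db"),
    Request("s1", "alice", "sales", True, False, "wiki"),
    Request("s2", "bob", "finance-analyst", False, True, "payroll-db"),
    Request("s3", "carol", "sales", True, True, "payroll-db"),
    Request("s3", "carol", "sales", True, True, "jump-host"),
    Request("s3", "carol", "sales", True, True, "crm-db"),
]

if __name__ == "__main__":
    log = evaluate_all(REQUESTS)
    for row in log:
        print(row)
    print("lateral movement alerts:", lateral_movement_alerts(log))
```

Two design points are worth noting: the asset map makes the segment, not the IP address, the unit of authorization, and the monitor runs on the decision log rather than on raw packets, so requests the policy denies still leave a signal that identity-aware monitoring can alert on.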
It means translating that strategy into
language that the board will understand
and contextualized outside the standard
threat/consequence matrix, so that
professional risk decision makers can
make determinations aligned with
The Convention on Cybercrime (AKA the
Budapest Convention) has been ratified
by 65 nations, but focuses primarily on
nation states assisting each other in the
prosecution of cybercrimes, not
addressing today’s nation states
attacking private sector companies at
will. Are 65 nations asleep at the
wheel or have they all signed up for
Chinese protection under the BRI
initiative?
Even though we have seen these attacks
in action now for years, we still have no
Convention-like treaty that establishes
rules of engagement for nation states in
cyberspace and provides a legal
framework for the international
prosecution of violators.
And as a consequence, nothing will
change the global landscape for private
or public leadership with regard to cyber-
crime and cyber-attacks. Without
modernized laws at a whole of global
government level, it is impossible to
impress upon the decision makers in
private companies to break from the
pack.
Risk transfer will remain the Sleepeze for
board members unless and until our
CISO leadership community determines
that it is their responsibility to force
reality into their presentations in a way
that the board can both grok and
understand the details of liability as they
relate to their fiduciary responsibilities.
Or until Cyber-insurance disappears as a
risk-transfer option. Until then, business
as usual.
As a result, without changing the way
that CISOs manage within their
organizations, the lack of leadership
will always be one of the great Achilles’
heels of the Cybersecurity space. It is
the equivalent of laws that protect retail
criminals from prosecution if all they steal
is valued at or under $950.
As even casual observers will recall, it
only took Colonial one day to decide on a
Mr. Steve KING is the Founding Board Member and Managing Director of CyberEd.io, the
leading Cybersecurity Education On-line Learning program in the world. His other day-job is
helping Cybersecurity clients get their brand story, positioning statements and messaging
squared to the appetite of their targeted audience, as Managing Director of CyberTheory, a full
service digital marketing, branding and advertising company. Both organizations are part of
the ISMG global media family, the largest media group focused only on Cybersecurity in the
world. Education in Cybersecurity is Steve’s passion and he feels lucky to have this amazing,
broad, popular, far reaching and active ISMG network to promote and advise on their way
toward CyberEd.io’s North Star, which is to CLOSE THE GAP in Cyber education.
Steve got his start in InfoSecurity as a co-founder of the Cambridge Systems Group, which
brought to market, ACF2, the [still] leading data security product for mainframe computers –
Cambridge sold their product suite to CA back in the 1980s. In the year 2000, as businesses
struggled to get their message out to the web, Steve started a few businesses to help make
that easier. From ESI, a digital branding business that helped companies like Harley-Davidson,
Abercrombie and Fitch and Lucky Brands get to the digital markets, to Blackhawk Systems
Group, an early player in the SIEM/SOC/MSSP space. Blackhawk and its partners aggressively
People Are The Crown Jewels
Anne Leslie, Cloud Risk and Controls Leader Europe at
IBM Cloud for Financial Services
Anne Leslie is Cloud Risk and Controls
Leader Europe at IBM Cloud for Financial
Services where she focuses on supporting
financial institutions to securely accelerate
their journey to the cloud and transform
their cybersecurity operations to adapt to a
hybrid multi-cloud reality. An accomplished
public speaker, Anne is a passionate
advocate for upskilling initiatives related to
cyber talent transformation and applying
human-centered approaches to some of
the most wicked problems facing
cybersecurity practitioners. Irish by nature
and French by design, Anne lives happily
with her three children in Paris, France
which has been her home now for over
twenty years.
In the context of cybersecurity, people are
frequently referred to as an organization’s
biggest vulnerability. And while there is an
element of truth to that assertion, it is a
framing that negates the hugely positive
impact that harnessing human energy,
engagement, and commitment can have
on an enterprise cybersecurity program.
The truth is that, with the right
enablement and environment, people
will naturally want to contribute
because as humans we are motivated
by being of service and united in
something that is bigger than
ourselves.
Cybersecurity professionals are often
characterized by an innate drive to
protect. To many practitioners,
information security is much more than
a job; it's a cause they want to defend.
The most progressive organizations are
exploring how to leverage human-centred
methods, such as design thinking, as a
way of identifying how to design security
programs that channel the best of what
makes us human and complement these
capabilities with processes and tooling
that augments people’s skills instead of
hindering them. Such an approach
involves interacting with cybersecurity
practitioners and enquiring of them, “How
might we go about making your day go
better? How could we go about allowing
you to have more impact? What might
we be able to do to take obstacles out
of your way?”
Again, these are seemingly simple
questions. However, rare are the
organizations where such questions get
asked and where the answers are
genuinely acted upon. While many
cybersecurity professionals start out in
their careers with a powerful desire to
serve and defend, the weight of
Scott D. Foote
Managing Director at Phenomenati Consulting
Introducing Risk Level Agreements™ (RLA) for the C-suite and the Board

To facilitate discussions between executive teams and their boards, Phenomenati has created the concept of Risk Level Agreements™ (RLAs) (www.risklevelagreements.com), which concretely document an organization’s strategic Risk Profile and the decisions made regarding how those Risks will or will not be addressed.

Phenomenati refers to these as “agreements” because they codify the shared awareness, assessment, negotiation, and decisions between the organization’s leadership and its infrastructure providers (both internal and external), with respect to the balance of benefits, costs, and Risks in any aspect of the business.

The RLA then becomes a formal business record, persisting the context and tradeoffs of critical business decisions across changes in the organization, until such time as any decision needs to be revisited.

Typically, development of RLAs will include a series of quarterly Executive team meetings that employ high-level Risk Scenarios to support cross-functional, collaborative decision making regarding whether the leadership team will Accept, Reject, Mitigate, and/or Transfer each identified strategic Risk.

While these RLAs greatly improve strategic level planning and reporting, they also provide very clear corporate records which concretely demonstrate the Due Diligence and Due Care applied to the organization’s overall Risk Management efforts.

An RLA documents the organization’s Risk Tolerance, Risk Scenarios, Inherent Risk, Recommended Controls to mitigate risk, Risk Mitigation Decisions, and remaining Residual Risk that is either accepted, transferred, or avoided.

Risk Tolerance ("Appetite")
Each Phenomenati RLA begins by documenting the organization’s current benchmark for Risk Tolerance. The U.K.’s Institute of Risk Management defines Risk Tolerance or Appetite as “the amount and type of risk that an organization is willing to take in order to meet their strategic objectives”.

A qualitative approach to characterizing an organization’s Risk Tolerance/Appetite might use a subjective spectrum from “Risk Averse” to “Risk Neutral” to “Risk Seeking”.

A quantitative approach to characterizing an organization’s Risk Tolerance/Appetite might use an objective, numerical threshold to describe specific levels of acceptable loss (e.g., % of revenue lost). In practice, most organizations find that their Risk Tolerance is situationally dependent upon the circumstances of each specific Risk Scenario that has been identified, so a single “threshold” value is often impractical.

Risk Scenarios
Any serious discussion about “Risk” must transform abstract concepts into concrete expressions using concepts such as the “Risk Scenarios” mentioned above. A “Risk Scenario” begins with identifying a specific Threat that is directly relevant to specific Assets of the organization (e.g., business systems or business information). Discussion of Threats should include the Likelihood or anticipated frequency of each Threat materializing.
e.g., a threat actor attempts to steal customer records 4-5 times per year.

Next, across the organization, any Vulnerabilities relevant to that Threat are identified. This should include the Severity of the Vulnerability.
e.g., use of single-factor authentication [weak passwords] on accounts with bulk access to customer records.

Finally, the potential Impact of specific Threats exploiting specific Vulnerabilities is characterized in terms of Consequences to the business (e.g., potential losses). These Consequences should be assessed both qualitatively and quantitatively.
e.g., a possible $xM in regulatory fines, a potential 20% loss of customers, and a potential 35% drop in revenues due to reputation damage.

To effectively characterize each Risk in terms of numeric “amounts”, Phenomenati applies conventional Risk Assessment discipline, including both Qualitative and Quantitative assessment of each Risk Scenario that has been identified. Deeper explanation of Risk Assessment techniques is a topic for another article.
Example “Risk Scenario” (one row of the Risk Register). Qualitative Assessment columns: ID, Risk Type, Threat (Metric), Vulnerability (Metric), Consequences (Metric), Risk Level 0 - 25. Quantitative Assessment columns: SLE, ARO, Annualized Loss Expectancy (SLE x ARO = ALE).

R0001
Risk Type: Legal, Reputational (Cyber)
Threat: Criminal Theft / Extortion (Metric: 5)
Vulnerability: Need to improve Data Loss Prevention. Do not adhere to Least Privilege principle. Need to improve Segregation of Duties. End-point Protection on cloud assets. Monitoring & Detection on cloud assets not well integrated into Security Ops (Sophos 24x7 SOC service). Need to review the protections on DevOps pipeline. (Metric: 4)
Consequences: First Party Privacy Breach - Loss of Client Confidential material (Metric: 5)
Risk Level (0 - 25): 22.5
SLE: $4,000,000; ARO: 0.25; ALE: $1,000,000

Figure 1 - Example “Risk Scenario”
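The arithmetic behind the Register's columns, worked as an added example (this is not Phenomenati's tooling or the article's own code). The rows are transcribed from the article's Figures 1 and 2; SLE x ARO = ALE comes from the figure header, while the 0-25 Risk Level formula (the mean of the Threat and Vulnerability metrics, multiplied by the Consequences metric) is an assumption chosen because it reproduces every Risk Level value the figures show. The tolerance score of 20 is likewise an assumed value.

```python
# Added worked example, not Phenomenati's own tooling: scoring the Risk Register
# rows transcribed from Figures 1 and 2. The 0-25 Risk Level formula below is an
# assumption (Likelihood = mean of Threat and Vulnerability metrics, times the
# Consequences metric); it reproduces every Risk Level value shown in the figures.
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    id: str
    threat: str
    threat_metric: int         # anticipated frequency of the Threat, 1-5
    vulnerability_metric: int  # Severity of the Vulnerability, 1-5
    consequence_metric: int    # business Impact of the Consequences, 1-5
    sle: float                 # Single Loss Expectancy, USD
    aro: float                 # Annualized Rate of Occurrence


# Rows transcribed from the article's example Risk Register (Figure 2).
REGISTER = [
    RiskScenario("R0001", "Criminal Theft / Extortion", 5, 4, 5, 4_000_000, 0.25),
    RiskScenario("R0002", "Ransomware", 5, 4, 5, 2_000_000, 0.5),
    RiskScenario("R0003", "Compromise of Service / malicious software in SaaS", 4, 5, 5, 5_000_000, 0.2),
    RiskScenario("R0011", "High Expectations of Security & Privacy from Prospects", 5, 4, 4, 1_000_000, 4),
    RiskScenario("R0004", "Insider Threat", 3, 4, 5, 4_000_000, 0.5),
]


def likelihood(s: RiskScenario) -> float:
    """Qualitative Likelihood: assumed to be the mean of the Threat and Vulnerability metrics."""
    return (s.threat_metric + s.vulnerability_metric) / 2


def qualitative_score(s: RiskScenario) -> float:
    """Risk Level on the 0-25 scale: Likelihood x Impact, i.e. the Risk Matrix cell value."""
    return likelihood(s) * s.consequence_metric


def ale(s: RiskScenario) -> float:
    """Annualized Loss Expectancy: SLE x ARO, as in the Register's column header."""
    return s.sle * s.aro


def aggregate_risk(register) -> float:
    """'Current Aggregate Risk' shown under the Risk Matrix: the sum of all ALEs."""
    return sum(ale(s) for s in register)


def prioritize(register) -> list:
    """Order Risk Scenarios by qualitative score, then by ALE, highest first."""
    ranked = sorted(register, key=lambda s: (qualitative_score(s), ale(s)), reverse=True)
    return [s.id for s in ranked]


def above_tolerance(register, tolerance_score: float) -> list:
    """IDs whose Inherent Risk lands at or above an assumed Risk Tolerance threshold (0-25 scale)."""
    return [s.id for s in register if qualitative_score(s) >= tolerance_score]


if __name__ == "__main__":
    for s in REGISTER:
        print(f"{s.id}: score={qualitative_score(s):>5}  ALE=${ale(s):,.0f}")
    print("Priority order:", prioritize(REGISTER))
    print(f"Aggregate risk of the five transcribed rows: ${aggregate_risk(REGISTER):,.0f}")
    print("At or above tolerance score 20:", above_tolerance(REGISTER, 20))
```

The five transcribed rows sum to $9,000,000 of annualized loss; the $10,940,000 shown under the article's Risk Matrix sums all twenty rows of the full Register, fifteen of which are not reproduced on the page.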
The example “Risk Register” in the
diagram below includes a short set of
example Risk Scenarios (rows) where each
has been Qualitatively and Quantitatively
assessed.
Those aggregate Risk “scores” appear in
columns to the right, and are used to
prioritize the overall list of Risks as well
as inform subsequent Business Cases
(e.g., Cost-Benefit Analyses) regarding
investment in additional Controls.
Inherent Risk
Inherent Risk is traditionally thought of as
the “untreated” risk in a process or
activity. Meaning nothing has been done
to either reduce the “likelihood”, or
mitigate the “impact”, of potential
threats. In Phenomenati’s RLAs, the
Inherent Risk is captured as the collection
of potential Consequences from the Risk
Scenarios that have been identified.
Effective methods for communicating the
set of “Inherent Risks” to an organization
include: a tabular “Risk Register”, and/or a
simple “Risk Matrix” diagram.
Risk Landscape (Risk Matrix diagram; axes Likelihood and Impact, each 1-5; cell value = Likelihood x Impact):
5 | 5 10 15 20 25
4 | 4  8 12 16 20
3 | 3  6  9 12 15
2 | 2  4  6  8 10
1 | 1  2  3  4  5
    1  2  3  4  5
Plotted Risk Scenarios (ACTUAL): R0001 through R0020
Current Aggregate Risk: $10,940,000
The very familiar example of a “Risk
Matrix” in the diagram above illustrates
how the Qualitative scores for each of the
Risk Scenarios from the Risk Register can
be plotted along the traditional attributes
of “Likelihood” and “Impact”. Risks to the
upper right of the risk matrix (in the
yellow, orange, or red cells) are typically
considered to have Inherent Risk that is
above the organization’s Risk Tolerance.
Below the matrix, the “Current Aggregate
Risk” sums up the Quantitative monetary
values of the current Risk Scenarios from
the Register. Presenting this value along
with the traditional Risk Matrix has proven
to be a powerful catalyst for discussion
among Executive Leadership teams, as
well as with Boards.
Example “Risk Register”. Risk Levels / Qualitative Assessment columns: ID, Risk Type, Threat (Metric), Vulnerability (Metric), Consequences (Metric), Risk Level 0 - 25. Quantitative Assessment columns: SLE, ARO, Annualized Loss Expectancy (SLE x ARO = ALE).

R0001
Risk Type: Legal, Reputational (Cyber)
Threat: Criminal Theft / Extortion (Metric: 5)
Vulnerability: Need to improve Data Loss Prevention. Do not adhere to Least Privilege principle. Need to improve Segregation of Duties. End-point Protection on cloud assets. Monitoring & Detection on cloud assets not well integrated into Security Ops (Sophos 24x7 SOC service). Need to review the protections on DevOps pipeline. (Metric: 4)
Consequences: First Party Privacy Breach - Loss of Client Confidential material (Metric: 5)
Risk Level (0 - 25): 22.5
SLE: $4,000,000; ARO: 0.25; ALE: $1,000,000

R0002
Risk Type: Operational, Legal, Reputational (Cyber)
Threat: Ransomware (Metric: 5)
Vulnerability: Need to improve Data Loss Prevention. Do not adhere to Least Privilege principle. Need to improve Segregation of Duties. End-point Protection on cloud assets. Monitoring & Detection on cloud assets not well integrated into Security Ops (Sophos 24x7 SOC service). Need to review the protections on DevOps pipeline. (Metric: 4)
Consequences: Loss of Availability of the SaaS platform leads to Reputation damage (loss of Trust, Credibility) and Lost Business (clients, revenue) (Metric: 5)
Risk Level (0 - 25): 22.5
SLE: $2,000,000; ARO: 0.5; ALE: $1,000,000

R0003
Risk Type: Operational, Legal, Reputational (Cyber)
Threat: Compromise of Service, Injection of Malicious Software into the SaaS offering (Metric: 4)
Vulnerability: End-point Protection on cloud assets. Need to review protections on DevOps pipeline. Need to expand/improve Application Security Testing (AST) (e.g., scanning of all sw dependencies). (Metric: 5)
Consequences: Loss of Integrity in SaaS Infrastructure leads to loss of either Client or Company Intellectual Property (IP), damages valuation. (Metric: 5)
Risk Level (0 - 25): 22.5
SLE: $5,000,000; ARO: 0.2; ALE: $1,000,000

R0011
Risk Type: Legal, Reputational (Cyber)
Threat: High Expectations of Security & Privacy from Prospects (Metric: 5)
Vulnerability: Overall Information Security & Privacy Program has not yet been certified. (Metric: 4)
Consequences: Lost revenue opportunities. Losses to valuation in financing rounds. (Metric: 4)
Risk Level (0 - 25): 18
SLE: $1,000,000; ARO: 4; ALE: $4,000,000

R0004
Risk Type: Operational, Legal, Reputational (Cyber)
Threat: Insider Threat (Metric: 3)
Vulnerability: Administrative Controls need improvement: e.g., background checks for privileged staff w/ "Need to Know"; more specific policies on Data Classification, Access Control, Data Handling, Data Retention; add'l NDAs; special access training; team experienced with Insider Threat Investigations. Technical Controls need improvement: Need to improve Data Loss Prevention. e.g. No monitoring of Annotators while in system. e.g. No monitoring of engineering and operations staff w/ full privileged access. e.g., No UAM/UBA platform to tune/monitor User Behavior effectively. Physical Controls TBD. (Metric: 4)
Consequences: Loss of Client Confidential intellectual property leads to Reputation damage (loss of Trust, Credibility) and Lost Business (clients, revenue) (Metric: 5)
Risk Level (0 - 25): 17.5
SLE: $4,000,000; ARO: 0.5; ALE: $2,000,000

Figure 2 - Example “Risk Register”
Recommended Controls
For the highest priority Risk Scenarios, Controls (also called countermeasures) which may directly impact each scenario are enumerated and assessed for practicality. Some controls will attempt to reduce the Likelihood of a specific Threat exploiting a Vulnerability, e.g., use of 2FA for privileged accounts. Some controls will attempt to reduce the Impact of a possible compromise, e.g., use of backups or replication, or obfuscation/tokenization of customer information. Each Control is assessed for practicality based upon Benefits (e.g., reduction in Likelihood or Impact to reduce the Risk), related Costs, and any additional Risk that use of the Control may introduce.
For each Risk Scenario, Phenomenati’s RLA captures the current inventory of Recommended
Controls using a simple table called a “Control Matrix”. The example in the diagram above
illustrates how Controls might be proposed and communicated to a non-technical audience, in
support of an RLA discussion, for the common Risk Scenario of “Insider Threat” (InT). Note that
each Control is placed in the matrix based upon the Control Type (Administrative, Physical, or
Technical) and the Control Objective (Preventative, Detective, or Corrective). The total Costs of
the recommended Controls are estimated and then added to the evolving Risk Register (see
the diagram below) to support the Cost-Benefit Analysis of the proposed investment (ref. the
far right columns). Simplistically, quantitative reductions in Risk that outweigh the associated
Cost of additional Controls are considered a good investment. A deeper discussion of this
Cost-Benefit Analysis is out of scope for this article.
Figure 4 - Example “Control Matrix”
Example “Risk Register” including simple Cost-Benefit Analysis. The Qualitative Assessment and Quantitative Assessment columns are those of Figure 2; the added Controls columns give the annualized cost of the recommended Administrative, Physical and Technical Controls and their total (Annualized Cost), and the Cost/Benefit Analysis column gives the ratio of ALE to Annualized Cost.

R0001 (Criminal Theft / Extortion; ALE $1,000,000)
Controls: Administrative $100,000; Physical $ -; Technical $100,000; Annualized Cost $200,000
Cost/Benefit: 5.00

R0002 (Ransomware; ALE $1,000,000)
Controls: Administrative $100,000; Physical $ -; Technical $300,000; Annualized Cost $400,000
Cost/Benefit: 2.50

R0003 (Compromise of Service, Injection of Malicious Software into the SaaS offering; ALE $1,000,000)
Controls: Administrative $100,000; Physical $ -; Technical $100,000; Annualized Cost $200,000
Cost/Benefit: 5.00

R0011 (High Expectations of Security & Privacy from Prospects; ALE $4,000,000)
Controls: Administrative $300,000; Physical $ -; Technical $500,000; Annualized Cost $800,000
Cost/Benefit: 5.00

R0004 (Insider Threat; ALE $2,000,000)
Controls: Administrative $100,000; Physical $ -; Technical $5,000,000; Annualized Cost $5,100,000
Cost/Benefit: 0.39

Figure 5 - Example “Risk Register” Including Simple Cost-Benefit Analysis
Risk Mitigation Decisions
Within the constraints of both Budget and Risk Tolerance, the Controls with the optimal Benefit/Cost/Risk balance are selected, recommended for implementation, and either approved or rejected by senior leadership. Based upon this due diligence, the leadership team will document their decisions on whether to Accept, Reject, Mitigate (through additional Controls), and/or Transfer (e.g., to insurance underwriters) the Inherent Risk within each of the Risk Scenarios that have been identified.

These decisions regarding investment in additional Controls, including the Residual Risks for each Risk Scenario, complete the organization’s Risk Level Agreements (RLA). The executive team (and board as appropriate) document their agreement regarding what investments will be made (or not), including what Residual Risk will be accepted (ref. the additional columns on the far right in the diagram below).

Residual Risk
Finally, any “Residual Risk” (those Risks remaining unaddressed) is clearly documented, often using the same Risk Register described above. The Residual Risk is then compared to the overall Risk Tolerance of the organization. Where Residual Risk still exceeds the organization’s Risk Tolerance, additional Risk Mitigations may be considered, or the Residual Risk should be explicitly Accepted or Transferred.
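The Cost/Benefit ratio of Figure 5 and the Accept/Mitigate/Transfer decisions that Figure 6 records, followed by the Residual Risk check against Risk Tolerance described above, worked as an added example (not Phenomenati's tooling or the article's own code). The ALE and Control cost figures are transcribed from Figure 5, with "$ -" read as zero; the greedy selection rule, the budget of $1,000,000, the mitigation-effectiveness factor of 0.8, the per-scenario tolerance of $1,000,000 and the leadership decisions in the usage section are all constructed for this example, since the article records decisions only as marks in the Register.

```python
# Added worked example, not Phenomenati's own tooling: the Cost/Benefit ratio of
# Figure 5, a budget-constrained choice of Controls, and the Residual Risk check
# against Risk Tolerance described in the text. Cost figures are transcribed from
# Figure 5; the greedy selection rule, the mitigation-effectiveness factor and the
# tolerance value are assumptions made for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class ScenarioCosts:
    id: str
    ale: float             # Annualized Loss Expectancy from the Risk Register
    administrative: float  # annualized cost of Administrative Controls
    physical: float        # annualized cost of Physical Controls
    technical: float       # annualized cost of Technical Controls

    @property
    def annualized_cost(self) -> float:
        return self.administrative + self.physical + self.technical

    @property
    def benefit_cost_ratio(self) -> float:
        """Figure 5's right-hand column: ALE divided by the annualized cost of the Controls."""
        return self.ale / self.annualized_cost


# Transcribed from Figure 5 ("$ -" read as zero).
REGISTER = [
    ScenarioCosts("R0001", 1_000_000, 100_000, 0, 100_000),
    ScenarioCosts("R0002", 1_000_000, 100_000, 0, 300_000),
    ScenarioCosts("R0003", 1_000_000, 100_000, 0, 100_000),
    ScenarioCosts("R0011", 4_000_000, 300_000, 0, 500_000),
    ScenarioCosts("R0004", 2_000_000, 100_000, 0, 5_000_000),
]


def select_controls(register, budget: float):
    """Assumed selection rule: fund Controls in descending benefit/cost order while the
    budget lasts, never funding a Control whose annual cost exceeds the ALE it addresses.
    Returns (funded scenario IDs, unspent budget)."""
    funded, remaining = [], budget
    for s in sorted(register, key=lambda s: s.benefit_cost_ratio, reverse=True):
        if s.benefit_cost_ratio >= 1.0 and s.annualized_cost <= remaining:
            funded.append(s.id)
            remaining -= s.annualized_cost
    return funded, remaining


def residual_risk(register, decisions: dict, mitigation_effectiveness: float = 0.8) -> dict:
    """Residual ALE per scenario after the recorded decision. Assumptions: a Mitigated
    scenario keeps (1 - effectiveness) of its ALE; Transferred and Avoided risk is no
    longer carried by the organization; Accepted risk is carried in full."""
    residual = {}
    for s in register:
        decision = decisions[s.id]
        if decision == "Accept":
            residual[s.id] = s.ale
        elif decision == "Mitigate":
            residual[s.id] = s.ale * (1 - mitigation_effectiveness)
        elif decision in ("Transfer", "Avoid"):
            residual[s.id] = 0.0
        else:
            raise ValueError(f"{s.id}: unknown decision {decision!r}")
    return residual


def exceeds_tolerance(residual: dict, tolerance_ale: float) -> list:
    """Scenarios whose Residual Risk still exceeds the organization's (assumed) Risk
    Tolerance, expressed as a maximum acceptable annualized loss per scenario."""
    return [sid for sid, r in residual.items() if r > tolerance_ale]


if __name__ == "__main__":
    for s in REGISTER:
        print(f"{s.id}: cost=${s.annualized_cost:,.0f} ALE=${s.ale:,.0f} ratio={s.benefit_cost_ratio:.2f}")
    funded, left = select_controls(REGISTER, budget=1_000_000)
    print("Funded within $1,000,000:", funded, f"(unspent ${left:,.0f})")
    # Constructed leadership decisions: mitigate what was funded plus R0011, accept R0004.
    decisions = {sid: "Mitigate" for sid in funded}
    decisions.update({"R0011": "Mitigate", "R0004": "Accept"})
    res = residual_risk(REGISTER, decisions)
    print("Still above a $1,000,000 per-scenario tolerance:", exceeds_tolerance(res, 1_000_000))
```

With these assumptions the Insider Threat scenario (R0004) is the one the greedy rule never funds: its Controls cost $5,100,000 a year against an ALE of $2,000,000, which is the 0.39 ratio in Figure 5. If leadership then Accepts it, its $2,000,000 residual remains above the assumed tolerance, which is exactly the case where the text says additional mitigation, or an explicit Accept or Transfer decision, must be recorded in the RLA.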
Example “Risk Register” including Executive Agreements. The Qualitative Assessment, Quantitative Assessment, Controls and Cost/Benefit Analysis columns are those of Figure 5; the added DECISIONS columns record the decision (Avoid, Accept, Mitigate, Transfer), the Authorities (CEO, COO, CSO, CTO, Product Eng, India GM) who signed, and the Dates (Decided, Last Reviewed, Next Review).

R0001 (Criminal Theft / Extortion; ALE $1,000,000; Annualized Cost $200,000; Cost/Benefit 5.00)
Decisions (Avoid Accept Mitigate Transfer): X X
Authorities: AB CD EF GH IJ KL MN
Dates: Decided 2022-02-01; Last Reviewed 2022-02-01; Next Review 2023-02-01

R0002 (Ransomware; ALE $1,000,000; Annualized Cost $400,000; Cost/Benefit 2.50)
Decisions (Avoid Accept Mitigate Transfer): X X
Authorities: AB CD EF GH IJ KL MN
Dates: Decided 2022-02-01; Last Reviewed 2022-02-01; Next Review 2023-02-01

R0003 (Compromise of Service, Injection of Malicious Software into the SaaS offering; ALE $1,000,000; Annualized Cost $200,000; Cost/Benefit 5.00)
Decisions (Avoid Accept Mitigate Transfer): X X
Authorities: AB CD EF GH IJ KL MN
Dates: Decided 2022-02-01; Last Reviewed 2022-02-01; Next Review 2023-02-01

R0011 (High Expectations of Security & Privacy from Prospects; ALE $4,000,000; Annualized Cost $800,000; Cost/Benefit 5.00)
Decisions (Avoid Accept Mitigate Transfer): X
Authorities: AB CD EF GH IJ KL MN
Dates: Decided 2023-02-01; Last Reviewed 2023-02-01; Next Review 2024-02-01

R0004 (Insider Threat; ALE $2,000,000; Annualized Cost $5,100,000; Cost/Benefit 0.39)
Decisions (Avoid Accept Mitigate Transfer): X X
Authorities: AB CD EF GH IJ KL MN
Dates: Decided 2022-02-01; Last Reviewed 2022-02-01; Next Review 2023-02-01

Figure 6 – Example “Risk Register” Including Executive Agreements

Our team at Phenomenati hope you find this concept of Risk Level Agreements to be as useful as we have in improving strategic level planning and reporting between your Executive Teams and your Boards.
About the Author:
CISO, CPO/DPO, Cybersecurity Executive, Board Advisor, CISSP, CCSA, CCSP, CISM, CDPSE, CIPM, CRISC, CISA, and currently a Managing Director with Phenomenati, Scott Foote is a globally recognized thought leader and subject matter expert with more than 35 years of technology leadership experience in cybersecurity and the broader software industry. Scott is an experienced cybersecurity executive, designing security and privacy into digital transformation initiatives for his clients. He has an acute ability to understand and map organizational needs to security models, architectures, solutions, and technologies.
“Cybersecurity, like life,
has the colours that you give it”
Stéphane NAPPO
“KNOW THYSELF”
The Ancient Greek aphorism "Know Thyself" (Greek: γνῶθι σεαυτόν, transliterated: gnōthi seauton; also ... σαυτόν … sauton with the ε contracted) is one of the Delphic maxims and was inscribed in the pronaos (forecourt) of the Temple of Apollo at Delphi according to the Greek writer Pausanias (10.24.1). The phrase was later expounded upon by the philosopher Socrates, who taught that “The unexamined life is not worth living”.
An unexamined business transformation strategy is not worth implementing. To facilitate and maintain the confidentiality, integrity, and availability of data and business operations, consider creating roadmaps to digital transformation and designing a reliable system in which your security strategy is a part of your digital transformation strategy. People are an imperative part of the system.

In essence, automation should NEVER create a function. To preserve corporate identity and user/customer experience, automation must be driven by a clear functional need and relevant compliance knowledge. For automation (just a tool) to provide global vision, monitoring, interoperability, traceability, orchestration and steering features, a NEW holistic and strategic vision is required.

As truly successful business decision-making relies on a balance between deliberate and instinctive thinking, so successful digital transformation relies on the interconnectedness and interdependence of state-of-the-art technologies. In information and cyber security, identifying adversaries, finding unknown security vulnerabilities, reducing cyber risks and envisioning the potential future threat landscape are crucial. Understanding, developing and cultivating remarkable resilience is vital. Have in place an ever-evolving cyber resilience blueprint. Arm your business in the face of future cyber threats. Mind the systemic nature of the cyber threat landscape. 'Know thyself' to increase your cyber-resilience. Strive to inform and educate. Education has always been a profit-enabler for individuals and the corporation. Education, in both conception and delivery, must evolve quickly and radically to keep pace with the digital transition. Education is a part of the digital equation.
Ten Recommendations for Cyber Resilience Strategy:
Identify, Protect, Detect, Respond and Recover (the NIST CSF domains for managing cyber threats) remain fundamental steps; then the race is on. It is therefore crucial for an organisation to adhere to these ten recommendations while aiming for a high level of cyber resilience:
• Align information and security strategy with business digital transformation strategy.
• Adopt a comprehensive cyber risk management attitude.
• Identify the most critical information and assets.
• Find and manage vulnerabilities.
• Reduce cyber risks in projects and production.
By Stéphane Nappo
TOP CYBER NEWS MAGAZINE
Human Centered Communication Of Technology, Innovation, and Cybersecurity
AN AWARD-WINNING DIGITAL MAGAZINE
ABOUT PEOPLE, BY PEOPLE, FOR PEOPLE
Ludmila Morozova-Buss
Editor-In-Chief
Doctoral Student
Capitol Technology University
Spectral efficient network and resource selection model in 5G networks
Mobile App Security Testing_ A Comprehensive Guide.pdf
Univ-Connecticut-ChatGPT-Presentaion.pdf
A comparative analysis of optical character recognition models for extracting...
Accuracy of neural networks in brain wave diagnosis of schizophrenia
Advanced methodologies resolving dimensionality complications for autism neur...
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...

Stephane Nappo. Top Cyber News MAGAZINE January 2023

  • 4. Innovation in Cybersecurity. Dr. Rudy SNIPPE, Netherlands

    During a conference where I was talking about innovation, I was approached during the break by a man who introduced himself as Henry. ‘May I ask you something’, Henry asked, and went straight on without waiting for my response. ‘In your presentation you stated that language is an important barrier for innovation, but also an important tool. Can you explain this to me again?’ Despite his somewhat rude appearance, Henry seemed like a nice guy, so I replied:

    Wow, this is quite a broad question for a short break. Language is, of course, only the first problem organizations face in development & innovation. The way in which organizations are structured is an even bigger problem, but language also plays a role here. I won't make it too complicated. Let's do a short experiment. ‘When you think of the word ‘secure’ from your history, what do you think of?’

    Henry looked a little suspicious and said: ‘On trenches, a suit of armour, defensive walls, something impenetrable.’

    “Do you see any of this thinking in the approach to cybersecurity?”, I asked. Henry smiled. “Secure contains cure”, I continued. “Suppose you invent a system that heals very quickly after an attack? Or imagine that the concept of secure does not consist of defending and protecting, but that you can continue to do what you were doing? The (re)definition of concepts is key in development and innovation. You should always ask yourself what effect you want to cause and try to put this into words as well as possible.”

    ‘I work in cybersecurity development’, Henry said. ‘As you know, cybersecurity is comprehensive and complex. That is why we work with highly developed experts who really know what they are doing. Can these experts also give an impulse to development and innovation in our company through language?’

    “We think in language and through language we create our own world of thought. The language in which we think, and our own world of thought, have acquired meaning in our past. That's fine until we want to develop something new and keep thinking in a language from the past. In addition, everyone has a different past and thus gives a different meaning to language and ideas. In order to innovate or develop, we must therefore look for new meanings, perhaps even for new words.”

    Henry, lost in thought, said ‘goodbye’. We walked back to the conference room.

    Dr. Rudy Snippe is the Founder of the FASS Theory (Strategy & Leadership / Complex Social Systems). Founder, Chief Executive Officer, Partner of Stocastic. World-Strategic Innovation Dynamics platform. Thesis Research Supervisor (MSc) at Nyenrode Business University.
  • 5. Stéphane NAPPO, France. Vice President, Cybersecurity Director & Global Chief Information Security Officer at Groupe SEB – global market leader in the small household equipment sector, including prestigious brands: Krups, Rowenta, Tefal, Supor, WMF, Emsa, Calor, Moulinex… and present in 150 countries.

    Stéphane Nappo is an internationally recognized cybersecurity leader and a senior-level cybersecurity executive with over twenty-five years' worth of experience in international finance, banking, digital services, and industry. Previously: Global Chief Information Security Officer at Société Générale International Banking and Financial Services (responsible for cybersecurity of 40 major banks in 67 countries); Group Information Security Officer at OVHCloud – European leader in cloud computing, with a presence in 138 countries; Head of Cybersecurity Consulting dept. for Banking & Finance at VINCI – world leader in concessions, energy, and construction, in 120 countries.

    Throughout his career, Stéphane has taught, trained, and worked with hundreds of talented cybersecurity professionals. Named Global CISO of the Year and awarded the European Excellence Trophy in Digital Security in 2018, Stéphane Nappo was chosen as a Global Security Executive Influencer by the prestigious IFSEC Global, and ranked among the Top Five Influential French IT & Cybersecurity experts by FORBES for the year 2021. Actively supporting diversity and Women in Cyber, Mr. Nappo was named Ally of the Year 2021 by the United Cybersecurity Alliance USA. Passionate about innovation and business digital protection, his leadership skills have been recognized throughout the world. His articles and renowned
  • 6. By Stéphane Nappo

    >> Everything is a risk, nothing is a risk… the dose makes the risk

    A risk generally results from an unwanted outcome or negative consequence. When it comes to cybersecurity, a risk usually relates to the potential for a cyber attack or data breach to occur, which could result in financial loss, reputational damage, or other negative impacts. As zero risk does not exist, and all actions and decisions can lead to negative consequences, it is possible to state that “everything is a risk”. However, as risk sensitivity and appetite can vary from one organization to another, and the risk level can also vary greatly depending on the specific situation, context or duration, it is possible to state that “the dose makes the risk”. It means the likelihood and potential impact of an unwanted outcome are closely related to the level of exposure, vulnerability, and tolerance of the target to that risk. A higher level of exposure, vulnerability, or business intolerance to a risk will generally result in a higher likelihood and stronger impact of an unwanted outcome on the resilience capacity.

    >> Seeking for simplicity

    Cybersecurity complexity is skyrocketing, led by new business models, new technologies, and the ever-evolving threat landscape. Literally overwhelming the current cybersecurity model, at the very moment we need it, this trend has four main drivers: technology changes, regulatory strengthening, operational transformation, and cyber threat sophistication. In this context, simplifying cybersecurity is a necessity to help organizations better protect sensitive information, manage their digital ecosystem, comply with regulations, and reduce evolution costs. It can also make it easier for employees and contractors to apply security practices. However, rethinking cybersecurity requires a comprehensive cultural and strategic approach that goes far beyond the sole IT dimension. To succeed, we have to accept that the solution does not lie in more technology, but in cybersecurity philosophy re-engineering.

    >> To secure or not to secure… That is the response, not the question!

    Cybersecurity is first of all a response, both proactive and reactive, to the constantly sophisticating digital threat and the need for resilience. It usually relates to the protection of digital systems, data, and users from unauthorized access, disclosure, use, modification, disruption or destruction. To secure or not is a decision that must be driven by business stakes, situation and the potential consequences.

    “The evident non-tech basics are […] to do to keep pace with threats and digital evolution”
  • 7. By Stéphane Nappo

    >> Cybersecurity must be considered a business value, rather than a balance due

    Nowadays, cybersecurity must be considered by businesses as a value, rather than a fate or solely a cost center. Whether it comes to IT, OT, IoT, or online services, cybersecurity can enhance an organization’s reputation and customer trust, which can be beneficial for business growth, company valuation, and long-term success. It is not only a way to protect from negative events, but also to enhance overall performance and reputation. Conversely, given the level of cyber attacks and the severity of their impact, simply waiting and seeing, or reacting to incidents after they happen, has for long no longer been a profitable approach. Overall, the situation today highlights the importance for organizations to promptly adopt a comprehensive cybersecurity approach, which may be positively driven by business ambition, risk management, […]

    >> Cybersecurity is much more than a matter of IT…

    It encompasses a wide range of topics, including technology, processes, regulations, geopolitics, and human behavior. Effective cybersecurity requires a holistic approach that takes into account the various factors that contribute to an organization's overall security posture, including its interactions with its business strategy and its ecosystem. Cybersecurity is, therefore, truly a matter of resilience.

    Risk management is the process of identifying, assessing, and prioritizing the risks to an organization or individual and then taking steps to mitigate or accept those risks. The goal of risk management is to find a balance between the cost and effort of mitigating a risk and the potential negative impact of the risk if it were to occur. Ultimately, the decision to secure should be based on a balance of risk, business ambitions, and costs, in the aim to effectively identify, protect, detect, and especially “respond to” and “recover from” a cyber attack.

    >> One of the main cyber risks is to think they don’t exist. The other is to try to treat all potential risks…

    Picking battles according to emergencies, demands, or audits can be risky. It may lead to hasty or ill-informed decisions. It can also result in resources being directed away from important or long-term issues. It is important to consider the potential risk-driven consequences and prioritize accordingly.

    “Fix the basics, protect first what matters for
  • 8. Cybersecurity is Critical for Sustainability. Cristina Dolan, Global Head of Alliances, NetWitness

    Cybersecurity is the most immediate, financially material sustainability and ESG risk that organizations face today. It has been weaponized by nation states, and it has become an invisible high-stakes battlefield. Covert operations can be carried out without the risk of physical retaliation, making cyber attacks an attractive option for countries to use as a means of projecting power and influence. In addition, cybercrime has become a highly profitable and growing component of GDP for some nation states, while the chances of hackers being caught are extremely low. According to the World Economic Forum 2020 Global Risk, only 0.05% of crimes are detected and prosecuted. In addition, the reporting of cybercrimes remains low, making it hard to assess how big cyber risk has become across every aspect of the connected world we live in today.

    As a human-created risk, it seems logical that cyber risk should also be a manageable risk compared to natural disasters, and yet the entrepreneurial nature of motivated hackers requires a more proactive approach to protect connected organizations. The internet connectivity, data and distributed systems that power enterprises have become an integral part of modern society. Distributed workforces utilizing a variety of personal devices across corporate networks make managing corporate networks more challenging than ever. Regulators across the globe are enforcing the reporting of cybercrimes and breaches by passing new laws that impose financial fines to encourage timely disclosures and active defense and management of corporate networks. The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance, while

    Sustainability and ESG have become popular topics for investors, and yet most investors lack the visibility or understanding of cyber risk. Regulatory requirements for public companies are increasing. Corporate directors are now expected to understand cyber risks in the context of corporate sustainability. The disclosure of management practices, controls, audits, and policies will be required in financial reports and regulatory filings.

    “Will 2023 be the year where cybersecurity risk is finally viewed by investors, executives and leaders and the

    Cristina Dolan, Global Head of Alliances, NetWitness and co-author of Transparency in ESG and the Circular Economy: Capturing Opportunities Through Data
  • 9. The Swarm Cybersecurity: a way to repurpose & strengthen resilience? By Stéphane Nappo

    Frequently associated too exclusively with the subjective value of trust, cybersecurity is mainly a response to the need for resilience and digital development of nation states, organizations, businesses, and individuals. In this respect, far from being a balance due, cybersecurity is a pillar for the creation of value and sustainability.

    A cybersecurity practitioner for more than 25 years, I have profound respect for peers and professional practices in this very challenging discipline. However, I strongly believe that cybersecurity and resilience paradigms have to evolve in shape and strategy to keep pace with the threats’ Darwinian evolution and the fact that they are boxing with no rules.

    The traditional security approach aims, in most cases, to rely in fine on a central authority or system to manage and coordinate the defense against threats. Increasingly eroded by the digital transformation and the constant threat evolution, this traditional model leads to two growing major challenges:

    1. if the central authority or system is compromised, the entire security system can be defeated;
    2. this traditional model can hardly deal with information systems opening to third parties, SaaS, Cloud, and outsourcing trends that impact Business, IT, and Security activities.

    After decades of a pure competition-based model for companies’ and individuals' development, “togetherness as a pack” is a real cultural challenge to address for cybersecurity. In parallel, the (outdated) vision of cybersecurity as a taboo still makes many actors reluctant to “unite to defend”. Over and above that, the inability to act as a swarm is also the weakness used by cyber threats to attack their prey one by one.

    Of course, the interest of communities is not new; nevertheless the swarm model aims to share action (detection, reaction, recovery…), far beyond only sharing information. To act as a pack increases synergies and can leverage a lot of efficiency, relying on the "less is more" model for real. Finally, the swarm must strengthen a “versatile, organic and modular” cybersecurity swarm, with attention not to create new systemic risks.
  • 10. By Stéphane Nappo

    The swarm cybersecurity notion refers to the use of a large number of elements (tools, people, processes) or other "swarms" to provide enhanced security for a network or system. These elements can be anything from IT with computers, servers and networks, to OT with industrial robots and specifics, IoT devices such as connected products, security cameras or smart thermostats, as well as teams and experts. The idea behind swarm cybersecurity is to create a decentralized network of means that can work together to detect and respond to security threats. As an adjunct to current practices, Swarm Cybersecurity is one interesting approach to consider and drill down into; it aims to address these challenges by using a decentralized network of interconnected organizations or devices to defend against threats.

    One key advantage of using a swarm approach to cybersecurity is that it can be highly scalable and consistent with today's outsourced and delegated digital ecosystem. As the number of devices in the information systems increases, the detection/reaction capacity of the swarm also increases. Additionally, because the swarm elements are decentralized, it can be more difficult for an attacker to target a specific device or compromise the security of the entire system.

    Another benefit of swarm cybersecurity is that it can be more adaptable and responsive to fast-evolving threats. Because the devices in the swarm can communicate and coordinate with one another, they can share information about potential threats and work together to respond to them in real time. This can be especially useful in detecting and responding to sophisticated cyber attacks that may be able to evade traditional security measures.

    As usual, the first challenge is to support the idea that it can be possible to achieve more with many existing things. (I can hear now some: “there is nothing new in this”, “and so what!?”, … ;-) When in doubt, do remember that cyber attackers are significantly ahead regarding swarm ecosystems. Crime as a service, dark marketplaces, botnets… are effective demonstrations of their ability to federate self-organized and heterogeneous systems to converge toward a collective purpose, with an adaptive resilience to deal with technology evolutions and fight-back methods. If they can do it for offence, so can we for defense.

    Overall, the goal of swarm cybersecurity is to create a network that is highly resilient to cyber threats, and able to quickly and effectively respond to any attacks that do occur.
  • 11. How to swarm. By Stéphane Nappo

    1. Think different, envision the whole value chain & its unity beyond boundaries or interoperability gaps:
       • Shift the scope from supply chain to end-to-end value chain, including third parties and outsourced services.
       • Encourage systems thinking. This discipline is helpful to quickly and efficiently encompass the cybersecurity needs.
    2. Adopt a swarm model wherever possible, starting from inside your organization:
       • Strengthen cybersecurity by design with a systematic first level of self-defense, alerting, or monitoring for each item (software, equipment, processes, projects, products…).
       • Implementing zero trust as well as SASE principles must be a systematic reflex and rule in your organization (configurations, access rights, administration levels…).
       • Break the silos when it comes to security, especially between IT, OT, IoT dimensions. And do remember, the first silo to remove is the false impression that a perimeter fence protection still exists.
       • Do remember, Swarm is not incompatible with segmentation. Quite the contrary!
    3. Unite, and aim to hyperconverge with your fellow beings:
       • Although you may think otherwise, this change is anyway underway. Your organization is hyperconnected, with Internet, digital business processes, and you share a lot of assets and stakes with the Cloud, SaaS, etc. Then, try to benefit from it. Share, share, share! Alerts, best practices, forces
    4. Define and enforce a set of coordinated “behaviors” to protect your fundamentals beyond your organization’s boundaries:
       • Investing in behaviors beyond IT systems is important. This can include communication protocols, do’s & don’ts, decision-making algorithms, trigger statuses, and detection, reaction, recovery techniques.
       • Additionally, you will need to develop a system for monitoring and controlling the swarm's proper functioning by parts and “as a whole”, such as a decentralized network.
    5. Secure at holistic AND individual levels, using “primal organic self-defense” principles:
       • Your enemy is increasingly automated, so defense must respond accordingly. Attacked by robots, we cannot fight back only with humans, SOCs, and computer mice.
       • The principle of primal organic self-defense is key. It must rely on simple but automated alerts, proactions and reactions. It must be coordinated, but also able to continue to act individually in case of isolation.

    Many things have yet to be thought through, refined and built. The AI is also working on the SWARM model, and I thought it was important to share this . . .
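As an added illustration of principles 2 and 5 above (first-level self-defense per item; coordinated, yet able to act alone when isolated) and of the first challenge of the central-authority model named on the previous page, the following constructed Python model is the editor's, not Mr. Nappo's or Top Cyber News' code. The node names a..e, the chain topology, the two thresholds and the sample indicator 203.0.113.7 are all assumptions chosen for the demonstration.

```python
"""Toy 'central authority' versus 'swarm' defence model (constructed example, not the magazine's)."""
from collections import deque
from dataclasses import dataclass, field

LOCAL_THRESHOLD = 3   # first-level self-defence: block after this many local sightings
PEER_VOTES = 2        # collective rule: block once this many distinct peers flagged it
INDICATOR = "203.0.113.7"   # constructed sample source address (documentation range)


@dataclass
class Node:
    name: str
    peers: set                 # names of nodes this node can reach directly
    alive: bool = True         # False = compromised or offline (does not relay)
    local_seen: dict = field(default_factory=dict)   # indicator -> local sightings
    votes: dict = field(default_factory=dict)        # indicator -> peers that flagged it
    blocked: set = field(default_factory=set)


class CentralModel:
    """Traditional model: nodes only report; one coordinator decides for all."""

    def __init__(self, node_names, coordinator_alive=True):
        self.nodes = {n: Node(n, set()) for n in node_names}
        self.coordinator_alive = coordinator_alive
        self.reports = {}

    def observe(self, node_name, indicator):
        if not self.coordinator_alive:
            return  # coordinator compromised: no node defends itself (challenge 1)
        self.reports[indicator] = self.reports.get(indicator, 0) + 1
        if self.reports[indicator] >= LOCAL_THRESHOLD:
            for node in self.nodes.values():
                node.blocked.add(indicator)


class Swarm:
    """Swarm model: each node defends itself first, then gossips to reachable peers."""

    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}

    def observe(self, node_name, indicator):
        node = self.nodes[node_name]
        if not node.alive:
            return
        node.local_seen[indicator] = node.local_seen.get(indicator, 0) + 1
        if node.local_seen[indicator] >= LOCAL_THRESHOLD and indicator not in node.blocked:
            node.blocked.add(indicator)   # primal self-defence: acts alone, no coordinator
            self._gossip(node_name, indicator)

    def _gossip(self, origin, indicator):
        # Flood the alert over live links only; an isolated node simply never hears it.
        seen, queue = {origin}, deque([origin])
        while queue:
            current = queue.popleft()
            for peer_name in self.nodes[current].peers:
                peer = self.nodes.get(peer_name)
                if peer is None or not peer.alive or peer_name in seen:
                    continue
                seen.add(peer_name)
                queue.append(peer_name)
                peer.votes.setdefault(indicator, set()).add(origin)
                if len(peer.votes[indicator]) >= PEER_VOTES:
                    peer.blocked.add(indicator)   # collective decision, no local sighting needed

    def coverage(self, indicator):
        """Monitoring 'as a whole': share of live nodes that currently block the indicator."""
        live = [n for n in self.nodes.values() if n.alive]
        return sum(1 for n in live if indicator in n.blocked) / len(live) if live else 0.0


def build_swarm(dead=()):
    """Chain a-b-c-d plus an isolated node e (e.g. an OT device cut off from the network)."""
    links = {"a": {"b"}, "b": {"a", "c"}, "c": {"b", "d"}, "d": {"c"}, "e": set()}
    return Swarm([Node(name, peers, alive=name not in dead) for name, peers in links.items()])


def swarm_scenario(dead=()):
    """Attacker hits a, then d and e; returns blocking state after a, the final state, coverage."""
    swarm = build_swarm(dead)
    for _ in range(LOCAL_THRESHOLD):
        swarm.observe("a", INDICATOR)
    after_a = {n: INDICATOR in node.blocked for n, node in swarm.nodes.items()}
    for _ in range(LOCAL_THRESHOLD):
        swarm.observe("d", INDICATOR)
        swarm.observe("e", INDICATOR)
    final = {n: INDICATOR in node.blocked for n, node in swarm.nodes.items()}
    return after_a, final, swarm.coverage(INDICATOR)


def central_scenario(coordinator_alive):
    """Same attack against the central model; returns how many nodes end up blocking."""
    model = CentralModel("abcde", coordinator_alive)
    for name in "ade":
        for _ in range(LOCAL_THRESHOLD):
            model.observe(name, INDICATOR)
    return sum(INDICATOR in n.blocked for n in model.nodes.values())
```

With the coordinator down, the central model blocks nothing, while in the swarm the isolated node e still blocks on its own sightings and node b blocks without ever seeing the indicator locally; compromising b partitions the chain and the coverage figure drops, which is the kind of new systemic risk the text warns about.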
  • 13. In Search of Excellence - Talent, Made in France. Interview conducted by Isabel María Gómez, Global Chief Information Security Officer. Madrid, Spain

    Stéphane Nappo is one of the main references when talking about Cybersecurity. With a career of more than 25 years in which he has successfully demonstrated that the best way to fight cybercriminal industrialization is the digital transformation of technological environments, he is also an international keynote speaker, author, PhD researcher and key opinion leader… He is always a leadership example of paying it forward. It is undeniable that people matter to him.

    I have been fortunate and honored to know him over the years. He is an excellent human being, a humanistic leader full of qualities who builds teams in high-performance environments where communication, flexibility and active listening are an axis capable of making everyone share a common vision: a purpose and a horizon to navigate towards together. Always at the forefront, he offers us an open and honest vision that goes beyond what we see, that makes us think outside the box, that invites us to grow as professionals and people, reaching every day our best version to offer it to our teams and collaborators without qualms.

    As a CISO, what I have always admired and what has always struck me about his vision is that he is not a slave to fads. In fact, innovation is the main axis of his decisions; he has always had excellent risk control and a proactivity focused on benefits that has led him to be a pioneer in the field of cybersecurity. Stéphane’s permanent desire to learn and protect makes a chat with him totally enriching.

    I hope and wish to offer a vision that allows all of us who once chose to dedicate ourselves with dedication to cybersecurity to discover a source and a reference that brings us light on sometimes unmarked paths, and that makes a CISO, during the fog, find a light that is a reference to bring the ship to a good port. What's next? Let's discover together “The Journey” and the new direction of cybersecurity for the coming years...

    Global Chief Information Security Officer Isabel María GÓMEZ has long-tested experience in security and information technologies, and in the course of her career has specialized in several areas related to security. Some of them are: Risk Management, Cybersecurity, Continuity and Resilience IT, Privacy, Compliance and Digital Transformation. She also has a widespread legal, regulatory, technical, and financial background that lets her manage and coordinate efficiently different legal and technical areas. Previously, Isabel has had various executive roles reporting directly to the CEO in information security in leading companies in their respective lines of business, such as Atento, SegurCaixa, Bankia, and Medtronic.
  • 14. “The Journey”

    [Isabel María Gómez] Cybersecurity is a vocational choice of delivery and service, there is no doubt. What was it that drove you to dedicate yourself to it?

    [Stéphane Nappo] Cybersecurity is not only a choice of career or a job, but a choice of a life and service spirit, that a few might want to live or experience. Often people ask me how and where I take time to live my life, to create a family, to build a house, plant a tree or a garden. In my thoughts. Then in reality. This is how I used to operate with my time, my strategic objectives, knowledge, and desires. Am I always right? No! Would I choose a different lifestyle? Maybe not. Did I give up on my job, my colleagues, my projects, companies who trusted me with cybersecurity and highly confidential business and personal issues? Never did. Never will. Like anyone these days, I am a digital citizen of our world. My peers, colleagues, friends and family can, and do, rely on my experience and expertise. I highly appreciate and treasure this trust. I build on this interest. I try every day to innovate, strategize and live this trust, that is in reality hope of opened hearts and connected minds for our lives. In this respect, global CISO is really a mission that I am proud of.
  • 15. [Isabel María Gómez] All of us who work in cybersecurity know that our day-to-day work is going to take place in a changing environment that requires a lot of “resilience”. We are always going to be far from a comfort zone. What are, in your opinion, the skills and virtues that have helped you the most throughout your career in cybersecurity?

    [Stéphane Nappo] Thank you for this question, Isabel. The truth is, we are all bounded, sometimes blinded by agreements, legal or personal, and motives, more often than we would wish for. The most difficult moments are those when we have no crisis situations; when our minds and our senses can and must have tranquility and serenity. The cybersecurity profession requires and expects the devoted professionals to ‘never log off’. Am I different? No. Do I or did I pay the price for my decades' ever-constant focus and never-resting senses? I did and I do have, like any hyper-committed professional, my fair share of the ‘professionally created price to pay’. Obstacles in cybersecurity activities have, like life itself, the ‘colours’ that we give them. I try to choose the bright and

    [Isabel María Gómez] What has been the innovation that has inspired you the most?

    [Stéphane Nappo] Inspired first by my two sons and peoples’ cultures, but also electro and pipe organ music - my forever first love and twenty-five plus years of active contribution, is in performing as well as possible to make digital places as safe as possible. In life, what took first my absolute attention were the engineering drawings of Leonardo da Vinci. Yes, this memory goes half a century back… Not only did I create my own drawings of motors, airplanes, and power plants, but I collected tools and materials from little bricks and tiny seashells to wheels, and compasses. From more recent innovations – Internet, and applied Artificial Intelligence, of course. Like many professionals around my age, I grew up with the computers’ emergence in our lives, and I received a second birth with the arrival of the Internet. And finally - digital photography. Photo art could probably be compared to the art of painting. My masterpieces are, of course, amazing pictures of my two sons and some
  • 16. [Isabel María Gómez] One of your reference phrases is "Knowledge is the only matter that grows when we share it". In cybersecurity, we sometimes err on the side of secrecy. What are the forums you recommend most to break this tendency? [Stéphane Nappo] Exactly and precisely the point that I always amplify when speaking at the conferences, digital and live events, meetings with peers and followers. In France, we have professional forums (ANSSI, Campus Cyber, Le CESIN) and specialised conferences (FIC, Les Assises de la Sécurité, Hacktiv’ Summit… ). Cybersecurity is interconnected and can be a complex matter, we all must teach, train and learn. This is what brings us all together as a community. This is what makes the Cybersecurity community so special and valued among professional circles. Incredible open and free platform is the emerging phenomenon of Top Cyber [Isabel María Gómez] All of us who work in cybersecurity know that our day-to-day work is going to take place in a changing environment that requires a lot of resilience. We are always going to be far from a comfort zone. What are, in your opinion, the skills, virtues that have helped you the most throughout your career in cybersecurity? [Stéphane Nappo] From the very first memories that take me to my beloved Provence, in France, all my future life decisions and actions, I developed, spirit of mission, sense of eagerness, justice, respect and quest for positive and devoted faith in life purpose. This leads me through all the difficulties, moments of success, doubt dispelling, and happiness. As security pathfinder, board advisor, business enabler and strategist, I believe each CISO must act as a guide with strong leadership and deep pedagogy. 
Each CISO has to face unpredictability and take responsibility

"CISOs Need Strategic Thinking to Be Effective"
Emilio IASIELLO for Top Cyber News MAGAZINE, October 2022 edition

The Chief Information Security Officer, or CISO, is fast becoming one of the more difficult C-suite positions to fill. The CISO role has been plagued with turnover, the average tenure lasting anywhere from 18 to 26 months. This doesn't come as a surprise, as the CISO is inundated with an array of challenges that include a nonstop barrage of diverse cyber threats seeking to exploit the enterprise he watches over, internal competition to secure budgetary resources to aid in his defense efforts, lack of authority to instil necessary change, and convincing the larger C-suite as to why certain security measures are needed regardless of their cost. Indeed, in many ways, the modern-day CISO is the cybersecurity equivalent of Sisyphus, struggling to protect the network enterprise only to see another incident set him back on progress.
[Isabel María Gómez] One of your great passions is sharing your knowledge through writing and public speaking, giving conferences, for example. Where will we be able to listen to you in 2023?

[Stéphane Nappo] Thank you for this question, dear Isabel. My 2023 and beyond plans are continuously in deliberate development and change. It will very much depend on many factors where the role of the global CISO will change; developing me personally, while planning and strategizing. From the good news: In France, we have paid vacations. I often use this time… days and weeks… to pre-schedule my speaking arrangements. In the last five years, for example, I delivered keynote addresses or participated in panel discussions in Paris, Zurich, Dubai, Beijing, Moscow, Prague, Berlin, New Delhi, Amsterdam, New York City, Montreal, Porto, Monaco, Deauville-Normandie, Brussels, Miami, Tel Aviv, Casablanca, Nairobi…

[Isabel María Gómez] Have you ever been tempted to leave the world of cybersecurity and redirect your career to another discipline?

[Stéphane Nappo] When times are challenging like these days and in the foreseeable future, I will be very open and honest. I will never let my personal

[Isabel María Gómez] One of the main responsibilities a leader has is to work on his or her own skills. Sometimes looking in the mirror is more complicated than it seems. What advice would you give us to keep evolving for the benefit of our teams? What do you think are the keys to working, for example, with the new generations of cybersecurity?

[Stéphane Nappo] Learn from your heart. Give and share your knowledge. When chosen, follow your own choices and decisions. When impossible… Do remember… Nothing is impossible. There are probably more unknown unknowns to explore and unlock. I see more devotion, more enthusiasm, more aspiring actions and strategic leadership in my younger colleagues than I could imagine just a few years ago.
Better understanding, communication and prepared talents are the future of the Cybersecurity workforce.

I choose to give my knowledge and expertise to my employer, my country, my European and international colleagues and peers. For collective success. For greater than personal, for devoted and desired security and safety for the world. I am a global citizen and I give my all to work well.
Renowned quotes by Stéphane Nappo >>

"One of the main cyber-risks is to think they don't exist. The other is to try to treat all potential risks."

"It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it."

"If you think you know-it-all about cybersecurity, this discipline was probably ill-explained to you."

"Even the bravest cyber defense will experience defeat when weaknesses are neglected."

"Education has always been a profit-enabler for individuals and the corporation. Cybersecurity education is a part of the digital equation."

"The five most efficient cyber defenders are: Anticipation, Education, Detection, Reaction and Resilience."

"IoT without security = Internet of Threats."

"Threat is a mirror of security gaps. Cyber-threat is mainly a reflection of our weaknesses."

"Technology trust is a good thing, but control is a better one."

"Digital freedom stops where that of users begins... Nowadays, digital evolution must no longer be offered to a customer in trade-off between privacy and security."

"Privacy is not for sale, it's a valuable asset to protect."
Let's face it, CISOs are the most sought-after executives in cybersecurity. From start-ups to big companies, they all want to get their products in front of them and win them over as a champion. The old way of attempting to build relationships with CISOs is through events such as CISO dinners that only allow for a few hours of interaction, resulting in 2-3 meetings and possibly one closed deal. These events are losing their effectiveness. CISOs seek new ways to connect with innovative cybersecurity and information security vendors.

The new approach is to create a CISO Advisory Board consisting of security experts who provide advice on the vendor's direction, products, marketing and roadmap, and unbiased advice, as these advisors are not "drinking the kool-aid." The purpose of the CISO Advisory Board is to help the cybersecurity organization gain new insights and advice to solve business problems or explore new opportunities by stimulating robust, high-quality conversations. A CISO Advisory Board acts as a sounding board for the cybersecurity company to bounce ideas off and get access to expertise that might not ordinarily be available. CISO Advisory Boards provide a competitive advantage and help build the company's visibility, credibility, and revenues. A properly constructed and executed CISO Advisory Board will foster lasting and meaningful relationships with key prospects and customers of the business.

The vendor is not the only one reaping benefits from a CISO Advisory Board. Since an adequately built CISO Advisory Board comprises security specialists, information security experts, generalists, and critical thinkers from diverse backgrounds, the CISO advisors gain knowledge and insights from their peers. Enabling the CISO advisors to bring back valuable

Brooke Cook has 20+ years in the cybersecurity executive relationship building and event space.
With a background in business and psychology, Brooke has mastered the niche of building trust in an authentic way with executives around the world and treating them to first-class event experiences. As the CEO and Co-Founder of Security Sisters Network™, Brooke brings her passion, industry knowledge and tenacity to helping her network of over 15,000+ CXO relationships stay at the leading edge of their business, cultivate their desire to learn about new products and surround themselves with their peer group for the benefit of their own network.
Troels Oerting, Chairman Of The Board at BullWall. Denmark

Qvo Vadis (Cyber) Security?

The entry into 2023 marks the 43-year anniversary of my start in Law Enforcement, Security and Cybersecurity. A lot has happened during these many years and the development in speed and complexity has increased. On the other side, I have also noted that the World is still standing and, despite loads of crises, challenges and uncertainty, we tend to overcome the majority of problems and move on. Looking back over the many years, knowing that my generation of security experts will be replaced by new enthusiastic ones, I find the time appropriate to share some of my learnings and insight with the coming generations of security experts.

First, my recommendation is to avoid hype and fearmongering. Humanity will survive the Internet and we should not use or promote 'fear' as a driver for the sale of security solutions. We should instead instigate, defend and promote 'hope' of a safer Internet and digital future and lead the way forward with an optimistic approach.

Secondly, no such thing as 'absolute security' exists. Not in the physical World nor in the Digital. Security needs to be driven by proper risk assessment, knowing that no one 'silver bullet' does the trick and security can be broken from multiple angles and from inside or outside of the network. So, we must be realistic in our security level and adapt to the level that secures what's important without limiting, i.e., privacy or data protection. More security often means less privacy and usability, and the balance needs to be right and decided after a risk assessment.

"We, in security, should not promote fear, but protect hope." ~ Troels Oerting
by Troels Oerting >>

Thirdly, the overall security goal should be resilience. I define resilience in this way: Cyber resilience refers to an organization's ability to prepare for, absorb, respond/adapt to and recover from an adverse situation while continuing to function as intended. A strong cyber resilience framework should be adaptable and account for unknown variables, like new types of attacks. By focusing on resilience, the organization is forced to promote a more holistic and inclusive security strategy involving staff, training, HR, legal, communications and other functions important for ensuring that the organization quickly recovers from a cyber incident and gracefully continues with the main business. If somebody from the outside asks a member of an organization's leadership or Board 'who is responsible for cybersecurity in this organization' and the answer is 'the CISO', they have got it wrong. The right answer obviously is: 'we are all responsible for cyber security'.

Fourth advice is to prepare. We will all get hacked at some point. We need to plan for how we will operate during such an incident. Who is in the crisis management team? Do we have playbooks on all types of incidents? Do these playbooks outline a communications strategy, a press strategy, a legal strategy (is it legal to pay ransom?) etc.? All organizations, regardless of size, need to develop a security strategy and discuss and decide what to do when you get compromised. And then you should train and exercise this plan and adjust it according to reality. Do a tabletop exercise, test if the plan works and take everything relevant into consideration. And rule number one: make notes of what you do during an attack. From the first to the last second. We forget, and you need to be able to remember if insurance or regulators ask. Shortly, if you fail to plan, you plan to fail.

Finally. Make security attractive. For the company and the staff. Too many CISOs are under too much pressure. Cybersecurity is not the enemy of innovation, marketing or usability. It should be an asset instead. High information security is a positive sales argument and the tone from the top should be that security is important for companies holding private and sensitive information.

Despite war in Europe, inflation, increasing prices and interest rates, deadlock in the US House, covid increase in China, geopolitical tension and other global challenges we will – together – improve cyber security and share more insight faster. I am confident of this.

"Happy New Year and I wish you all in security a great 2023 and thank each and every one of you for your service."

Troels Ørting Jørgensen, Chairman at Bullwall, Expert Member at INTERPOL
Mr. Ørting is a globally recognized Cyber Security Expert. He has been working in cybersecurity 'first line' for over 4 decades. Throughout his career, Mr. Ørting has been working with governments and corporations to advise on how they react to the increasing international cyber threats, and has worked closely with law enforcement, intelligence services and cyber security businesses. Formerly, with the Danish National Police, first as Director, Head of the Serious Organised Crime Agency and then as Director of Operations, Danish Security Intelligence Service; Deputy Head, ICT Department and Deputy Head, OC Department, Europol, EU's Police Agency; Head of European Cybercrime Centre and Head of Europol Counter Terrorist and Financial Intelligence Centre. 2015-18, Group Chief Information Security Officer (CISO), Barclays. Chaired the EU Financial Cybercrime Coalition, of which most banks are partners,
Francis West, Chief Executive Officer at Security Everywhere. England

Why Your Anti-Virus Is Like The Yellow Pages - Old School And Out Of Date

We do have answers, one of which is a very short, blunt and not particularly politically correct answer. And then of course, there is the answer that we would write! So first, let's be blunt. The answer is that your IT advisors are likely not cybersecurity experts, and so are not on top of the market, nor have they spent years in the cyber security market to find the best tool for the job. They are very likely to have been supplying an antivirus program to their customers, probably from a well-known vendor, and it's not in their interest to go and tell their customers that it is not good enough. In many cases, they probably are not even aware that it's no longer fit for purpose. This only leaves them with the option of telling their customers that the antivirus is protecting them and of course it is good enough! After all, they would look a bit stupid if they went to the customer that they've sold the antivirus to and said, "We know our antivirus solution is a bit rubbish".

To be fair, we can't paint everyone with the same brush, and we know there are some IT companies that have done just as we did and went to their customers and said "we have discovered our solution is no longer fit for purpose, and there is a better one suited to today's needs". This approach probably cost them some customers, as those customers clearly had a high appetite for risk and didn't think the protection was necessary for the additional cost. Some of our clients said "Okay, great. Thank you", while others said "We don't really like the price and are happier with less protection and lower cost". Others simply said "No, we are not going to pay any more and we will be looking for another supplier". This is the main reason why most IT companies will not tell you to do the right thing – they are scared of losing customers and revenue.
So, why is antivirus not good enough? All legacy antivirus is reliant on doing database lookups to identify any threats. Every single time it does a scan, it has to effectively pick up the Yellow Pages (the list of viruses and threats) and go through the entire book looking for a match. If it matches something in there, it lists it as a threat. If it can't match it to anything in the book, then it's not a threat and it lets it go. The issue is that the Yellow Pages is growing at the rate of four new entries a second. By the time it's printed, shipped out, and everybody's got their copy, it's out of date by thousands or hundreds of thousands of entries, as there are 345,600 new threats added every single day, and it's not decreasing! This basically leaves you with a solution that is just not fit for the purpose of protecting you against new or unknown threats, not to mention it is not very effective as it relies on constantly looking the threats up every time.

But, you say, it does protect me against millions of known threats, doesn't it – surely that is better than nothing!? The problem we face is that the hackers aren't stupid. Why would they use old threats that they know most solutions can block? That's why they're building new ones every four seconds: because they're looking for ways around existing security. What you actually need is a solution that's going to look for patterns of behaviour rather than doing a lookup in an antiquated system. For want of a better example, it's like the difference between using live facial recognition to identify threats rather than relying on someone walking around with a photo and holding it up next to everybody to decide who's a threat and who's not. Or even worse, having to use multiple massive libraries of photos if you're talking about a proper criminal database.
In short, you get what you pay

by Francis West >>

Francis West, Chief Executive Officer at Security Everywhere, is on a mission to inform and advise a million business owners on how to stay cyber safe so they can maximise the advantages of technology whilst minimising the risks. Having started his career in the African Army, Francis moved to the UK and built a million-pound IT support company. In both professions, his motivation has been to protect others from potentially destructive and devastating threats. Successes in that first IT business included redesigning a bespoke, cloud-based, global recruitment platform and contributing to the design and launch of a remote desktop solution for Randstad. Whilst providing managed security services for large enterprises, Francis realised there was a lack of information and support tailored to SMEs. In 2010, he launched Westtek Solutions to educate SMEs on cyber vulnerability and provide a complete security service. This was followed by Security Everywhere, a partnership with Graeme Ison. They provide SMEs with 5 easy, affordable and comprehensive layers of Cyber Protection, within 24 hours. Francis' expertise in his field is widely recognised. He sits on 5 Cyber Security Panels and is the Cyber Security National Lead for the FSB (Federation of
Taking Ownership of Risk
by Allan Alford

One of the pivotal moments in becoming a leader in cybersecurity occurs when the newly minted leader makes the decision to postpone addressing a particular finding from the team due to reasons of budget, schedule, business priorities, etc. This critical moment separates successful practitioners (who should advocate to address cybersecurity risks) from successful cybersecurity leaders (who should advocate for doing the right thing for the organization - which might well include deprioritizing a given cybersecurity risk).

If this moment is pivotal in the initial transition to cybersecurity leadership, then perhaps it serves to establish a trend for future leadership roles in cybersecurity as well. As one rises in leadership ranks, one should inherently become more aware of the surrounding environment, of the needs and drivers of peer departments, and of higher order objectives and goals for the entire organization. If such knowledge is expected of a cybersecurity executive, then that same moment where the fresh cybersecurity leader makes the call to not address a given risk due to higher order concerns should occur more frequently as the leader gains more perspective on the greater organization. To put it

"Without risk there is no business. Take the smart risks and profit. Take the wrong risks and lose."

It can be argued that business is nothing more than taking risks, hoping they are the smartest risks vs. your competitors, vs. time itself, and vs. market demand. Take the smart risks and profit. Take the wrong risks and lose. Investment is risk. Further, all business innovation is also by definition risk. What if the newness of a given product or service prevents its being understood or adopted? Ingenuity, as with all business moves, requires wilful risk.

It is important for CISOs to remember this as they dive into their 2023 risk management plans - that wilful risk is not just acceptable, but integral and necessary to the success of the organization. CISOs debate often about who owns any given cybersecurity business risk as identified by the CISO's team. Most CISOs will tell you that the CISO's role is to point out the risk, to clarify it, to advise on its disposition and let "the business" own the risk. One can argue, however, that there is an intrinsic flaw in that argument, as indicated by its nomenclature. "The business" is not something that exists over there while the cybersecurity team is over here. To refer to the rest of the organization as "the business" is to divorce oneself from one's vital leadership role in the business. The mantra is not "Enable the business!" The mantra is "Be the business!" To this end, CISOs need to bear more ownership of risk despite conventional approaches.
by Allan Alford

If this model is valid, then the CISO's ownership of risks and of specific risk acceptance should grow commensurate with the awareness of the greater organization. By the time one has achieved the CISO rank, one should see oneself first and foremost as a vital co-leader of the business, as a peer to other business leaders from other departments, and as someone who is well informed as to those other leaders' goals, drivers and obstacles. The "Chief" in "Chief Information Security Officer" mandates business leadership over cybersecurity leadership.

Getting back to the CISO debate as to risk ownership, the conclusion that unfolds regarding the cybersecurity leadership trajectory is that the CISO is as much a risk owner as their fellow executive business leaders, and no less so. One cannot be the business without inheriting risk ownership, in other words. That ownership is shared across all the business leaders, and the CISO does not have an inherent right to claim an advisory-only role with regard to any given risk they have identified. The ownership of risk is mutual and mandated for all executives.

The CISO job is hard. The hours are long, the stakes are high, and the stress levels seldom dissipate. Often CISOs are scapegoated, being summarily dismissed when a risk they pointed out to the business months ago turns into an active incident. CISOs are held accountable and blamed for things they often have no authority over. Every CISO, no matter how competent, devotes some portion of their thinking to a fear of an untimely end to their role. Given this climate, how can CISOs embrace risk ownership? Part of the solution is in addressing this notion of accountability without authority. Step One is for the CISO to do what they have (presumably) always done:

The CISO should then state that, "It is my recommendation that we…" Being firm on disposition while encouraging mutual ownership begins the process. Note that this approach can never be embraced until the CISO has internalized it and applied it to their own personal career risk: "I am accepting and owning some career risk with each business decision I make. This is the price of executive leadership, and I will not let it worry me as I charge forward in my role."

The vital aspect of this method is two-fold: First, the CISO is not shirking or dodging, avoiding, or placing themselves in a position of helplessness. The CISO is demonstrating authority by publicly declaring accountability. Authority is given far less than it is taken, and authority is rarely successfully held by those who do not publicly own the outcomes of authority, both good and bad. For the CISO who embraces this philosophy and approach, Step Two manifests in two ways: One: Authority has grown to meet the accountability that the CISO led with. Two: Career risk is actually diminished, not increased, due to the CISO's demonstrating real leadership, real ownership, real business savvy, and real accountability from a business standpoint. To demonstrate these qualities is to weather at least most storms that might blow in when a given risk-taking decision backfires. We all are capable of gambling on the wrong outcome. Doing so with authority and accountability, doing so with the mutual respect of peers who recognize that accountability has been maintained, most likely results in commiseration rather
Allan Alford, United States

CISO and Cybersecurity Consultant, Mr. Allan Alford has led security functions in companies from 5 employees to 50,000 and executes a risk-based approach to security, as well as compliance with many frameworks. With a Master of Information Systems & Security and a Bachelor of Liberal Arts with a focus on Leadership, and twenty+ years in information security, Allan has served as CISO five times in four industries, with a strong history in technology, manufacturing, telecommunications, litigation, education, cybersecurity and more. He parlayed an IT career into a product security career and then ultimately fused the two disciplines. This unique background means that Allan approaches the CISO role with a highly business-aligned focus and an understanding of an organization's greater goals, drivers, methods, and practices. Allan Alford gives back to the security community via The Cyber Ranch Podcast, by authoring articles, speaking at conferences, teaching, mentoring, and coaching aspiring CISOs.

About Allan Alford Consulting
Mr. Alford launched his boutique cybersecurity consulting practice in 2022, with the intention of helping organizations efficiently implement and manage security programs and projects. Allan keeps the practice small, bringing in a hand-selected team of subject matter experts only as
Cybersecurity Leadership
by Steve King

Given my background, I empathize with Cybersecurity leadership and can't imagine trying to do the job at current expectation levels during the storm in which we find ourselves. The competition between business unit owners driving toward the 4th industrial revolution, pockets of shadow IT running unknown quantities of cloud sessions, increased dependencies on supply chains, open-source everywhere, new heights of network complexity, a lack of available resources to fill the gaps, and increased sophistication and smarter attacks from cyber-criminals, along with promises of safety and security from 4,000 point-solution vendors, would drive anyone crazy. If you have a CISO who appears to be keeping the lights on, make sure s/he is happy. For every competent CISO, there must be a dozen who aren't.

But CISO leadership is not limited to technology choices, maturity programs, operations and governance and the provisioning of adequate detection and protection capabilities to assure a computing environment is safe from bad guys. It is responsible to the company and shareholders to do everything possible to assure maximum protection and the implementation and support of well-thought-out and carefully designed layers of defense, leveraging the best and most effective technology tools, the optimal use of available resources, the appropriate levels of education and training delivered to the right people at the right time, and communication with C-suite and Board members at a level where both sides can operate from the same page of the playbook, at all times.

In addition, in most corporate IT environments, the relationships

cooperation that is not always forthcoming. The relationship between the board, C-suite and the CISO is often ill-suited to the execution of actionable programs, as the definitions of accountability and responsibility are soft-pedaled and generally ignored by the senior party. This translates to responsibility and even accountability on paper but not extended in fact, or downright withheld in practice, leading to mistrust and an inordinate amount of anti-productive meetings, analysis and proposals. My experience is that the board simply does not trust either the IT or Security leadership; they don't trust that either team understands the business nor could make the right executive decisions were they in charge, and as a consequence, the board will not relinquish the reins of leadership outside of their domains. The CISO doesn't seem to be able to grasp business basics or understand, for example, the notion of risk transfer.

We hear frequently that 99% of global business leaders claim cyber risk is the greatest risk facing our economy, and when Fed Chairman Jerome Powell said on 60 Minutes that the greatest risk to the economy is cyber risk, we assume that our business leaders are all on the same page. They don't worry about inflation, another financial crisis or another pandemic — they worry about cyber risk. The World Economic Forum (WEF) Global Risk Report 2021 tells us that the top three short-term risks to the world, as defined by its survey of 650 WEF leaders, are infectious disease, income inequality and extreme weather events. The fourth is cybersecurity. Nearly 40% of WEF leaders cited cybersecurity as a "clear and
by Steve King

"What we need is for the CISO to step into the breach – to embrace a true leadership role – which translates to defining a path forward that will minimize the probability of a catastrophic event. It is now time for the CISO to report directly to the CEO or the BOD. We are swimming in a new ocean now and if we expect CISOs to be held accountable with personal liability and fiduciary care duty, then s/he needs to have the appropriate reporting and decision authority as well."

Following the Joe Sullivan verdict, I will be surprised if our next shortage isn't the CISO role itself. Would you risk 8 years behind bars to defend a dysfunctional company's assets without controls or authority for $500K a year? Of course not, and when Sullivan's sentencing becomes real for folks, there will be few willing to take that risk.

True leadership means having the courage to architect and promote an alternate approach to layered, defense-in-depth security models. It means embracing an enterprise-wide Zero Trust strategy. One that begins with third-party assessment, a rigorous identification of critical assets, an isolation of these assets through micro-segmentation and access protection through granular identity management and policy engines, with fully saturated monitoring of lateral activity beyond initial entry through to behavior while on the networks and upon session exits, the dedication of fully staffed cybersecurity hygiene programs, and the discipline to adhere to best practices throughout. It means translating that strategy into language that the board will understand, contextualized outside the standard threat/consequence matrix, so that professional risk decision makers can make determinations aligned with

The Convention on Cybercrime (AKA the Budapest Convention) has been ratified by 65 nations, but focuses primarily on nation states assisting each other in the prosecution of cybercrimes, not on addressing today's nation states attacking private sector companies at will. Are 65 companies asleep at the wheel or have they all signed up for Chinese protection under the BRI initiative? Even though we have seen these attacks in action now for years, we still have no Convention-like treaty that establishes rules of engagement for nation states in cyberspace and provides a legal framework for the international prosecution of violators. And as a consequence, nothing will change the global landscape for private or public leadership with regard to cyber-crime and cyber-attacks. Without modernized laws at a whole-of-global-government level, it is impossible to impress upon the decision makers in private companies to break from the pack.

Risk transfer will remain the Sleepeze for board members unless and until our CISO leadership community determines that it is their responsibility to force reality into their presentations in a way that the board can both grok and understand the details of liability as they relate to their fiduciary responsibilities. Or until Cyber-insurance disappears as a risk-transfer option. Until then, business as usual. As a result, without changing the way that CISOs manage within their organizations, the lack of leadership will always be one of the great Achilles' heels of the Cybersecurity space. It is the equivalent of laws that protect retail criminals from prosecution if all they steal is valued at or under $950.

As even casual observers will recall, it only took Colonial one day to decide on a
  • 30. Mr. Steve KING is the Founding Board Member and Managing Director of CyberEd.io, the leading Cybersecurity Education On-line Learning program in the world. His other day-job is helping Cybersecurity clients get their brand story, positioning statements and messaging squared to the appetite of their targeted audience, as Managing Director of CyberTheory, a full service digital marketing, branding and advertising company. Both organizations are part of the ISMG global media family, the largest media group focused only on Cybersecurity in the world. Education in Cybersecurity is Steve’s passion and he feels lucky to have this amazing, broad, popular, far reaching and active ISMG network to promote and advise on their way toward CyberEd.io’s North Star, which is to CLOSE THE GAP in Cyber education. Steve got his start in InfoSecurity as a co-founder of the Cambridge Systems Group, which brought to market, ACF2, the [still] leading data security product for mainframe computers – Cambridge sold their product suite to CA back in the 1980s. In the year 2000, as businesses struggled to get their message out to the web, Steve started a few businesses to help make that easier. From ESI, a digital branding business that helped companies like Harley-Davidson, Abercrombie and Fitch and Lucky Brands get to the digital markets, to Blackhawk Systems Group, an early player in the SIEM/SOC/MSSP space. Blackhawk and its partners aggressively
  • 31. People Are The Crown Jewels

Anne Leslie, Cloud Risk and Controls Leader Europe at IBM Cloud for Financial Services

Anne Leslie is Cloud Risk and Controls Leader Europe at IBM Cloud for Financial Services where she focuses on supporting financial institutions to securely accelerate their journey to the cloud and transform their cybersecurity operations to adapt to a hybrid multi-cloud reality. An accomplished public speaker, Anne is a passionate advocate for upskilling initiatives related to cyber talent transformation and applying human-centered approaches to some of the most wicked problems facing cybersecurity practitioners. Irish by nature and French by design, Anne lives happily with her three children in Paris, France which has been her home now for over twenty years.

In the context of cybersecurity, people are frequently referred to as an organization’s biggest vulnerability. And while there is an element of truth to that assertion, it is a framing that negates the hugely positive impact that harnessing human energy, engagement, and commitment can have on an enterprise cybersecurity program. The truth is that, with the right enablement and environment, people will naturally want to contribute because as humans we are motivated by being of service and united in something that is bigger than ourselves. Cybersecurity professionals are often characterized by an innate drive to protect. To many practitioners, information security is much more than a job; it's a cause they want to defend. The most progressive organizations are exploring how to leverage human-centred methods, such as design thinking, as a way of identifying how to design security programs that channel the best of what makes us human and complement these capabilities with processes and tooling that augments people’s skills instead of hindering them.
Such an approach involves interacting with cybersecurity practitioners and enquiring of them, “How might we go about making your day go better? How could we go about allowing you to have more impact? What might we be able to do to take obstacles out of your way?” Again, these are seemingly simple questions. However, rare are the organizations where such questions get asked and where the answers are genuinely acted upon. While many cybersecurity professionals start out in their careers with a powerful desire to serve and defend, the weight of
  • 32. Scott D. Foote, Managing Director at Phenomenati Consulting

Introducing Risk Level Agreements™ (RLA) for the C-suite and the Board

To facilitate discussions between executive teams and their boards, Phenomenati has created the concept of Risk Level Agreements™ (RLAs) (www.risklevelagreements.com) which concretely document an organization’s Risk Tolerance ("Appetite"), strategic Risk Profile and the decisions made regarding how those Risks will or will not be addressed. Phenomenati refers to these as “agreements” because they codify the shared awareness, assessment, negotiation, and decisions between the organization’s leadership and its infrastructure providers (both internal and external), with respect to the balance of benefits, costs, and Risks in any aspect of the business. The RLA then becomes a formal business record, persisting the context and tradeoffs of critical business decisions, across changes in the organization, until such time as any decision needs to be revisited.

Typically, development of RLAs will include a series of quarterly Executive team meetings that employ high-level Risk Scenarios to support cross-functional, collaborative decision making regarding whether the leadership team Accept, Reject, Mitigate, and/or Transfer each identified strategic Risk. While these RLAs greatly improve strategic level planning and reporting, they also provide very clear corporate records which concretely demonstrate the Due Diligence and Due Care applied to the organization’s overall Risk Management efforts.

[Figure: RLA components - the organization’s Risk Tolerance, Risk Scenarios, Inherent Risk, Recommended Controls to mitigate risk, Risk Mitigation Decisions, and remaining Residual Risk that is either accepted, transferred, or avoided.]

Each Phenomenati RLA begins by documenting the organization’s current benchmark for Risk Tolerance. The U.K.’s Institute of Risk Management defines Risk Tolerance or Appetite as “the amount and type of risk that an organization is willing to take in order to meet their strategic objectives”.
  • 33. by Scott D. Foote >>

To effectively characterize each Risk in terms of numeric “amounts”, Phenomenati applies conventional Risk Assessment discipline, including both Qualitative and Quantitative assessment of each Risk Scenario that has been identified. Deeper explanation of Risk Assessment techniques is a topic for another article.

A qualitative approach to characterizing an organization’s Risk Tolerance/Appetite might use a subjective spectrum from “Risk Averse – to Risk Neutral – to Risk Seeking”. A quantitative approach to characterizing an organization’s Risk Tolerance/Appetite might use an objective, numerical threshold to describe specific levels of acceptable loss (e.g., % of revenue lost). In practice, most organizations find that their Risk Tolerance is situationally dependent upon the circumstances of each specific Risk Scenario that has been identified, so a single “threshold” value is often impractical.

Risk Scenarios

Any serious discussion about “Risk” must transform abstract concepts into concrete expressions using concepts such as the “Risk Scenarios” mentioned above. A “Risk Scenario” begins with identifying a specific Threat that is directly relevant to specific Assets of the organization (e.g., business systems or business information). Discussion of Threats should include the Likelihood or anticipated frequency of each Threat materializing, e.g., a threat actor attempts to steal customer records 4-5 times per year. Next, across the organization, any Vulnerabilities relevant to that Threat are identified. This should include the Severity of the Vulnerability, e.g., use of single-factor authentication [weak passwords] on accounts with bulk access to customer records. Finally, the potential Impact of specific Threats exploiting specific Vulnerabilities is characterized in terms of Consequences to the business (e.g., potential losses). These Consequences should be assessed both qualitatively and quantitatively, e.g., a possible $xM in regulatory fines, a potential 20% loss of customers, and a potential 35% drop in revenues due to reputation damage.

Figure 1 - Example “Risk Scenario”
Columns: ID | Risk Type | Threat (Metric) | Vulnerability (Metric) | Consequences (Metric) | SLE | ARO | Risk Level (0 - 25) | Annualized Loss Expectancy (SLE x ARO = ALE)
R0001 | Legal, Reputational (Cyber) | Criminal Theft / Extortion (5) | Need to improve Data Loss Prevention. Do not adhere to Least Privilege principle. Need to improve Segregation of Duties. End-point Protection on cloud assets. Monitoring & Detection on cloud assets not well integrated into Security Ops (Sophos 24x7 SOC service). Need to review the protections on DevOps pipeline. (4) | First Party Privacy Breach - Loss of Client Confidential material (5) | 4,000,000 $ | 0.25 | 22.5 | 1,000,000 $

The example “Risk Register” in the diagram below includes a short set of example Risk Scenarios (rows) where each has been Qualitatively and Quantitatively assessed. Those aggregate Risk “scores” appear in columns to the right, and are used to prioritize the overall list of Risks as well as inform subsequent Business Cases (e.g., Cost-Benefit Analyses) regarding investment in additional Controls.

Inherent Risk

Inherent Risk is traditionally thought of as the “untreated” risk in a process or activity, meaning nothing has been done to either reduce the “likelihood”, or mitigate the “impact”, of potential threats. In Phenomenati’s RLAs, the Inherent Risk is captured as the collection of potential Consequences from the Risk Scenarios that have been identified. Effective methods for communicating the set of “Inherent Risks” to an organization include: a tabular “Risk Register”, and/or a simple “Risk Matrix” diagram.
  • 34. by Scott D. Foote >> Risk Level Agreements™ (RLAs)

Risk Landscape (Risk Matrix; cell value = Likelihood x Impact, scenarios R0001 - R0020 plotted by their Qualitative scores):
Impact \ Likelihood    1    2    3    4    5
        5              5   10   15   20   25
        4              4    8   12   16   20
        3              3    6    9   12   15
        2              2    4    6    8   10
        1              1    2    3    4    5
Current Aggregate Risk (ACTUAL): 10,940,000 $

The very familiar example of a “Risk Matrix” in the diagram above illustrates how the Qualitative scores for each of the Risk Scenarios from the Risk Register can be plotted along the traditional attributes of “Likelihood” and “Impact”. Risks to the upper right of the risk matrix (in the yellow, orange, or red cells) are typically considered to have Inherent Risk that is above the organization’s Risk Tolerance. Below the matrix, the “Current Aggregate Risk” sums up the Quantitative monetary values of the current Risk Scenarios from the Register. Presenting this value along with the traditional Risk Matrix has proven to be a powerful catalyst for discussion among Executive Leadership teams, as well as with Boards.

Figure 2 - Example “Risk Register” (Risk Levels: Qualitative Assessment | Quantitative Assessment)
Columns: ID | Risk Type | Threat (Metric) | Vulnerability (Metric) | Consequences (Metric) | SLE | ARO | Risk Level (0 - 25) | Annualized Loss Expectancy (SLE x ARO = ALE)
R0001 | Legal, Reputational (Cyber) | Criminal Theft / Extortion (5) | Need to improve Data Loss Prevention. Do not adhere to Least Privilege principle. Need to improve Segregation of Duties. End-point Protection on cloud assets. Monitoring & Detection on cloud assets not well integrated into Security Ops (Sophos 24x7 SOC service). Need to review the protections on DevOps pipeline. (4) | First Party Privacy Breach - Loss of Client Confidential material (5) | 4,000,000 $ | 0.25 | 22.5 | 1,000,000 $
R0002 | Operational, Legal, Reputational (Cyber) | Ransomware (5) | Need to improve Data Loss Prevention. Do not adhere to Least Privilege principle. Need to improve Segregation of Duties. End-point Protection on cloud assets. Monitoring & Detection on cloud assets not well integrated into Security Ops (Sophos 24x7 SOC service). Need to review the protections on DevOps pipeline. (4) | Loss of Availability of the SaaS platform leads to Reputation damage (loss of Trust, Credibility) and Lost Business (clients, revenue) (5) | 2,000,000 $ | 0.5 | 22.5 | 1,000,000 $
R0003 | Operational, Legal, Reputational (Cyber) | Compromise of Service, Injection of Malicious Software into the SaaS offering (4) | End-point Protection on cloud assets. Need to review protections on DevOps pipeline. Need to expand/improve Application Security Testing (AST) (e.g., scanning of all sw dependencies). (5) | Loss of Integrity in SaaS Infrastructure leads to loss of either Client or Company Intellectual Property (IP) damages valuation. (5) | 5,000,000 $ | 0.2 | 22.5 | 1,000,000 $
R0011 | Legal, Reputational (Cyber) | High Expectations of Security & Privacy from Prospects (5) | Overall Information Security & Privacy Program has not yet been certified. (4) | Lost revenue opportunities. Losses to valuation in financing rounds. (4) | 1,000,000 $ | 4 | 18 | 4,000,000 $
R0004 | Operational, Legal, Reputational (Cyber) | Insider Threat (3) | Administrative Controls need improvement: e.g., background checks for privileged staff w/ "Need to Know"; more specific policies on Data Classification, Access Control, Data Handling, Data Retention; add'l NDAs; special access training; team experienced with Insider Threat Investigations. Technical Controls need improvement: Need to improve Data Loss Prevention. e.g. No monitoring of Annotators while in system. e.g. No monitoring of engineering and operations staff w/ full privileged access. e.g., No UAM/UBA platform to tune monitor User Behavior effectively. Physical Controls TBD (4) | Loss of Client Confidential intellectual property, leads to Reputation damage (loss of Trust, Credibility) and Lost Business (clients, revenue) (5) | 4,000,000 $ | 0.5 | 17.5 | 2,000,000 $
  • 35. by Scott D. Foote >> Risk Level Agreements™ (RLAs)

Recommended Controls

For the highest priority Risk Scenarios, Controls (also called countermeasures) which may directly impact each scenario are enumerated and assessed for practicality. Some controls will attempt to reduce the Likelihood of a specific Threat exploiting a Vulnerability, e.g., use of 2FA for privileged accounts. Some controls will attempt to reduce the Impact of a possible compromise, e.g., use of backups or replication, or obfuscation/tokenization of customer information. Each Control is assessed for practicality based upon Benefits (e.g., reduction in Likelihood or Impact to reduce the Risk), related Costs, and any additional Risk use of the Control may introduce.

Figure 4 - Example “Control Matrix”

For each Risk Scenario, Phenomenati’s RLA captures the current inventory of Recommended Controls using a simple table called a “Control Matrix”. The example in the diagram above illustrates how Controls might be proposed and communicated to a non-technical audience, in support of an RLA discussion, for the common Risk Scenario of “Insider Threat” (InT). Note that each Control is placed in the matrix based upon the Control Type (Administrative, Physical, or Technical) and the Control Objective (Preventative, Detective, or Corrective). The total Costs of the recommended Controls are estimated and then added to the evolving Risk Register (see the diagram below) to support the Cost-Benefit Analysis of the proposed investment (ref. the far right columns). Simplistically, quantitative reductions in Risk that outweigh the associated Cost of additional Controls are considered a good investment. A deeper discussion of this Cost-Benefit Analysis is out of scope for this article.

Figure 5 - Example “Risk Register” Including Simple Cost-Benefit Analysis (the rows of Figure 2, with Controls and Cost/Benefit Analysis columns added on the right)
Columns: ID | Threat | Risk Level (0 - 25) | ALE | Controls: Administrative | Physical | Technical | Annualized Cost | Cost/Benefit Analysis
R0001 | Criminal Theft / Extortion | 22.5 | 1,000,000 $ | 100,000 $ | - $ | 100,000 $ | 200,000 $ | 5.00
R0002 | Ransomware | 22.5 | 1,000,000 $ | 100,000 $ | - $ | 300,000 $ | 400,000 $ | 2.50
R0003 | Compromise of Service, Injection of Malicious Software into the SaaS offering | 22.5 | 1,000,000 $ | 100,000 $ | - $ | 100,000 $ | 200,000 $ | 5.00
R0011 | High Expectations of Security & Privacy from Prospects | 18 | 4,000,000 $ | 300,000 $ | - $ | 500,000 $ | 800,000 $ | 5.00
R0004 | Insider Threat | 17.5 | 2,000,000 $ | 100,000 $ | - $ | 5,000,000 $ | 5,100,000 $ | 0.39
  • 36. by Scott D. Foote >> Risk Level Agreements™ (RLAs)

Risk Mitigation Decisions

Within the constraints of both Budget and Risk Tolerance, the Controls with the most optimal Benefit/Cost/Risk balance are selected, recommended for implementation, and either approved or rejected by senior leadership. Based upon this due diligence, the leadership team will document their decisions on whether to Accept, Reject, Mitigate (through additional Controls), and/or Transfer (e.g., to insurance underwriters) the Inherent Risk within each of the Risk Scenarios that have been identified. These decisions regarding investment in additional Controls, including the Residual Risks for each Risk Scenario, complete the organization’s Risk Level Agreements (RLA). The executive team (and board as appropriate) document their agreement regarding what investments will be made (or not), including what Residual Risk will be accepted (ref. the additional columns on the far right in the diagram below).

Residual Risk

Finally, any “Residual Risk” (those Risks remaining unaddressed) is clearly documented, often using the same Risk Register described above. The Residual Risk is then compared to the overall Risk Tolerance of the organization. Where Residual Risk still exceeds the organization’s Risk Tolerance, additional Risk Mitigations may be considered, or the Residual Risk should be explicitly Accepted or Transferred.

Our team at Phenomenati hope you find this concept of Risk Level Agreements to be as useful as we have in improving strategic level planning and reporting between your Executive Teams and your Boards.

Figure 6 – Example “Risk Register” Including Executive Agreements (the rows of Figure 5, with DECISIONS, Authorities and Dates columns added on the right)
Columns: ID | Threat | Risk Level (0 - 25) | ALE | Annualized Cost | Cost/Benefit Analysis | Decisions marked (of Avoid, Accept, Mitigate, Transfer) | Authorities (CEO, COO, CSO, CTO, Product, Eng, India GM) | Date Decided | Last Reviewed | Next Review
R0001 | Criminal Theft / Extortion | 22.5 | 1,000,000 $ | 200,000 $ | 5.00 | X X | AB CD EF GH IJ KL MN | 2022-02-01 | 2022-02-01 | 2023-02-01
R0002 | Ransomware | 22.5 | 1,000,000 $ | 400,000 $ | 2.50 | X X | AB CD EF GH IJ KL MN | 2022-02-01 | 2022-02-01 | 2023-02-01
R0003 | Compromise of Service, Injection of Malicious Software into the SaaS offering | 22.5 | 1,000,000 $ | 200,000 $ | 5.00 | X X | AB CD EF GH IJ KL MN | 2022-02-01 | 2022-02-01 | 2023-02-01
R0011 | High Expectations of Security & Privacy from Prospects | 18 | 4,000,000 $ | 800,000 $ | 5.00 | X | AB CD EF GH IJ KL MN | 2023-02-01 | 2023-02-01 | 2024-02-01
R0004 | Insider Threat | 17.5 | 2,000,000 $ | 5,100,000 $ | 0.39 | X X | AB CD EF GH IJ KL MN | 2022-02-01 | 2022-02-01 | 2023-02-01

About the Author: CISO, CPO/DPO, Cybersecurity Executive, Board Advisor, CISSP, CCSA, CCSP, CISM, CDPSE, CIPM, CRISC, CISA, currently a Managing Director with Phenomenati, Scott Foote is a globally recognized thought leader and subject matter expert with more than 35 years of technology leadership experience in cybersecurity and the broader software industry. Scott is an experienced cybersecurity executive, designing security and privacy into digital transformation initiatives for his clients. Scott has an acute ability to understand and map organizational needs to security models, architectures, solutions, and technologies.
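As an added example (not Phenomenati's code or a published RLA tool), the register arithmetic the article walks through, in Python: qualitative Risk Level, ALE, aggregate risk, the Cost/Benefit figure from the register with Controls, and the Residual Risk retained after executive decisions. The Likelihood formula (mean of the Threat and Vulnerability metrics), the way each Decision affects retained loss, the tolerance threshold and all function names are assumptions; the row values are the page's own example figures.

```python
"""RLA register arithmetic: an added illustration, not Phenomenati's code.
Rows are the five example scenarios from the page; the Likelihood formula
(mean of Threat and Vulnerability metrics) is an assumption that reproduces
the page's 0-25 scores, not a formula the article states."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

class Decision(Enum):
    # Executive decisions recorded in the RLA (the decision columns of Figure 6)
    AVOID = "Avoid"
    ACCEPT = "Accept"
    MITIGATE = "Mitigate"
    TRANSFER = "Transfer"

@dataclass
class RiskScenario:
    rid: str
    threat: str
    threat_metric: int          # 1-5 qualitative Threat score
    vulnerability_metric: int   # 1-5 Severity of the exploitable weakness
    consequence_metric: int     # 1-5 Impact (Consequences) to the business
    sle: float                  # Single Loss Expectancy, $ per occurrence
    aro: float                  # Annualized Rate of Occurrence
    control_cost: float = 0.0   # annualized cost of the Recommended Controls, $
    decisions: List[Decision] = field(default_factory=list)

    @property
    def likelihood(self) -> float:
        # Assumption: the Risk Matrix "Likelihood" axis is mean(Threat, Vulnerability)
        return (self.threat_metric + self.vulnerability_metric) / 2

    @property
    def risk_level(self) -> float:
        # Qualitative 0-25 Risk Level = Likelihood x Impact (the Risk Matrix cell)
        return self.likelihood * self.consequence_metric

    @property
    def ale(self) -> float:
        # Annualized Loss Expectancy = SLE x ARO
        return self.sle * self.aro

    def benefit_cost_ratio(self) -> Optional[float]:
        # ALE addressed by the controls per $ of annualized control cost
        if self.control_cost <= 0:
            return None
        return round(self.ale / self.control_cost, 2)

    def good_investment(self) -> bool:
        # The article's simple test: risk reduction outweighs the cost of controls
        ratio = self.benefit_cost_ratio()
        return ratio is not None and ratio > 1.0

def aggregate_risk(register: List[RiskScenario]) -> float:
    """'Current Aggregate Risk': the sum of ALE across the register."""
    return sum(s.ale for s in register)

def prioritize(register: List[RiskScenario]) -> List[str]:
    """Scenario IDs ordered by qualitative Risk Level, then ALE, both descending."""
    ranked = sorted(register, key=lambda s: (s.risk_level, s.ale), reverse=True)
    return [s.rid for s in ranked]

def above_tolerance(register: List[RiskScenario], max_level: float) -> List[str]:
    """IDs whose Inherent Risk Level exceeds a qualitative Risk Tolerance threshold."""
    return [s.rid for s in register if s.risk_level > max_level]

def residual_risk(register: List[RiskScenario],
                  mitigated_ale: Optional[Dict[str, float]] = None) -> float:
    """Retained ALE after decisions. Assumptions: Avoid/Transfer remove the loss
    from the organization's books; Mitigate retains the post-control ALE given in
    `mitigated_ale` (full ALE until one exists); Accept/undecided retain all."""
    mitigated_ale = mitigated_ale or {}
    retained = 0.0
    for s in register:
        if Decision.AVOID in s.decisions or Decision.TRANSFER in s.decisions:
            continue
        if Decision.MITIGATE in s.decisions:
            retained += mitigated_ale.get(s.rid, s.ale)
        else:
            retained += s.ale
    return retained

# Constructed register: the five example rows from the page (metrics, SLE, ARO
# and annualized control cost as printed there).
REGISTER = [
    RiskScenario("R0001", "Criminal Theft / Extortion", 5, 4, 5, 4_000_000, 0.25, 200_000),
    RiskScenario("R0002", "Ransomware", 5, 4, 5, 2_000_000, 0.5, 400_000),
    RiskScenario("R0003", "Compromise of Service", 4, 5, 5, 5_000_000, 0.2, 200_000),
    RiskScenario("R0011", "High Expectations of Security & Privacy", 5, 4, 4, 1_000_000, 4, 800_000),
    RiskScenario("R0004", "Insider Threat", 3, 4, 5, 4_000_000, 0.5, 5_100_000),
]
```

Calling the functions on REGISTER reproduces the page's figures: Risk Levels of 22.5, 18 and 17.5, ALEs of 1,000,000 $ to 4,000,000 $, and Cost/Benefit values of 5.00, 2.50 and 0.39, so only R0004's controls fail the "good investment" test.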
  • 38. “Cybersecurity, like life, has the colours that you give it” Stéphane NAPPO
  • 39. “KNOW THYSELF”

The Ancient Greek aphorism "Know Thyself" (Greek: γνῶθι σεαυτόν, transliterated: gnōthi seauton; also ... σαυτόν … sauton with the ε contracted) is one of the Delphic maxims and was inscribed in the pronaos (forecourt) of the Temple of Apollo at Delphi according to the Greek writer Pausanias (10.24.1). The phrase was later expounded upon by the philosopher Socrates, who taught that: “The unexamined life is not worth living.”

An unexamined business transformation strategy is not worth implementing. To facilitate and maintain the confidentiality, integrity, and availability of data and business operations, consider creating roadmaps to digital transformation; designing a reliable system, where your security strategy is a part of your digital transformation strategy. People are an imperative part of the system.

In essence, automation should NEVER create a function. In the aim of preserving corporate identity and user/customer experience, automation must be driven by a clear functional need and relevant compliance knowledge. For automation (just a tool) to provide a global vision, monitoring, interoperability, traceability, orchestration and steering features, a NEW holistic and strategic vision is required.

As truly successful business decision-making relies on a balance between deliberate & instinctive thinking, so does successful digital transformation rely on the interconnectedness & interdependence of state-of-the-art technologies. In information and cyber security, it is crucial to identify adversaries, to find unknown security vulnerabilities, to reduce cyber risks and to envision the potential future threat landscape. To understand, develop and cultivate remarkable resilience is vital.
Have in place an ever-evolving cyber resilience blueprint. Arm your business in the face of future cyber threats. Mind the systemic nature of the cyber threat landscape. 'Know thyself' to increase your cyber-resilience. Strive to inform and educate. Education has always been a profit-enabler for individuals and the corporation. Education, in both conception and delivery, must evolve quickly and radically to keep pace with the digital transition. Education is a part of the digital equation.

Ten Recommendations for Cyber Resilience Strategy

Identify, Protect, Detect, Respond and Recover (the NIST CSF domains for managing cyber threats) remain fundamental steps; then the race is on. It is therefore crucial for an organisation to adhere to these ten recommendations while aiming at a high level of cyber resilience:

• Align information and security strategy with business digital transformation strategy.
• Adopt a comprehensive cyber risk management attitude.
• Identify the most critical information and assets.
• Find and manage vulnerabilities.
• Reduce cyber risks in projects and production.

By Stéphane Nappo
  • 40. TOP CYBER NEWS MAGAZINE - Human Centered Communication Of Technology, Innovation, and Cybersecurity. An award-winning digital magazine about people, by people, for people. Ludmila Morozova-Buss, Editor-In-Chief, Doctoral Student, Capitol Technology University