Welcome to the cybersecurity leadership and management course. Today we'll be discussing cybersecurity leadership, governance and senior management. My name is Cicero Chimbanda and I will be your instructor for this course.

Cybersecurity leadership, governance, and senior management. This course's objective is to describe the makeup of senior management and information security governance, ISG. We will detail the roles and responsibilities. We will also describe the importance of effectively designing the cybersecurity leadership task force or committees, which will contrast the proper cybersecurity leadership model and build security, trust and stability. The key definition elements in this course: we will review the leadership structure, talk about organizational governance, and discuss some of the key deliverables. In the second portion of this course, we will discuss how senior managers in cybersecurity have different roles, and what makes up the different senior management roles in cybersecurity. And finally, we will discuss the responsibilities of senior management in a cybersecurity program.

This slide might be familiar to you, as we talked about governance in a previous course. These are the main components, the elements, of corporate governance. You have the board and its committees. You have the regulatory laws: typically, publicly traded companies or regulated companies must adhere to certain laws, and even smaller companies have specific laws that guide the incorporation and the fiduciary responsibilities of those organizations. Within the organization you have the corporate hierarchy, which is the leadership, its management level and the contributor workforce that make up the corporate hierarchy. And finally you have the policies and procedures that are built within the corporation in order to safeguard the growth of the corporation.
In this topic, as we talk about organizational governance and leadership, it is important to define governance as the internal system of practices, controls and procedures that your company adopts in order to make itself effective, comply with the law, and meet the needs of external stakeholders. What are the deliverables that an organization must have? Well, they are laid out in these four components. You have the vision, which is typically your stated vision statement: what does the company want to be? It lays out the hopes and the ambition. Interchangeably, some might have the vision statement first or the mission statement first, but typically the mission statement is: why do we do what we do? What is it that the company produces in order to exist? It lays out the motivation and the purpose of a company. Then you have the strategy, which is usually the plan and the objectives, laying out what the company is going to do to get there. And then the goals and execution, which are the actions: who are the owners, the timeframes, the outcomes, what must be done to achieve its goals? The top two, mission and vision, are usually where the leadership mindset dictates within a company. Once you lay down the vision and the mission, which is typically your roadmap, then you have the strategy and goals, which is how the company is going to get there. And you lay down the goals: what must be done, the actions, the owners, the timeframes and the outcomes. Again, leadership and management.

Continuing to talk about organizational leadership, as we examine the deliverables, it is very important that the leadership understands and embraces the mission and vision, and that it aligns itself with the organization's strategy and goals for its cybersecurity program. Doing this, you will see that the mission, the vision, the strategy and goals have as their main purpose strategy alignment and goals. Well, the mission statement is typically the vision the company sets, rather than the mission statement.
These statements are nevertheless interchangeable. The most important thing is that it is communicated and it adds value. A cybersecurity leader must understand and embrace the mission. The vision statement: this is the corporate vision, concretely describing what the company is and where the company sees itself in the future. It is especially important for individuals to understand what the vision statement is, and to understand and embrace the vision. The strategy of cybersecurity is where the alignment happens.

I've had the privilege of working for a large utility in the energy industry where its strategy was the demerger or divestiture of different companies, different entities. A lot of the reason, or the motivation, for the strategy was due to regulatory and legal purposes. In the cybersecurity department we had to understand all the different vulnerabilities that might have been introduced because we were demerging or divesting companies. We had to reevaluate our business continuity; we had to reevaluate our vulnerability assessments. And in doing so it became part of our strategy alignment to the corporation. I've also had the privilege of working in large financial institutions where the strategy was to perform mergers and acquisitions to onboard or transition funds into its portfolio. And this in itself laid some inherent challenges for our cybersecurity professionals. We had to make sure that if we were bringing in companies, there were minimum requirements on their cybersecurity posture: that they adhered to certain technologies that had passed the standard best practices for cybersecurity. We had to evaluate the policies to make sure that they were fitting for the merged entity. All these strategies pose heavy responsibility in corporate governance and leadership, and must take into account the discussion of cybersecurity leadership, and discuss the key elements of alignment. Talking about alignment: STS, security, trust, and stability.
You will hear this theme over and over again as I talk about cybersecurity and management success, because the alignment that's needed between a cybersecurity leader and senior management is done at that level. The senior management are really more focused on the strategy: what is the organization's strategy? They're focused on meeting the regulatory systems or obligations, and they are demanding operational excellence so that their customers will not be impacted by any event. Well, security, trust and stability is what brings in the goals, which are to have confidentiality, to have integrity, to have availability in your cybersecurity program. Thus, creating what we call the cybersecurity program life cycle. You see, you design your cybersecurity program, you execute your cybersecurity program, and then you do evaluation: see where there are lessons learned and room for improvement, at all levels of the building of the cybersecurity program.

The roles of senior management in cybersecurity. It is important to understand that the role of the senior managers is to build the alignment structure, and to effectively design, execute and evaluate the cybersecurity strategy. This right here is the executive management model by ISACA. We see the shareholders, who typically are the ones funding the company by purchasing shares or providing equity in the way of investments. And the board of directors are subject to meeting their demands by quarterly goals, semi-annual goals and annual goals. The board of directors usually has a board secretary, and it's headed by the general manager or chief executive officer. And you have board committees that come out of the board of directors, and on the side of the general manager, the CEO, he typically has a senior management staff. And then within the board committees you have several types of board committees.
You have the corporate board committee, you have risk committees, audit committees, compliance committees, pay committees. And out of the corporate governance committee is typically where you have your cyber governance committee.

The makeup of a cybersecurity department or program. You need a lead, and usually the head of that department or organization is the CISO, the chief information security officer. This chief information security officer typically comes out of the senior management role, or participates in it. And this is where you have your chief human resource officer, or your chief financial officer, or your CIO, your chief information officer, or the CTO or COO; in a mature model the CISO is a peer to a chief, or the C-suite. But sometimes the chief information security officer will play the role of being the chair for your cyber governance committee or your cybersecurity task force committee. Usually chair; we'll talk more about that. The hierarchy under a chief information security officer typically begins with him being the head of cybersecurity, or sometimes the president of that organization, when you have a VP of cybersecurity that reports to the CISO. And in a mature model you have an information security director, you have individual contributors, and then you have your entry levels. And this is typically how the cybersecurity roles within an organization are laid out according to NIST.

What are the responsibilities of cybersecurity management? Well, you've seen this before: we talked about the McKinsey 7S model, where leadership has the role of building the structure, the strategy, and the systems. And then you have management, where they are bringing in and making sure that the organizational skills are being developed, that staff has the necessary resources to continue to contribute to the corporation.
When you have the style of the corporation, and within the 7S's of the McKinsey model, you have shared values, which is what holds it all together. Well, in this model of the responsibilities of the senior manager, the theme that you will see me constantly talk about to be successful as a cybersecurity leader and in management is the STS-Alignment model. You see security, where your primary responsibility is to ensure that the organization has the proper security. And then trust: this is where you will need to have the senior managers and your investors trust your organization, and so it is an important alignment component. And then you have stability: unless there's stability in the organization, unless there are predictable outcomes, investors will not invest in the business. And so cybersecurity is an important component of bringing that, and that's why we have the STS-Alignment model. The link to senior management is leadership, and the management of the components to your downstream, mid-level managers through to the contributors is through management.

Executive management sets the tone by providing the mission and the vision. The CISO aligns the corporate strategy and goals through the cybersecurity program, and through the mission and the vision, which is the leadership portion. For the strategy and the goals, you want to make sure that you align your security by bringing confidentiality and delivering the organizational strategy. You want to make sure there's trust, which will allow the regulatory systems to be met, and in turn the integrity of your organization will be there. And then you have stability, where availability of your resources brings in operational excellence. This is the responsibility of senior management in cybersecurity: to make sure that all the components are adhered to and met, thus creating the cybersecurity program life cycle.
And in doing so, you design, you execute, and you evaluate, leading to continuous improvement of your cybersecurity program life cycle. Again, to review, STS is the alignment. You want it to bring confidentiality, integrity and availability. And in doing so, you will bring organizational strategy, regulatory systems, and operational excellence. Thank you for listening to this course, and we'll see you next time as we talk about cybersecurity leadership and management.