Welcome to the cybersecurity leadership and management course. Today we will be discussing cybersecurity management reporting relationships. My name is Cicero Chimbanda and I am your instructor for this course.

Cybersecurity management reporting relationships: we will be defining the proper reporting relationship between senior managers and information security managers. The key discussion points for this course are as follows. First, we'll talk about a governance communication overview. We'll also look at communication of the organization strategy and how it brings security. Secondly, we'll talk about regulations, or regulatory systems, and how they bring trust. Finally, we'll touch on operational excellence and how it produces stability through communication. Let's get started.

Cybersecurity governance communication overview. You've probably heard the statement "seek first to understand, then to be understood," from Stephen Covey's The 7 Habits of Highly Effective People. Cybersecurity governance communication elements are complex. We might use the example of the human body, which is very complex yet is an amazing organism. We, as technologists, have created automation, business intelligence, and virtual and augmented reality. But I don't believe we will ever be able to create a technological element that completely mirrors the human body, unless of course we do DNA cloning, and I'm not qualified to talk about that subject matter. But one area we can use is the analogy of communication. The brain is the central command center, and it uses the nervous system to communicate with the body. We know that there are neurotransmitters that send communication, and there are receptors that receive communication to the brain. In the same way, in network communication, we know that there are packets that are sent to transmit communication, and those packets in turn return alarms or alerts to central command systems in order to act.
Similarly, communication has top-down communication and bottom-up communication. We look first at the organism of cybersecurity communication that starts at the top: top-down communication, where corporate governance dictates the way the company will operate. The CISO, within the cybersecurity task force, as we learned in the past, is the link between what corporate governance dictates top-down, in priority order, and the cybersecurity elements that properly secure the organization.

The elements of communication are the executive board, the directors, and senior leadership. Then we have the front office, which is the heads of the business units. Depending on what kind of organization it is, whether a private organization, public, nation-state, or not-for-profit, you have different elements, but the front office is usually those who interface with the bottom line of that organization. Then you have the back office, which is the supporting cast of the organization that runs the operations: financial, legal and compliance, human resources, operations, administration, and technology.

The communication that must come down from the top is the following: the mission, the vision, the strategy, and the goals. The mission statement: why does the company exist and what does the company do? That's got to be communicated down. The vision statement: what does the company want to be? It communicates hope and ambition. The strategy plan: how is the company going to get there? Goals and execution: what must be done. Again, this is repetitive, as we covered it in previous courses, but it's important we understand that this is top-down communication that each element must understand. That communication must take place between corporate governance and the CISO. The CISO must understand these elements, and those are the elements that the CISO, through the cybersecurity task force, builds into the cybersecurity program.
Once the cybersecurity program is established, then there's the bottom-up communication. Bottom-up communication from the CISO, the chief information security officer, begins to lay out the cybersecurity strategy that meets the organization's security needs by bringing confidentiality to its elements, to the data: bringing the security that aligns with the organization strategy. Similarly, the chief information security officer, through this task force, wants to communicate the strategy that meets the regulatory systems by developing and bringing trust, in turn developing the integrity that the corporation needs to operate. Lastly, it needs to communicate, bottom-up, the cybersecurity strategy that meets operational excellence, which brings stability, bringing and assuring availability. As you see, communication is of the utmost importance.

As we look specifically at cybersecurity governance communication of the organization strategy with security: the ability to communicate orally and in writing in the business language, or nomenclature, of the industry that you are responsible for as the cybersecurity leader will yield successful results, as you align security to your cybersecurity strategy by bringing the business strategy with you. This communication style requires the cybersecurity leader to obtain proper inputs from the organization. This is that top-down communication. The cybersecurity leader must seek to understand; must understand the leadership's elements: the vision, the mission, the goals, and the strategy, as laid out previously and as we continue to communicate. Then the cybersecurity leader will take those and transpose, or translate, them into current and future goals, long-term and short-term goals.
He or she will take the previous year's challenges and victories, will look at feasibility studies the company is undertaking, will look at new business initiatives, and will look at industry and market trends, and create the cybersecurity strategy with those inputs. Once those inputs are put together and the cybersecurity program is defined through the cybersecurity task force, then we begin that bottom-up communication, information to provide to the business leaders and partners.

The cybersecurity program will be run as a cybersecurity lifecycle. First you have the design, and in the design you will want to develop the cybersecurity program strategy, develop the ongoing plan, and define your cybersecurity task force, the community, and the operational guidance. Then you have the execute portion of your cybersecurity program, and within execution you want to have your annual risk assessment, which includes pen testing or vulnerability assessments, and you want to have your user awareness trainings developed and communicated. Then you have the evaluation, or feedback, of the program, which will include incident response reports, forensics, and post-incident lessons learned. All of these will come in the format of KPIs, Key Performance Indices, that pertain to the organization's business, or KRIs, Key Risk Indices, that pertain to the organization's business risks. These are the communications that will be done bottom-up to your leadership.

What are the methods of obtaining this type of information? The methods, or vehicles, can be formal meetings with the different business partners. For example, one-on-one meetings, or having cybersecurity leaders or representatives go into department meetings, or vice versa, having the business units attend a cybersecurity leadership meeting. Formal meetings serve as a vehicle for these types of communication.
Then there are informal meetings: lunches, coffees. Never undervalue the social relationship that a cybersecurity leader has with other leaders, co-workers, and other business units. The cybersecurity leader must also have inputs and communication from business-related webinars, conferences, and road shows; relationships with research agencies such as Gartner and Forrester; good relationships with business vendors or even technical vendors; and reading and understanding white papers. Then lastly, there are industry-focused information sharing groups, depending on your organization or industry. For example, financial services has the Financial Services Information Sharing and Analysis Center, FS-ISAC; healthcare has the Healthcare and Public Health Sector Coordinating Council; retail has RH-ISAC, the Retail and Hospitality Information Sharing and Analysis Center. Belonging to some of these information sharing groups allows you to have some inputs. Then obviously books, education, certificates, getting further education. These are all points to obtain information as input to your cybersecurity program in order for it to be successful. This is communication that develops security.

Let's talk about cybersecurity governance communication with regulatory systems that bring trust. The ability to understand and communicate the regulatory rules that govern your organization will dictate the success of the communication that yields trust for your organization. As we discussed in previous chapters, there are regulatory and legally binding rules. Again, you need to understand what it is that your organization must adhere to. Those take precedence, because we know that in law there are legally binding constitutions, acts, ordinances, legislation, and common law. These are all legally binding. If your organization falls within those particular terms and definitions, you want to make sure that you understand them as the utmost priority.
Then there may be certain international law frameworks, legal rules, bills, and policies. These are potentially legally binding. They are important, but not necessarily as high a priority as those previously mentioned. Then you have what we call guidelines, instructions, standards, and best practices. These are usually not legally binding, but they are good to have and to follow in order to be excellent at building that trust. As a cybersecurity professional, these are the administrative controls that you want to be able to communicate in order to build rapport with your constituents and your stakeholders. For example, having regulatory and compliance reporting procedures, risk audits, vendor management questionnaires, IAM (Identity and Access Management) audits, legal hold and investigation procedures, forensics and post-incident reports, and firm element training, which is computer-based training, user awareness, phishing and social engineering tests, and user awareness programs. These are documents and reports that one wants to build in order to communicate and build trust, done either monthly, quarterly, semi-annually, or annually in terms of schedule.

Cybersecurity governance communication for operational excellence, which brings stability. As we've stated in previous courses, one cannot get a seat at the table if the lights are not kept on. Meaning, operational excellence is a requirement not only to get a seat at the table, but it is how the organization retains and regains customers or clients. For example, the front office can acquire new business, but the only way to keep that client and get recurring business is determined by how stable the organization is. The Project Management Office, as a best practice, communicates through three methods of communication. The first is interactive communication. Interactive communication is effective communication that allows the stakeholders to interact with the people related to the project.
Some of the best examples of interactive communication are video conferencing, live chat, or phone calls. These are interactive communications for the stakeholders of a project, whether they are in different regions, the subject matter experts, or the actual executors, so the project can have interactions, with the project manager facilitating this type of communication. Secondly, you have push communication. This is the type of communication in which the project manager uses a medium such as meeting notes, press releases, emails, formal letters, faxes, or memos to reach the audience, not necessarily requiring feedback other than that the message has been received. The third type is pull communication. Just as the name says, it's where the project manager creates a repository, whether a SharePoint site, a repository, or a file share. The project manager deposits communication there and sends out a letter or a link, and then individuals can pull that information at their own desired time, such as slideshows, study materials, and training sessions. This is what's called pull communication.

Throughout the lifecycle of a project within operational excellence, it's best to use frameworks. We've talked about frameworks in a past course. A great framework for operational excellence and best practice is, for example, the software development lifecycle or software deployment lifecycle, SDLC. We've talked about it before. Within the SDLC, you have communication. For example, in initiation you have the requirements gathering. Within the planning stage, you have estimating, scheduling, and tracking, and then you have modeling, where the analysis and design happen. Then you have construction, for example code and test. Then deployment, where you have delivery and support. This is the waterfall model, which is a traditional approach to the software deployment lifecycle. Again, there are different frameworks: you have ITIL, and NIST is a framework.
You can use different frameworks to help build stability in your communication, depending on your organization and on what your company is used to. Nevertheless, it's important that you have administrative controls that communicate the reports, such as the PMO, the procedures that will be done, network design and architectural topologies, change management projects, disaster recovery, the software deployment or development lifecycle, supervisory performance and training reviews, job rotation, and segregation of duties. These are different types of controls, or communication vehicles, that a cybersecurity leader will develop in order to demonstrate accountability for the entity responsible for the operations of the organization. Operational excellence for continual improvement will be done by presenting key performance indices. These are the references, and we'll see you in the next course.