Providing cybersecurity advisory content to startups to establish an effective cyber program

— Join former ICE and NYSE CISO Jerry Perullo as he explores the opportunities available to tech executives after retirement
Season 3 Episode 1 - The Interim CISO

Joined by fellow Interim CISO veterans Yael Nagler of Yass Partners and Aurobindo Sundaram of RELX, host Jerry Perullo reflects on his experience as the Interim CISO of Silicon Valley Bank and explores the challenges of the role from hiring manager and candidate perspectives. Yael Nagler: https://www.linkedin.com/in/yaelnagler/ Aurobindo Sundaram: https://www.linkedin.com/in/aurobindosundaram/ 00:16:30 Why hire an Interim CISO? 00:21:00 Is there such a thing as KTLO in the CISO role? 00:30:3

The Risk Acceptance Myth

The notion of "Risk Acceptance" has always challenged me. For the uninitiated, Risk Acceptance is a concept often discussed in cybersecurity leadership when it comes to accountability for cyber debt. The idea is that cybersecurity leaders and other professionals identify risks and recommend mitigating actions that would reduce that risk, but recognize that it is always up to business leadership to weigh the costs and benefits of change and make a final decision. Risk Acceptance has always come u

Cyber Governance: What is Fair to Expect from Board Directors and Management? 3 of 4

Episode 3: Incidents In Episode 1 of this series I talked about oversight of cybersecurity threats and how a Board can engage with senior management to determine the mission of the cybersecurity department and prioritize testing and analysis. Next I moved on to cyber risks in Episode 2 and the idea of a Remediation Agility chart to guide a wide-ranging Board room discussion with a single visual. The next area that deserves a permanent spot on the Board agenda is incidents. Incident awareness a

Season 2 Episode 1 - Board/CISO Interaction

Returning from 6 months as the interim CISO of Silicon Valley Bank, host Jerry Perullo speaks about Board/CISO interaction on the FS-ISAC Insights podcast. Full video interview at fsisac.com/insights 00:04:35 Being the Interim CISO of SVB through the crisis 00:06:36 The CISO “seat at the table” 00:14:00 Board TRIC 1: Threats 00:17:30 Board TRIC 2: Risks 00:19:30 Board TRIC 3: Incidents 00:21:20 Board TRIC 4: Compliance 00:26:00 CISOs as Board Directors Season 2 Episode 1 - Board/CISO I

Cyber Governance: What is Fair to Expect from Board Directors and Management? 2 of 4

Episode 2: Risks In Episode 1 of this series I talked about oversight of cybersecurity threats and how a Board can engage with senior management to determine the mission of the cybersecurity department and prioritize testing and analysis. Now it's time to move on to cyber risks and what level of detail is appropriate in a Board room. To steer our conversation let's use a Remediation Agility chart. Similar to the Threat Objective portrayal in Episode 1, this visual is meant to sit on the screen

Bad CISO Archetypes

As part of my advisory work, I often help companies find and/or interview security leaders. While I'm a huge fan of screening quizzes, I realized that I should go a step further and help firms understand what I'm trying to detect or avoid during the interview process. In the process of discussing this with some peers, the Bad CISO Archetypes list was born. Look out for these when you are hiring - but more importantly steer your career to avoid becoming one! Chicken Little You don’t want someo

Cyber Governance: What is Fair to Expect from Board Directors and Management? 1 of 4

With mounting pressure around cyber literacy in the Boardroom, Directors are looking for specifics around what will be expected of them. Likewise, organizations are wondering what is fair for Directors to expect of management. Drawing on experiences from both sides of the table, following are reasonable expectations that leverage Director talents to establish effective cyber oversight. I'll do this using a mnemonic to guide program governance internally and externally - TRIC: Threats, Risks, In

Episode 02 - The CISO Board Director

In this episode, host Jerry Perullo explores the opportunities and challenges for retiring tech executives and CISOs in the Board room. Hear about how Boards need business leaders first and specialists second, and what you can do today to groom yourself in that very direction. 01:57 Background 07:45 The Traditional Board Director 09:50 Episode BLUF 10:19 Landing a Seat 14:32 Your Board Profile 16:08 t-3: What You Should do Now 28:40 Recap Episode 02 - The CISO Board Director | RSS.com

Cybersecurity Governance

To be sustainable, effective, and defensible, a cybersecurity program must begin with governance. Adversarial helps firms establish, operate, and review both internal and external cybersecurity governance programs with an emphasis on engaging non-cyber business leaders and leveraging their strengths. Internal Governance Often overlooked, establishing a cross-functional CyberGov committee is an essential step to involving business leaders in appreciating and setting the cybersecurity mission. A

Making Sense of Geographic Network and Travel Restrictions

There is a lot of confusion when it comes to cybersecurity "geo restrictions" on networks, and just as much when it comes to corporate travel protocol. While the topics are distinct, they are often conflated and share enough underpinning facts to discuss together. First, let's talk about geographic network restrictions. We can organize that topic by ingress - or inbound restrictions, and egress - or outbound. INGRESS Ingress geographic network ("geo IP") restrictions apply to restricting wha

Cybersecurity for Investor Relations and Corporate Governance

In addition to new rulemaking and interpretive guidance on cybersecurity from the SEC, public companies are seeing their cybersecurity disclosures and assertions weighed directly by investors, ratings agencies, and insurance providers - not to mention prospective customers. Investors and analysts are capturing cybersecurity maturity alongside other Environmental, Social, and Governance (ESG) priorities, and agencies are performing algorithmic reviews of public filings to score companies on their

Cybersecurity in the Three Lines Model

Since 2010, the Three Lines of Defense model has been widely adopted as an authoritative framework for operational and financial enterprise risk management across the globe. The model was not intended to dictate new positions and roles within an organization per se, but to evaluate existing structures to ensure sufficient coverage and independence to provide effective risk management. Even if you are not evaluated against the model today, it is a useful framework to gauge the maturity of your or

Briefing Your Board on Cybersecurity part 3/3: Board Committees - Metrics and Materials

Cybersecurity is arguably the most concerning topic across corporate board rooms these days, with Directors clamoring for data not just on risk, but on general education around this new and complex subject. This collection of tips mirrors a talk I gave at the FS-ISAC annual summit in April 2018 and I hope follow CISOs, security practitioners, corporate governance professionals and corporate Directors may find it helpful. Episode 1 introduced core Corporate Governance concepts for Security Profe

Briefing Your Board on Cybersecurity part 2/3: Full Board Meetings

Cybersecurity is arguably the most concerning topic across corporate board rooms these days, with Directors clamoring for data not just on risk, but on general education around this new and complex subject. This collection of tips mirrors a talk I gave at the FS-ISAC annual summit in April 2018 and I hope follow CISOs, security practitioners, corporate governance professionals and corporate Directors may find it helpful. Episode 1 introduced core Corporate Governance concepts for Security Profe

Briefing Your Board on Cybersecurity Part 1/3: Corporate Governance 101 for Security Professionals

Cybersecurity is undeniably one of the most concerning topics in corporate board rooms today. Directors are looking not only for assurance around the obvious risks, but for general education around this new and complex subject. Clarity is sought around what is expected of Directors, how exposed a firm is to the latest breach on the news, how management assesses cybersecurity risk, and how a firm's program stacks up in independent reviews. A knock-on effect of this is a raft of questions among CI

What are they after? A threat-based approach to cybersecurity risk management

I'm pleased to be a part of the publication of a substantial Cybersecurity Guide for Directors and Officers announced yesterday. I hope you will visit www.securityroundtable.org and enjoy the entire book and more. Following is my contribution (Chapter 27): What are they after? A threat-based approach to cybersecurity risk management Intercontinental Exchange & New York Stock Exchange - Jerry Perullo, CISO Given finite resources and the ongoing threat of the “next big hack,” cybersecurity is