CybeReady’s Hi-5 brings together InfoSec leaders for peer-to-peer sharing via five short questions and insights.
Christophe Foulon is a cyber risk strategist, cybersecurity-focused career coach, and adjunct professor, and he also co-hosts the “Breaking into Cybersecurity” podcast, which helps people trying to break into the field by sharing the stories of those who have done it to inspire those looking to do the same.
What is the biggest challenge security leaders face today and how are you looking to tackle it?
The biggest challenge is the mounting technical debt in their organizations, combined with the rapidly evolving threat landscape. They need to be able to find ways to simultaneously work on paying down that technical debt, staying ahead and aware of the threat landscape, all while enabling the business to be successful in their business mission.
In your view, how important are security awareness programs, and what’s a CISO’s main role in making them effective?
Security awareness programs are a critical aspect of an organization’s security program, and ultimately should be ingrained into organizational culture. The CISO / Security Leader’s role is to help bring the risk conversation to life and to help demonstrate at all levels of the organization the role that employees play in living out that security culture through awareness and reminders of how they help. This usually means more custom-tailored messaging programs for different levels and roles in the organization, for everyone from receptionists to developers and even to the C-Suite. This culture needs to be demonstrated and embodied by all for it to be ultimately successful.
What’s the one thing you’ll never tell an employee who’s made a security error, and how would you suggest handling the situation instead?
Blaming a user or someone who made a mistake for a security error is not likely to lead to added trust in and valuing of the security program; instead, turn it into a learning moment about how it could be improved for the next time. Additionally, a root cause analysis of why a major error occurred would help tweak any awareness or messaging approaches that the organization uses. Maybe the individual was not aware of the risk of that potential error, or did not even consider it an error, from lack of awareness.
When it comes to recruitment – what approach do you take to attract and keep the best talent, and what would be your best tip for a new hire?
We definitely need to open up our doors to more diverse groups of individuals from different backgrounds and ways of thinking. While education and certification requirements might have been useful to demonstrate a level of knowledge, they also lead to bias and discrimination against those who do not have access to them. Build up recruiting pipelines in local schools and universities so that students are aware of cybersecurity roles earlier in their careers. Look at the resources already inside your organization: people who might be interested in cybersecurity but might be in a different role. Cross-train and prompt those individuals.
Finally (just for fun): if you could have dinner with any renowned figure (dead or alive), who would you choose and why?
It would be a toss-up between Jeff Bezos and Bill Gates. They are both amazing entrepreneurs and have demonstrated a diversified interest in many of the different major challenges facing the world today. Having the opportunity to learn about their approaches to a diverse set of topics and learn from them would be amazing.