I’m no HBO, but I am pleased to say I have just posted a video of my talk at RSA onto YouTube, entitled “Playing the Game of Thrones; Ensuring the CISO’s Role at the King’s Table. Recorded by my good friend and evil twin brother Kai Roer (@kairoer) it is the session in its entirety along with pertinent slides throughout.

I was pleased with my personal performance at the time, but of course watching it I see many areas I could improve upon. (I am planting my feet better, but still by no means do I stand still for instance.) The staging of the room was very poor, but unfortunately there was not a lot that could be done about that, and many other speakers had to put up with the same issues.

The full abstract for the talk (from the initial submission) is:

Why is is the CISO constantly frsutrated with being required to report to areas of the business that either don’t understand it or conflict with so many of the core deliverables of the role? Too often it is beholden to the agenda of the technology focussed CIO or blinkered by the financial constraints of the CFO. How has the role even got to this place?

Starting with a brief historical look at where the CISO role was borne from in the first place, progression to this current state of affairs is shown to be inevitable.  What is needed is a plan to disrupt this status quo and ensure a CISO is in a position to not only understand the power of the business intelligence that is produced in a well managed environment, but how to ensure it reaches the board in a way that is understood.

Through the use of a universally understood information security model, the CIA triangle, the presentation explores three key areas to assure the success of the CISO in being asked to report to the board rather than being summoned to it.

Initially the actual source of the information, its gathering, the methods employed and the common pitfalls often seen are explored and clarified. What are the common mistakes, how are they rectified and how can you recognise when the data gathering programme is going awry?

Secondly, how is it being pulled together, and what is it saying? How to understand the audience it is being presented to and what can be done to improve its chances of being understood.

Finally, how does the CISO make the final push for the board? What are the key principles that need to be understood about supporting a successful business, what home truths about the information security industry are rarely mentioned and how can the CISO differentiate themselves from those that came before?

This presentation seeks to broaden a CISO’s skills beyond the technical and the post nominal focussed industry accepted norms and into those that actually help a business do what it does best.

The content from this and my other recent talks will start to appear on this blog as I put my ideas down more into the written word rather than a presentation format. I have just one more speaking engagement before the end of the year now, and one in the first two weeks of the new year, so I hope to find more time to write rather than created decks.

I hope you enjoy the video, and as always I would greatly appreciate your feedback both positive and negative/constructive.