S26 Ep3: Steve Durbin & Juliette Foster - Good Cyber Strategy Begins and Ends with Alignment to Business Priorities
ISF Podcast, 28 May 2024

Recently, British journalist Juliette Foster interviewed Steve for a feature in The European, and today we’re listening to that conversation. Steve and Juliette explore a range of topics, including how to get buy-in to your security strategy at all levels of the organization, how much security should cost, navigating the regulatory landscape, and which industries and enterprises Steve believes could be templates for security.

Key Takeaways:
1. Good cyber strategy aligns with business strategy, is quantifiable, and involves all employees.
2. Durbin suggests involving security in project planning to avoid retrofitting security measures.
3. Durbin suggests that security teams need to spend more time explaining security implications to business leaders in a way they can understand.
4. Durbin suggests that leaders must create a personal investment in security by providing feedback and justifying costs in a way that resonates with each individual’s role and responsibilities.
5. Durbin highlights the evolving regulatory landscape, with a shift from standardization to protectionism and complexity for organizations.
6. Durbin highlights the evolving threat landscape, including malware, ransomware, and phishing attacks.

Tune in to hear more about:
1. Aligning cybersecurity strategy with business goals and outcomes (1:36)
2. Cybersecurity strategies, testing, and budgeting (10:42)
3. Regulation complexity and its impact on businesses (18:00)
4. Cybersecurity investment, risk management, and emerging threats (22:44)
5. Evolving cyber threats and the importance of resilience (26:58)

Standout Quotes:
1. “What is important for organizations is not to become over fixated on the threats — that’s necessary, obviously, to have a good defense — but also to figure out this whole notion of resilience. How quickly could we get our systems back up and running? How quickly could we get our organization functioning again? How are we going to recover our data? Where are we storing it? Those sorts of things.” - Steve Durbin

2. “... the crux of good cyber strategy is having an alignment with a business strategy happening in alignment with what it is that the organization is looking to do on a daily basis, which in the majority of cases is: increase revenue, increase shareholder value, deliver back to employees, customers, and to further the ideals of the organization.” - Steve Durbin

3. “So the role of the security leader in any budget cycle is to try to align whatever spend she or he wishes to have with the future direction of travel of that organization. And if you can start to do that, then the whole conversation becomes very much easier. But I'm not a huge fan of setting fairly random percentages, because I think it sends entirely the wrong message. You run the risk of overspend or underspend. And what you actually want to be doing is spending appropriately to deliver the right level of protection for your critical assets, for your company, for your employees, for your shareholders, so that you can continue to provide a thriving environment.” - Steve Durbin


From the Information Security Forum, the leading authority on cyber, information security, and risk management.
