Synopsis
Cyber security is one of the business domains in which return on investment is most challenging to calculate. After all, it's about loss prevention: you spend a lot of money and in the best-case scenario nothing happens.
Against this backdrop, guidance on how to make decisions is mainly descriptive and based on experience; it lacks empirical grounding and can result in sub-optimal actions. A mix of 'gut feelings', regulatory pressures and media headlines, together with 'semi-empirical' information extracted from facts and metrics, makes up the evidence that most companies rely on when making cyber-decisions. A consolidated approach to making cyber-decisions does not exist.
In this presentation, I will report the findings of a research project involving 6 large organisations and a total of 36 cyber decision-makers: SOC analysts, security administrators and engineers, GRC specialists, security operations managers, risk managers, CIOs, CISOs, etc. The presentation will show the factors that most strongly shape how we make decisions in cybersecurity at the operational, tactical, and strategic levels. What considerations does a SOC security analyst make on a daily basis? How do organisations go about selecting security products and vendors? What factors do boards assess when deciding whether or not to pay a ransom? And whether or not to take up cyber-insurance? These and many more questions will be answered during the session.
A little sneak peek: we make decisions in cybersecurity based on dynamics at the individual (e.g., psychology, expertise, own experience), team (e.g., leadership, colleagues' experience), organisational (e.g., culture, budgetary constraints, competition) and industry levels (e.g., regulations, over-arching bodies).
The breakout session will conclude with the presentation of an evidence-based framework for cyber-decision making at the operational, tactical, and strategic levels, built on findings from our research and on the existing literature in the field. By using the framework, cyber decision-makers attending the breakout session will gain a holistic understanding of the factors they ought to consider in order to make solid cyber-decisions.
The session will be highly interactive: I will put several questions to the audience, which I expect to be extremely varied in terms of job titles, backgrounds, and roles in cybersecurity. This will be ideal, as the contents of this session apply equally to the youngest of analysts and the most experienced CISO. After all, the research presented in the session was explicitly intended to be as holistic as possible, an exercise that is incredibly rare in the hyper-specialised world of cyber security.