Relationship Dynamics Between Corporate Boards and CISOs

(December 12, 2023)

As part of a series of articles where the Cyber Security Tribe brings to focus key members of the cyber security community, Dorene Rettas, Co-Founder of Cyber Security Tribe, engaged in a captivating conversation with Marc Crudgington, a seasoned Chief Information Security Officer (CISO) and author. Their discussion provided profound insights that go beyond the usual recital of facts, offering crucial perspectives for cybersecurity professionals.

Crudgington, a distinguished figure with extensive experience in the US Air Force and as a CISO at prominent institutions, shared an intriguing narrative about his journey into the world of cybersecurity literature. His first book, "The Coming Cyber War," and its follow-up, "The Cyber War is Here," were born out of real-world experiences and a sense of urgency to shed light on the ongoing cyber conflict and national security risks.

The genesis of Crudgington's literary venture came from a conversation with Colonel Cedric Leighton during the Gartner Cyber Security Risk Conference in 2016. Against the backdrop of global cybersecurity incidents like Russian interference in elections, he realized the magnitude of an ongoing cyber war. This revelation motivated him to gather insights meticulously, resulting in the creation of his book series.

Relationship Dynamics Between Boards and CISOs

Crudgington brings up the importance of the relationship dynamics between corporate boards and CISOs. He emphasizes the need to redefine the concept of having a "seat at the table," considering the different interpretations across organizations. He advocates for regular interaction between CISOs and board members, regardless of formal reporting structures.

The conversation delves deeper into the ethical and integrity-based considerations that are at the core of a CISO's role. In today's landscape, CISOs face an ethical dilemma when it comes to reporting risks. With the emergence of the SEC cyber disclosure rules, the pressure on CISOs to disclose vulnerabilities and breaches has increased significantly.

Crudgington sheds light on the conflicts that often arise between CISOs and CIOs in this regard. While CISOs prioritize the security of the organization and the protection of sensitive data, CIOs may be more concerned with the smooth operation of systems and the avoidance of any negative impact on business operations. This clash of priorities highlights the need for open and transparent communication between the two roles.

However, Crudgington goes beyond merely highlighting the challenges and instead proposes a paradigm shift within organizations. He advocates for an environment that fosters ethical decision-making without penalizing individuals for mistakes. This means creating a culture where proactive vigilance is rewarded, and where the focus is on learning from incidents and continuously improving security measures.