Has your CISO attended a cybersecurity therapy session? It's the latest trend in proactively managing the health of the security group. What are the risks they fear the most? Listen now to the stories that they tell sitting around the campfire shining flashlights under their chins.
Many thanks to Kevin Ford for bringing this topic into the open in this blog post.
You can probably add first-party breaches and regulatory investigations to that list.
They are often the end of a CISO's tenure, as there's a tendency to throw the CISO under the bus.
OK, how come there are two different copies of this same topic? Creating two different threads?
The Forumites loved this, and one of them noted:
> Therapist: Now that we have exposed the issue, we need to recover. First we need
> to admit we are powerless over our hacker and our network is unmanageable.
So, I continued with:
2. We came to believe that a Power greater than ourselves could restore us to sanity.
3. We made a decision to turn our passwords and our networks over to the care of ISC2 as we understood it.
4. Made a searching and fearless port inventory of our networks.
5. Admitted to Bruce Schneier, to ourselves, and to another mere mortal the exact nature of our wrongs.
6. Were entirely ready to have Bruce Schneier remove all these defects of controls.
7. Humbly asked Him to remove our vulnerabilities.
8. Made a list of all users we had harmed, and became willing to make lame apologies to them all.
9. Made direct patches to such people whenever possible, except when to do so would exploit them or others.
10. Continued to take system inventory and when we found unpatched apps promptly admitted it.
11. Sought through study guides and simplistic practice questions to improve our conscious contact with ISC2, as we understand it, praying only for knowledge of our AMFs and the CPEs to carry that out.
12. Having had a technical and managerial awakening as the result of these Steps, we tried to carry this message to CISOs, and to practice these principles in all our systems.
It's for the ex Naval personnel.
You've got to tell, then tell them you've told them.
Unlike the Army, where you have to tell them what you're going to tell them, tell them, and then tell them what you've just told them.
Unlike the Air Force where you just tell them ....
It's an old joke 🙂
Just a quick FYI - I merged the two posts together, so there is just one now. This usually happens as the result of a connection issue where the Post button was hit twice, which creates two posts.