Gaining the Technology Leadership Edge, Episode #76

The Power of Safe Practices: Building Resiliency in Cybersecurity

Show Notes

About the Guest(s):

Chris Foulon is a seasoned cybersecurity strategist with over 15 years of experience. He serves as the mastermind behind CPF Coaching LLC, providing Virtual CISO (vCISO) and information security management services. Chris has helped numerous organizations enhance their cybersecurity resilience through coaching and continuous process improvement. With a background as an adjunct professor and a supporter of the Full Cyber Human Initiative, Chris is dedicated to educating current and future cybersecurity professionals.

Episode Summary:

In this riveting episode of “Gaining the Technology Leadership Edge,” host Mike sits down with Chris Foulon, a veteran in the field of cybersecurity. With a rich history spanning the Caribbean to the present-day United States, Chris delves into the essential components of effective cybersecurity measures. He highlights the importance of incremental process improvements, data classification, and the significance of a human-centric approach to cybersecurity.

Chris shares real-world examples from his extensive career, illustrating how his unique coaching methods have transformed organizations, making them more resilient and prepared for cyber threats. He also discusses the ever-evolving landscape of cybersecurity, emphasizing the need for continuous learning and adaptation to emerging threats like ransomware.

Key Takeaways:

  • Coaching over Commanding: Chris uses a coaching approach rather than a directive one to help organizations improve their cybersecurity frameworks.
  • Incremental Changes: Emphasizes the importance of executing small, incremental improvements over large, sweeping changes in cybersecurity protocols.
  • Supply Chain Vulnerabilities: Highlights the significant risks associated with not understanding the vulnerabilities within an organization’s supply chain.
  • Human-Centric Security: Advocates for using the term “safely” rather than “securely” to make cybersecurity concepts more relatable for business stakeholders.
  • Disaster Preparedness: Stresses the critical need for disaster recovery plans and underscores the importance of regular testing and iteration.

Notable Quotes:

  1. “When you do it safely, they understand that. They understand what human safety is. I use the word coaching because I come in and rather than saying, you need to do this, you need to do that.”
  2. “You’re never going to achieve big, massive jumps in culture, in process, in anything. So what you have to do is look at incremental ways that you can do it.”
  3. “If their Yahoo account gets breached now, the threat actors can go, okay, this username and password combination, let me go try it at their current organization.”
  4. “If you’re not customer-centric, then why are you here? Why are you trying to help people?”
  5. “If you don’t understand the supply chain that feeds into those vendors, you’re going to be inheriting risk that you’re not aware of.”

Episode Details

Mastering Cybersecurity Strategy: Insights from an Expert

Key Takeaways

  • Emphasize “safe” over “secure” to bridge the understanding gap between technical teams and business executives.
  • Incremental changes and continuous process improvement enhance an organization’s agility and resilience against cyber threats.
  • Data classification is fundamental to effective cybersecurity management and ensures that critical information is adequately protected.

The Genesis of Cybersecurity Passion: Early Intrigues and Napster Days

Understanding cybersecurity’s significance begins with a personal journey, as illustrated by Christophe Foulon’s early fascination with technology. Foulon recalls, “I was a kid in the Caribbean and the island PC tech was working on our business’s computer, and at eight years old, I saw all these computer parts and I just got intrigued.” This early exposure laid the groundwork for a career committed to safeguarding information.

Foulon’s formative years coincided with the rise of Napster, a pivotal moment for many diving into the cybersecurity realm. “As Napster started to take off, everyone started getting viruses and they needed a way to figure out how to remove them,” Foulon recalls. “I was the one that was interested in helping them. So I started to figure out ways to change behaviors behind the initial infection, and that started me down the path of cybersecurity.”

Foulon’s narrative underscores the role of intrinsic motivation and early tech exposure in cultivating cybersecurity experts. His story sets the stage for a broader discussion on the pressing need for continuous education and behavioral changes in the cybersecurity landscape.

Emphasizing Safety Over Security: Bridging Technical and Business Language

One of the most important takeaways from Foulon’s insights is the significance of communication. In his coaching and consulting roles, Foulon noted a critical disconnect between technical security measures and business leaders’ understanding: “I try to use the word safely rather than securely, because when you do it safely, they understand that.”

Bridging this gap involves more than just semantics—it requires a thorough understanding of business objectives. Foulon explains, “You have to figure out, when working with the business, what drives their revenue, and then how can you enable them to do it.” This nuanced approach ensures that both security and business objectives are aligned, fostering a culture where safety is perceived as an enabler of business success, not a hindrance.

This alignment is further exemplified in the realm of process improvement. Foulon emphasizes incremental changes over big leaps: “You’re never going to achieve big, massive jumps in culture, in process, in anything. So what you have to do is look at incremental ways that you can do it.” This perspective is crucial for maintaining agility and resilience in an ever-evolving threat landscape. Continuous, small improvements ensure organizations can quickly adapt and respond to emerging vulnerabilities instead of being bogged down by extensive, disruptive changes.

The Essential Role of Data Classification

Foulon strongly advocates for data classification as a fundamental cybersecurity measure: “I would start with data classification because you really need to understand what data is living where and how critical it is to your organization.” This foundational step is crucial because it enables organizations to prioritize their protection efforts based on the criticality of the data.

In the complex ecosystem of modern business, understanding data flows and data sensitivity allows for tailored security controls that protect the most vital assets. Foulon recounts a practical example from his experience: “If you live anywhere in the United States, close to Tornado Alley in the Midwest, make sure that you plan your disaster recovery and you test it, because a tornado happens like that, and if you’re not properly planned for switching over to another site, you could lose your business overnight.”

Data classification doesn’t merely streamline cybersecurity procedures; it also empowers organizations to maintain business continuity under stress. By knowing precisely which information is crucial and where it resides, businesses can craft more effective disaster recovery plans and ensure the swift restoration of critical functions after an incident.

The Coaching Philosophy: Transcending Traditional Consulting

Foulon’s approach extends beyond typical consulting frameworks—he adopts a coaching philosophy aimed at empowering clients to self-manage their cybersecurity processes. He elaborates, “I use the word coaching because I come in and rather than saying, you need to do this, you need to do that, I understand what you’re trying to achieve and work with them to achieve a maturity and a continuous process improvement to have more resiliency in their organization.”

Coaching denotes a collaborative relationship where the focus is on teaching and enabling rather than dictating. This strategy is particularly valuable in the realm of security awareness training. Traditional annual training sessions often fail to engage employees effectively. Foulon offers a solution: “That drives hesitancy for someone to invest, as we’re talking about 60 minutes of time to watch something, and then you have to drag through it and they put it off all the time. But if you break that into chunks and present it in a way that they can take back to their personal life, they then take that security awareness, bring it into their personal sphere, and then it improves both their own safety awareness and the business’s safety awareness.”

By incorporating real-world relevance and digestible, practical lessons, Foulon’s coaching method enhances both employee engagement and overall organizational security. This dual focus on personal and corporate security fosters a more vigilant and informed workforce, crucial in the age of sophisticated cyber threats.

Foulon’s insights reveal a cybersecurity landscape where the lines between personal and professional safety blur—a reality that demands a holistic approach to educating and safeguarding an organization’s human element.

Final Thoughts

Expert insights from the transcript outline the compelling necessity of bridging the language gap between security and business through relatable concepts like safety. The incremental approach to process improvements emerged as a core theme, underscoring the need for agility and continuous resilience against evolving threats. Moreover, data classification surfaced as the bedrock of an effective cybersecurity strategy, stressing its role in protecting critical information and ensuring business continuity.

Foulon’s coaching philosophy shifted the focus from conventional consultant-client dynamics to a more engaging, empowering relationship. This paradigm shift encapsulates the essence of modern cybersecurity practices, emphasizing education, practical relevance, and a collaborative drive towards a secure yet agile organizational environment.

Adhering to these principles can transform any organization into a resilient fortress, equipped to navigate the complex and ever-changing landscape of cybersecurity challenges.

Timestamp Summary

0:00 Achieving Business Resiliency Through Incremental Cybersecurity Improvements
9:55 Staying Updated on Cybersecurity Threats with RSS Feeds
18:44 Debunking Cybersecurity Myths and Emphasizing Practical Solutions
26:48 Planning and Testing Disaster Recovery for Hurricanes and Tornadoes
27:38 Building Resilient Security Programs and Staying Connected