Hello. Welcome to the cybersecurity leadership and management course. Today, we'll be discussing cybersecurity leadership: the task force committee. My name is Cicero Chimbanda, and I will be your instructor for this course.

Cybersecurity leadership task force committee. The role and responsibility of a cybersecurity leadership task force is to define the strategy, execute it, and assess the improvement of the organization within cybersecurity. In this course, we're going to be discussing and answering the following questions: What is a cybersecurity leadership task force committee? Why have a cybersecurity leadership task force committee? Lastly, we will discuss how to construct an effective cybersecurity leadership task force committee.

What is a leadership task force committee? The definition and the purpose of the cybersecurity leadership task force come from the executive management model, where usually our organization operates with assigned and appropriated specific committees to deliberate tasks that are initiatives from the board or senior management. In this example, you see senior management, and usually the CEO sits there and facilitates, with the board, the different types of committees. You see there's a risk committee, an audit committee, a compliance committee, a pay committee, and a corporate governance committee, which typically is where the cyber governance committee lies. I must say this will depend on the type of organization. Obviously, if it's a privately held company, it will operate in a different way. If it's a not-for-profit organization, a governmental agency, or a publicly traded company, all those organizations will function in a different manner. But for the most part, the leadership task force committee will start with the head of the cybersecurity program, which in this case is the Chief Information Security Officer.
As we looked at in the previous course, we discussed how important the role of a CISO is within an organization, and the different types of CISO. You can refer back to the previous video. But the main deliverable that we will discuss is that, in order to be an effective leader within the leadership task force, a CISO must assume the responsibility of delivering the three main components of STS. We will look in more detail at how that is done. But security, trust, and stability become the focus of where the CISO wants the cyber governance committee, or the leadership task force committee, to deliver its tasks. You've seen this model. We believe that STS, or security, trust, and stability, has two main components delivering out of it. One is leadership skills, and the other is managerial or management skills. This is what is needed for the cyber leadership task force committee.

What is a leadership task force committee? Well, as we discussed, the definition of information security is to understand and bear the ultimate responsibility for confidentiality, integrity, and availability. You see, the corporation has assets, and there are bad actors out there. The goal of the bad actors is to try to infiltrate and get to the corporate assets. By providing confidentiality, integrity, and availability, one will do this with, as we discussed, STS, security, trust, and stability, and in turn deliver the ultimate goal of business alignment. That is assuring that the cybersecurity program being led by the leadership task force committee delivers the organization's strategy, so that the cybersecurity program is aligned with the organization's strategy. It assures that the cybersecurity program is meeting all the regulatory obligations, or regulatory systems.
Lastly, that the cybersecurity program, through the leadership of the task force, keeps in mind that operational excellence is of the utmost importance, because the clients, the organization, the shareholders, and the stakeholders really rely on the operational excellence of the organization, the stability. This leads us to that formula that we've seen before, and we'll continue to talk about it as we progress in this course: STS brings CIA, which brings OS/RS/OE. You've seen this model. We'll discuss this a lot more in our fourth course, where we're talking about the business models. But one of the models that we're addressing in this course is the business change model, the McKinsey 7S change model. We've seen and defined this before: the top structure of the hard skills of leadership is strategy, structure, and systems. This is where the leadership task force committee will show the management board the confidence that it understands it will carry out what is aligned with the hard skills, which are the structure, the strategy, and the systems. In addition, the managerial skills of the cyber task force will continue to make sure that the style of the corporation, the skill sets of the organization, and the staffing are all aligned with the cybersecurity program so that there will be success. Lastly, within the core, we have the shared values. It's important that whatever cybersecurity program is put in place, the leadership task force committee understands that it's got to be aligned with the shared values of the organization.

Why have a cybersecurity leadership task force committee? Going back again to the CIA triad: the CIA triad is also known specifically as confidentiality, integrity, and availability. Confidentiality looks at disclosure to unauthorized users. You want to make sure that there's confidentiality in the data that you are providing. You want to make sure that there are no improper modifications, which brings in the integrity within the CIA triad.
Also, the non-access of resources: the resources are also available when users are authorized to access that information. You've seen this slide before. If we look at the specific controls that will bring confidentiality, as we look at the confidentiality model, it's the cybersecurity domain. It's a term that is aligned with the principle of least privilege, the principle that requires the system to grant restrictive privileges at the lowest clearance. One way to bring that confidentiality is by adopting encryption mechanisms. This will prevent sensitive information from being leaked or stolen, or, if it is leaked or stolen, then it will not be able to be breached or disclosed because it is ciphered from plaintext.

Integrity. Well, the importance again of bringing integrity is protecting data from being changed or deleted. Non-repudiation is the ability to have digital signatures that can provide validation of who sent what and when it was sent, having an accountability module. Then WORM is write once, read many. These are disks or software devices that allow data to maintain its integrity, so that no one can write over, delete, or erase it inadvertently or intentionally.

Availability. The ability to provide business continuity, high availability in the event of a disaster, natural or a cyber attack, eliminating single points of failure, making sure that your assets or your resources are not brought down because of attacks such as distributed denial of service, DDoS. Again, the importance of security, trust, and stability is where you want to be; by introducing the information security controls, you will assure these components are in place. Again, as we talk about the importance of STS. Continuing, the task force intentionally focuses on alignment, bridging cybersecurity to business success. Security is the quality or state of being secure, such as freedom from danger.
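The integrity controls just described, write-once storage and protection against data being changed or deleted, can be shown concretely. The following is an added example, not code from the course or the instructor: a small in-memory ledger with WORM semantics (an existing record id can never be overwritten) and a SHA-256 hash chain, so that any later modification of a stored record is detected by a verification pass. The class and function names (`WormLedger`, `demo`) and the sample audit records are constructed for this example. It deliberately does not cover digital signatures for non-repudiation, which would need asymmetric keys; it illustrates only the write-once and tamper-detection aspects.

```python
import hashlib
import json
from typing import Dict, List, Optional


class WormLedger:
    """Write-once, read-many record store with a SHA-256 hash chain.

    Each appended record stores the hash of the previous record, so a later
    modification or deletion of any record breaks the chain and is detected
    by verify_chain(). Appending under an id that already exists is refused,
    which is the "write once" property of WORM storage.
    (Hypothetical class constructed for this example.)
    """

    GENESIS = "0" * 64  # chain anchor for the first record

    def __init__(self) -> None:
        self._records: List[Dict[str, str]] = []
        self._ids: set = set()

    @staticmethod
    def _digest(record_id: str, payload: str, prev_hash: str) -> str:
        # Canonical JSON keeps the hash stable regardless of dict ordering.
        material = json.dumps(
            {"id": record_id, "payload": payload, "prev": prev_hash},
            sort_keys=True,
        ).encode("utf-8")
        return hashlib.sha256(material).hexdigest()

    def append(self, record_id: str, payload: str) -> str:
        """Append a record; refuses to overwrite an existing id."""
        if record_id in self._ids:
            raise PermissionError(
                f"record {record_id!r} already exists; WORM forbids overwrite"
            )
        prev_hash = self._records[-1]["hash"] if self._records else self.GENESIS
        entry = {
            "id": record_id,
            "payload": payload,
            "prev": prev_hash,
            "hash": self._digest(record_id, payload, prev_hash),
        }
        self._records.append(entry)
        self._ids.add(record_id)
        return entry["hash"]

    def read(self, record_id: str) -> Optional[str]:
        """Read-many: any record can be read as often as needed."""
        for entry in self._records:
            if entry["id"] == record_id:
                return entry["payload"]
        return None

    def verify_chain(self) -> bool:
        """Recompute every hash and link; False on any modification or deletion."""
        prev_hash = self.GENESIS
        for entry in self._records:
            if entry["prev"] != prev_hash:
                return False
            if self._digest(entry["id"], entry["payload"], entry["prev"]) != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True

    def tamper_for_demo(self, index: int, new_payload: str) -> None:
        """Simulates an out-of-band modification of stored data (demo only)."""
        self._records[index]["payload"] = new_payload


def demo() -> dict:
    """Shows the three properties: intact chain, refused overwrite, detected tamper."""
    ledger = WormLedger()
    ledger.append("audit-001", "user alice granted role reader")  # constructed sample
    ledger.append("audit-002", "user bob revoked role admin")     # constructed sample
    intact_before = ledger.verify_chain()
    try:
        ledger.append("audit-001", "user alice granted role admin")
        overwrite_blocked = False
    except PermissionError:
        overwrite_blocked = True
    ledger.tamper_for_demo(0, "user alice granted role admin")
    return {
        "intact_before": intact_before,
        "overwrite_blocked": overwrite_blocked,
        "intact_after_tamper": ledger.verify_chain(),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the three checks: the fresh chain verifies, the second write to `audit-001` is rejected, and after the simulated modification the chain no longer verifies. A real WORM device enforces the overwrite refusal in hardware or firmware; the hash chain is what lets a reviewer prove, rather than assume, that nothing was changed.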
For example, safety, as well as a measure taken to be safe, to be protected. One can achieve this by making sure that you gain visibility. You make sure that your posture is visible to internal clients, to shareholders, to partners, to clients, to vendors, promoting risk awareness. You want to make sure that trust is also built by optimizing risk: understanding your risk tolerance, understanding what the vectors for those risks are, and then also maintaining compliance, understanding your regulatory obligations, the industry that you're in, and what some of the laws are that you must adhere to. All those components must go into the inputs of building that trust. Lastly, stability. There is no way you will be able to convince a board that you deserve to have a seat at the table if your organization is not stable. You have to prove that your program assures and keeps the areas accountable for having stability by having increased resilience. This is done in ways such as enhancing security controls that will uphold the organization's ability to deliver the intended outcome continuously despite events, whether natural or a cyber attack. Once you are doing these controls, information security controls, you are increasing your posture, you're increasing your value added, you're increasing the strength of your organization in the area of cybersecurity. Now, this doesn't happen overnight. You have to institute a lifecycle that can bring the organizational strategy, the regulatory systems, and the operational excellence. I submit to you here that one is able to do this by approaching it in a phased manner. We'll talk more about those phases, but you have to design your cybersecurity program with all these components in mind, you have to execute, and then you evaluate, and you have a continuous lifecycle in your cybersecurity program.

How do we construct an effective cybersecurity leadership task force committee?
The process of constructing an effective cyber leadership task force committee begins with the key leadership relationships: defining and executing an assessment for continuous improvement within the cybersecurity program. As we looked at earlier, it starts with a CISO. At the design phase, the CISO begins by putting together the cybersecurity program. They get that buy-in, or sponsorship, or authority from the board, the CEO, or the board of directors. It's very important: before you begin, you need to be deputized. You need to be backed. Then, once the CISO brings in security, he partners up with the chief compliance officer, or a legal professional, or somebody like that. If you don't have one internally, you can always use your external legal practice; engage them to help you convey the importance of building trust within your cybersecurity leadership task force. Then you also want to have either a CIO or a CTO, so that the technology functions are part of your task force. Now, typically these can be co-chairs. All three of them can be co-chairs, or the co-chairs can be the CISO and the CCO, or the CISO is the lone chair. Nevertheless, what's important is that it will vary by organization, or it will vary by function, by the maturity of the individuals in those roles. But it's important that you have at least those representatives on that board: at minimum, the CISO, who brings security; the chief compliance officer, who brings trust; and then the chief information officer or the chief technical officer, who brings the stability portion of STS.
Along with these individuals, you want to make sure that you bring in your CFO, or a representative of your financial responsibilities; the CEO; the COO, the chief operating officer, if the company has one, the operations side of the house; and lastly, human resources, which will focus on the employees, the implementation, and making sure employees are adhering to, or being treated fairly in, the policies that are being implemented and enforced. Last but not least, definitely, you need to make sure that your business units are part of your leadership task force committee. I would say that the biggest hindrance to the success of a task force is not having enough business representation. It is not a technical problem; cybersecurity is not a technical problem. Technology is one-third of the components of cybersecurity posture, one-third. The businesses need to make sure that they are involved, because obviously you've got the element of procedures, and you've got the element of people, the other two-thirds. Businesses need to be involved: the heads of businesses in different areas, the individuals that are responsible for the P&L. The higher the responsibility for P&L, the more interested they will be in assuring that your cybersecurity does not hinder business, but also does not add liability where they can lose business.

Leadership task force, cybersecurity task force, bringing security, trust, and stability. You do it through leadership, you do it through management. In doing so, in the phases of design, execution, and evaluation, these are some of the implementation and delivery points that you want to make sure are in place. At the design phase, in defining and developing your cybersecurity program lifecycle through your task force, you want to make sure it provides a forum for the key business areas to prioritize and put things in perspective. This is the information that will be gathered at the design level.
Then at the execution level, you want to make sure that in the implementation and delivery there is accountability. Assure that the key performance indicators and key risk indicators are defined and measured; that's the accountability. You want to make sure there's recognition, proper recognition, that visibility, if proper controls are in place to address the key performance and key risk indicators. Then the last phase, which is evaluation, the assessment and review: you want to make sure that feedback is in place. They'll create a forum for feedback to senior executives, feedback to the employees, regulatory agencies, the clients, the vendors. Communication, and the input of that communication to improve your lifecycle, and then lastly, the assessment and evaluation, which then becomes an input back into the first phase, the design, when you're improving your program.

Once a cybersecurity task force, the committee, is assembled, you want to make sure it delivers success. Success starts at the top; it starts with the chief information security officer. It starts by him or her developing their leadership skills, as we were talking about in this course, with all the different components, and then the management skills, developing and growing in those skill sets. Then using the task force committee to assure the successful delivery of the cybersecurity program. Again, STS, security, trust, and stability, these are the main core cells that you want to keep in mind as you are growing in your leadership, growing in your management skills. Because that is what brings that confidentiality, that integrity, that availability that's required for any information security program. In doing so, you have alignment to the organization's strategy, you have alignment to the regulatory systems that the organization must comply with, and you can assure operational excellence, which is demanded by any organization in order to prosper and to grow.