Saturday, November 8, 2025

Making Cyber Risk a Company-Wide Priority

SINC Fireside Chat: Security Is Everyone's Job: Aligning Cybersecurity and Business Through Leadership and Trust. Cybersecurity isn't just about protection; it's about performance. When security is embedded into the organization's fabric, aligned with business objectives, and championed by leadership, it becomes a catalyst for growth, resilience, and mission success.


Cybersecurity is a Business Imperative

Boards and executive leadership increasingly recognize cybersecurity as a core business risk. Awareness is high, but execution gaps remain. Regulators and investors expect demonstrable governance, transparency, and effective cyber programs that protect revenue, enable strategic initiatives, and preserve brand trust.

The most mature organizations treat cyber risk as enterprise risk. Risks are measured, prioritized, and funded, and owners are held accountable to the business. Frameworks such as NIST CSF and CIS Controls offer practical structures to operationalize these principles.


Governance turns to Execution

Cybersecurity governance must extend from the board to the CEO, CISO, CIO, and business leaders. Integration starts with:

  1. Incorporating security into workflows — embedding controls into product development, procurement, onboarding, and vendor intake.
  2. Making security habitual — through frictionless solutions such as single sign-on, passwordless access, automated patching, and secure defaults.
  3. Defining role-based responsibilities — integrated into job descriptions and performance reviews.
  4. Delivering contextual learning — just-in-time nudges within email and collaboration tools.
  5. Embedding security champions — within business functions like engineering, HR, and sales to act as internal service partners.


Risk Translated into Business Terms

Start with a value map connecting critical business assets (revenue streams, intellectual property, and customer data) to the cyber controls that protect them. Define risk appetite and thresholds to clarify acceptable downtime or data loss. Translate these into measurable KPIs such as:

  • Percentage of revenue-impacting systems patched within SLA
  • Mean time to detect and remediate incidents
  • Frequency of resilience and recovery tests passed
  • Risk exposure and ROI of cyber investments
  • Third-party assurance levels for critical vendors

Measurements that show business impact and risk trend lines help leadership make informed, strategic decisions.


Quantifying and Communicating Risk

Adopting Cyber Risk Quantification (CRQ) enables leaders to evaluate potential financial impacts (lost revenue, remediation costs, fines) and compare them with other enterprise risks in a shared business language.
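The quantification step is easiest to see with numbers. The following is an added example, not code from the fireside chat or its presenters: it models each risk scenario FAIR-style (an assumption here, since the post names no particular CRQ method) as an annual event frequency drawn from a Poisson distribution times a per-event loss drawn from a lognormal distribution, runs a Monte Carlo simulation of annual losses, and reports the figures a board conversation needs: expected annual loss, the 50th and 95th percentile annual loss, and the probability of exceeding a stated risk appetite. All scenario figures and the appetite threshold are constructed sample inputs.

```python
"""Toy Cyber Risk Quantification (CRQ): Monte Carlo annual-loss model.

Assumption (not from the original post): each scenario is modeled FAIR-style as
event frequency (Poisson) x per-event loss magnitude (lognormal). Scenario
figures below are constructed sample inputs for illustration only.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # expected number of loss events per year (Poisson mean)
    median_loss: float      # median loss per event, in dollars
    loss_spread: float      # sigma of the lognormal magnitude (1.0 = wide uncertainty)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates typical in CRQ."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, years: int = 10000, seed: int = 7) -> list:
    """Total loss for each of `years` independent simulated years."""
    rng = random.Random(seed)
    mu = math.log(s.median_loss)  # lognormal median = exp(mu)
    totals = []
    for _ in range(years):
        n = _poisson(rng, s.events_per_year)
        totals.append(sum(rng.lognormvariate(mu, s.loss_spread) for _ in range(n)))
    return totals


def percentile(values, q: float) -> float:
    """Nearest-rank percentile (q in [0, 1]) of a list of annual losses."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(round(q * (len(ordered) - 1))))
    return ordered[idx]


def summarize(s: Scenario, appetite: float, years: int = 10000, seed: int = 7) -> dict:
    """Board-level view of one scenario: expected loss, tail loss, appetite breach odds."""
    losses = simulate_annual_losses(s, years, seed)
    return {
        "scenario": s.name,
        "expected_annual_loss": sum(losses) / len(losses),
        "p50_loss": percentile(losses, 0.50),
        "p95_loss": percentile(losses, 0.95),
        "p_exceeds_appetite": sum(1 for x in losses if x > appetite) / len(losses),
    }


def rank_scenarios(scenarios, appetite: float, **kw) -> list:
    """Rank scenarios by 95th-percentile annual loss, worst first."""
    rows = [summarize(s, appetite, **kw) for s in scenarios]
    return sorted(rows, key=lambda r: r["p95_loss"], reverse=True)


def analytic_expected_annual_loss(s: Scenario) -> float:
    """Closed form E[annual loss] = lambda * exp(mu + sigma^2 / 2); a sanity check on the simulation."""
    return s.events_per_year * s.median_loss * math.exp(s.loss_spread ** 2 / 2)


# Constructed sample scenarios (illustrative figures, not real data).
SCENARIOS = [
    Scenario("Ransomware on revenue systems", events_per_year=0.3, median_loss=2_000_000, loss_spread=1.0),
    Scenario("Third-party data breach", events_per_year=1.2, median_loss=300_000, loss_spread=0.8),
    Scenario("Regulatory fine for late disclosure", events_per_year=0.1, median_loss=5_000_000, loss_spread=0.5),
]
RISK_APPETITE = 3_000_000  # constructed: annual cyber loss the board deems tolerable

if __name__ == "__main__":
    for row in rank_scenarios(SCENARIOS, RISK_APPETITE):
        print(f"{row['scenario']:<38} EAL ${row['expected_annual_loss']:>12,.0f}  "
              f"P95 ${row['p95_loss']:>12,.0f}  P(loss > appetite) {row['p_exceeds_appetite']:.1%}")
```

The ranking by 95th-percentile loss, rather than by expected loss alone, is deliberate: a low-frequency, high-severity scenario can have a modest expected annual loss yet still be the one most likely to breach the appetite threshold in a bad year, which is the tradeoff the tabletop exercises described next are meant to surface.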

Run tabletop exercises that use these quantified scenarios to prepare the board for tradeoffs, investment decisions, and communication strategies. Brief leadership concisely — focus on scenario impacts, not technical detail.

Embed cyber oversight into board committee charters (audit, risk, or dedicated cyber committees) and establish standing agenda items for top risks, readiness, and compliance updates. Use leadership pipelines to influence vendors, reinforce supply chain security, and restore customer trust after incidents.


Build a Culture of Security

Technology without culture is brittle. Sustainable resilience depends on the synergy of People, Process, and Technology, each reinforcing the other, an emphasis my co-presenter established.

  • People are the first line of defense and the most vital element to maturity and success. Leadership must model secure behavior, reward good security habits, and foster psychological safety where employees report issues without fear of blame.
  • Process provides structure and balance between the other pillars. Embed security governance into workflows, performance measures, and decision-making routines across business functions.
  • Technology amplifies capability and supports the structure built. Invest in frictionless, adaptive solutions that enable security by design and reduce complexity for users.

Together, these pillars create a resilient ecosystem where security becomes second nature, not a separate discipline.


Measuring Readiness

Run annual board-led tabletop exercises to test decision-making and communication readiness. Track key indicators such as time-to-decision, time-to-public communication, and exercise frequency. Maintain pre-approved playbooks for communications, legal response, and escalation paths.

Leadership should:

  • Approve the top 5-10 enterprise cyber risks and risk appetite definitions.
  • Endorse funding for a CRQ pilot and prioritized CIS Controls implementation.
  • Commit to an annual tabletop exercise and a monthly top-risk dashboard.


Conclusion

It's an honor to help empower cybersecurity and business leaders with strategies that transform technical risk into business urgency and position cybersecurity as a true business driver.

A modern take on the Security "CIA Triad" extends beyond confidentiality, integrity, and availability to include:

  • Communication — telling the "why" story that resonates across the enterprise.
  • Integration — fostering genuine, enterprise-wide partnership.
  • Adaptation — driving innovation to advance the organization's mission.

This discussion extends and deepens the conversation around cybersecurity as a business imperative: a leadership discipline that drives trust, resilience, and competitive advantage.


Wednesday, November 5, 2025

Software Supply Chain in Crisis

CISO panel discussion at Cyber Defense Conferences on evolving third-party and AI supply chain risks

Third-party and software supply chain threats are escalating in complexity and frequency, driven by trusted access, automation, and the rapid adoption of AI. Traditional governance models reliant on static assessments and siloed controls are no longer sufficient. A shift toward continuous, integrated, and behavior-based security is imperative.


Key Insights

  • Fundamentals still matter
    Core security principles including strong credentials, least privilege, layered defenses, and Zero Trust Architecture (ZTA) remain foundational. These principles must extend across third-party ecosystems.
  • Third-party risk is a growing threat vector
    Attackers exploit trusted relationships, leveraging vendor access, CI/CD credentials, and automated update pipelines to bypass controls. The software supply chain remains fragile due to fragmented ownership across AppSec, CloudSec, and Vendor Risk.
  • AI-Native Dependencies Expand the Attack Surface
    AI vendors introduce opaque models, broad API integrations, and sensitive data flows. This creates new risks: model tampering, data leakage, and abuse of delegated access.
  • Velocity Outpaces Governance
    The scale and speed of modern development, particularly with GenAI, have outstripped traditional security and compliance models. Manual vetting can no longer keep pace.
  • Nation-state and ransomware threats converge
    Adversaries increasingly target SaaS and developer ecosystems for espionage, disruption, and extortion. Supply-chain compromise offers persistent access and high-leverage impact.


Strategic Actions

  1. Modernize vendor governance
    Transition from static questionnaires to continuous trust models. Require SBOMs, runtime attestations, CI/CD hygiene evidence, and enforce phishing-resistant MFA and rapid credential revocation.
  2. Institutionalize continuous validation
    Adopt CTEM-like models for third-party and supply chain risk. Automate dependency scanning, runtime enforcement, and least-privilege enforcement for connectors and APIs.
  3. Govern AI-generated code
    Implement CI policies requiring AI-generated code to be flagged, scanned, and reviewed especially for critical modules. Make this process auditable and enforceable.
  4. Prepare for supply chain campaigns
    Develop cross-functional incident playbooks. Simulate package compromise scenarios, enforce CI runner isolation, and ensure rapid token rotation and rollback capabilities.
  5. Unify ownership across domains
    Assign a supply-chain risk owner (e.g., CISO, Legal, and IT lead) with authority to enforce cross-team controls. Align SLAs and runbooks across AppSec, DevOps, CloudOps, and Vendor Risk.


Securing today's dynamic and delicate supply chain ecosystem demands more than tools: a strong third-party risk management program rooted in a risk-based tolerance approach and executed through enterprise-wide partnership, trusted vendor relationships, and continuous validation. Next up, 4th-parties...


Thursday, October 16, 2025

October Cybersecurity Awareness

A Day of Cybersecurity Leadership, Technology, and Collaboration

What an inspiring day surrounded by cybersecurity leadership, technology, and collaboration. It was incredibly rewarding to see an entire organization come together to learn, share, and innovate toward a more secure future.


The morning began with a technical deep dive into an Application and Developer Security Platform that engaged participants across disciplines: developers, architects, analysts, and even non-technical team members eager to understand the benefits of an integrated BizDevOps and DevSecOps approach across the SDLC and vulnerability management lifecycle.


Key highlights included exploring capabilities that deliver visibility across the developer's path to production, from code inspection checkpoints to coverage spanning multiple languages, frameworks, and platforms, including infrastructure, containers, and workflows. Visibility and discovery remain essential to strong security postures, and the ability to scan environments for flaws, misconfigurations, and dependencies enhances protection from the start. Through SAST, DAST, and SCA techniques, participants witnessed how pre-deployment and runtime vulnerabilities can be detected earlier, reducing risk and remediation costs.

This "shift-left" approach not only embeds security into development but also strengthens collaboration between business and technology, creating actionable remediation and continuous improvement opportunities.


Fireside Chat with Security Leadership

The day continued with a company-wide fireside chat, moderated by the CISO, featuring security leaders in the organization. The session began with a creative twist: introductions without using the words cyber, security, or technology. With the CISO setting the tone ("I promote the company vision and protect member information"), the discussion blended humor, engagement, and depth. Key topics covered leadership journeys, personal motivations, and practical insights. A light-hearted "Would You Rather…Lead this Way" segment sparked great energy, while the conversation delved into meaningful areas such as:

  • Cyber maturity and leadership evolution – highlighting how strength, curiosity, and adaptability shape effective teams.
  • Personal passions and superpowers – underscoring empathy, adaptability, and awareness as key leadership traits.
  • Security at home – emphasizing that cyber hygiene applies to family members: strong passwords, MFA, phishing awareness, and router security.
  • AI and innovation – exploring both opportunity and responsibility, balancing progress with privacy and ethical guardrails.
  • Resiliency as a core principle – reinforced through the importance of backups, continuity, and operational safeguards.


Audience participation was lively, with thoughtful questions on topics such as password managers, MFA vs. passwordless authentication, and AI's evolving role in cybersecurity.


The session closed with scenario-based questions that brought humor and reflection, purposefully debating situational but practical scenarios, including:

  • Building a rock-star team with no experience but eager learners, or seasoned veterans who are overworked and burnt out.
  • Short-term wins that boost morale, or long-term goals that bring short-term pain.
  • Budget cuts that spare innovation but safeguard core operations, or cutting operations for future growth.


Afternoon Sessions

The afternoon featured a showcase of the organization's security pillars, including Compliance and Governance, Security Operations, Incident Response, Architecture, Security Awareness, and Third-Party Risk Management. Each security pillar leader shared updates and priorities, reinforcing how aligned security functions drive enterprise resilience.


The day concluded with interactive trivia focused on industry best practices, followed by prizes and giveaways recognizing participation and celebrating strong partnerships with leading security vendors and solution providers.


Key Takeaways

  • Integration matters: Embedding security into every stage of development enhances visibility and collaboration and speeds remediation.
  • Resilience requires preparation: Backups, testing, and awareness are vital both at work and at home.
  • Leadership through partnership and collaboration: Cybersecurity thrives when technology, business, and people share responsibility.
  • Balance innovation and governance: AI and automation drive progress but require ethical and strategic guardrails.
  • Culture is the differentiator: Awareness, engagement, and shared accountability strengthen the entire security ecosystem.
  • Power of partnership cannot be overstated, as security excellence is reflected across business lines that strengthen us through collaboration with our vendors, third-party partners, and trusted service providers.

See my LinkedIn post for vendor and product solution partner names.

Monday, September 29, 2025

If You Only Listen to One Podcast

Mel Robbins joined by Emma Grede 

Success, in leadership and in life, starts with understanding yourself. Self-awareness is knowing your values, strengths, and blind spots. It's a continuous process: set clear, near-term milestones to measure progress, and seek constructive feedback from trusted mentors who challenge you to grow.

To sharpen decision-making and deepen empathy, it's vital to broaden your perspective by expanding your network and pursuing diverse experiences. While deep expertise is essential, becoming overly protective of your domain can limit collaboration and innovation. True influence stems from how you show up, not always from what you know. Your presence, attitude, and openness define your leadership impact.


My daughter shared a podcast that resonated with me, so I took notes mid-flight. Below are key reflections and personal takeaways that I've adapted into my own leadership mindset:

  1. Remember your roots – Honor where you come from and the lessons that shaped you
  2. Own your accountability – Growth starts when you stop assigning blame and start looking inward
  3. Practice the art of letting go – Inspired by Japanese philosophy, accept what is and release what holds you back
  4. Protect your energy – Focus on what's within your control; don't dwell on what drains you
  5. Pursue your higher self – Surround yourself with people and environments that challenge your growth
  6. Take pride in your actions – Lead by example, beginning with self-care and personal wellness
  7. Consistency matters – How you do anything is how you do everything; manifestation requires action
  8. Redefine perfection – Aim for "your version of good enough" and avoid comparison traps
  9. Make decisions boldly – Perfectionism can paralyze, so commit and then course-correct as needed
  10. Be present and intentional – Your mindset shapes your path, own where you are and where you're going
  11. Embrace the Rule of Thirds – Expect a mix of good, bad, and in-between days every day; perspective is power
  12. Leadership is earned – Experience builds wisdom and every challenge is part of your leadership journey
  13. Be passionately curious – Immerse yourself in your craft; know your domain inside and out
  14. Value relationships – Networking is a tool, but authentic connections drive success
  15. Seek mentorship – Great leaders don't go it alone; wisdom is often shared, not found in isolation
  16. Tell your story well – Craft a compelling narrative with clarity and authenticity to win hearts and minds
  17. Back confidence with knowledge – Deep understanding of your field and markets builds credibility
  18. Embrace feedback – Listening and acting on input is a mark of maturity and resilience
  19. Adopt innovation early – Leveraging AI and emerging tools isn't optional, it's progress
  20. Stay grounded in self-awareness – Adapt with purpose, stay true to your values, and lead with intent

Every journey is both personal and professional. The key is balancing ambition with reflection and knowing when to push forward, when to pause, and how to grow with clarity and conviction.


Life's a journey, not a direct flight — growth happens between takeoff and landing. So keep flying, learning, and adjusting your course along the way.

Sunday, September 7, 2025

2025 Leadership Summit

AAA Leadership Summit was an extraordinary event organized by our L&D team, featuring impactful keynotes from board members, officer-led speakers, and associate-driven presentations. The sessions sparked reflection, inspiration, and provided valuable networking opportunities across all levels of the organization.

One session led with laughter, highlighting how humor, when used appropriately, can demonstrate confidence, build rapport, and increase engagement. Storytelling techniques such as the "rule of three" (premise, point of view, and the twist) were emphasized as powerful tools for communication. For example: I asked for a coffee, a donut, and a raise. The rhythm and structure reinforce memorability and impact.

If humor isn't your strength, the question becomes, what is your superpower? When identified and consistently applied, it enables you to articulate your value, sharpen your focus, and build trust and influence. Coupled with other key leadership practices, these insights can make you indispensable within your organization:

  • Pursue an organization that motivates you and aligns with your core interests.
  • Ensure the culture you operate in reflects your beliefs, as misalignment can limit your potential.
  • Set realistic short-term goals to build momentum through progress and achievements.
  • Recognize the power of networking as it should always remain top of mind.
  • Learn from setbacks by recovering quickly, being comfortable asking for help, and applying lessons learned.
  • Know when to stay and make an impact, and when it's time to seek other opportunities that better fit your passions and values.
  • Be confident even when it feels uncomfortable, as discomfort drives growth.
  • Surround yourself with leaders who both challenge and support you on your journey.
  • Establish boundaries to balance organizational demands with personal well-being.
  • Lead with intention as authentic leadership inspires and sustains long-term success.

No summit these days would be complete without a discussion on AI. Its promise is no longer theoretical. The value is emerging now through company-approved platforms such as Microsoft Copilot or enterprise-class OpenAI licenses. AI can deliver actionable insights, drive automation, spark innovation, and improve efficiency. When aligned with business strategy, clearly defined objectives, and targeted use cases, AI transforms from concept to tangible results with measurable business impact. With this opportunity comes responsibility. AI without guardrails risks inconsistency, hallucinations, and ethical challenges.

Ask AI to generate your professional bio, then evaluate the accuracy of the output. This illustrates both its potential and the critical need for oversight.

Blending collaboration, innovation, and community impact, the Summit highlighted new ways forward and included a putt-putt activity that raised support for the Second Harvest Food Bank of Central Orlando.