Security Innovation Roundtables (SIR) have become a featured aspect of Stratascale’s Cybersecurity Horizon Report process. After publishing our perspective on a critical industry topic, we host sessions for security leaders, learning from their perspectives on the issue and sharing highlights from our research. The SIR following Cybersecurity Strategy for the Looming Regulatory Quagmire was a perfect example of how this approach helps stimulate executive-level discussion, enabling security leaders to calibrate their own approaches and positions through peer-level dialogue. The session, which was at capacity with 6 guest CISOs/compliance leads and 6 Stratascale SMEs, examined 5 key assumptions underlying our Governance, Risk, and Compliance (GRC) research. The energy that all participants brought to the discussion provided vivid proof of the importance of GRC and the complexity associated with plotting a comprehensive security strategy for a major corporation.
The first 2 research assumptions were coupled under the header “Balancing risks and threats”: the belief that CISOs need to address what McKinsey describes as “cyber-risk” – one of many classes of risk that is managed at a senior leadership team (SLT) of board of directors level – and “cyberthreats” – the constant whirlwind of threats, attacks, and vulnerabilities that security teams deal with on a daily basis.  The roundtable discussion revolved around 4 major themes:
Focusing on/the importance of compliance. Key quote: “What you find is, people assume that they know what they have to comply with – ‘Oh, it’s patient records!’ and so forth – and vendors come to you and say, ‘We’re HIPAA compliant or HIPAA certified’ – but you have to understand what’s really happening, what it means to be compliant, because everybody – CMS, state inspectors, joint commission on accredited hospital organizations – comes in to audit you.”
“Table stakes” vs. specific requirements and actions. Key quote: “It’s almost like there are two buckets here. One is ‘doing the things you need to do from a governance standpoint’; the other is, ‘where GRC meets security practices.’”
Balance is achieved through a journey – and it can be upset by factors outside your planning scope. Key quote: “CISOs need to be able to effectively tie specific requirements to meaningful executive metrics – and also need to be prepared for the need to respond to wild card events.”
There is a reckoning coming. Key quote: “The finance guys can’t promise us that we’re always going to make budget. And I can’t promise you that we’re never going to get hacked.”
The second half of the conversation focused on the other 3 core research assumptions: the importance of frameworks to align controls with compliance requirements, use of common tools to reduce cost and complexity, and the need for innovative thinking to hold back the regulatory quagmire.
The discussion of frameworks became quite detailed, with participants debating benefits of different approaches, and explaining how they were using frameworks (in part, in whole, or in combination) to develop and articulate their GRC approaches. The common tools discussion, which originated from a point made in the research report, also spurred spirited debate: Which tools enable businesses to meet multiple objectives – both GRC and other requirements – and what is the best way to identify and deploy them? At this juncture, we hit the end of our reserved time – if we hadn’t, the conversation might still be going! All of the roundtable guests were very focused on GRC issues and eager to discuss them in more detail. To close, participants were asked if the roundtable represented a good use of time. Responses illuminated a key reason why the Security Innovation Roundtables are so important to Stratascale clients: Even the client firms attending (all of which have billions of dollars in annual revenue, ranking as high as top 50 on the Fortune 500 list) have a need to connect with peers and validate their directions.
Stratascale is pleased that we are able to provide a context that is helpful to senior security leaders via our Security Innovation Roundtables and committed to making these a feature of our cybersecurity research streams. The next Security Innovation Roundtables, on Zero Trust, are scheduled for July 26th (10:00-11:30 EDT) and July 27th (1:00-2:30 EDT). Seating is extremely limited: there are only 12 available seats, and some will be claimed by the security leaders (4 client CISOs and 3 external industry experts) who have contributed to this research series. If you would like an invitation to one of these executive-only sessions, please contact your Stratascale relationship manager, or follow this link to the registration form.
 The cyber-risk/cyberthreat distinction is used frequently by McKinsey: examples include Boehm et al., The risk-based approach to cybersecurity. McKinsey & Company, October 8, 2019 https://www.mckinsey.com/business-functions/risk-and-resilience/our-insights/the-risk-based-approach-to-cybersecurity and Boehm et al., Enhanced cyberrisk reporting: Opening doors to risk-based cybersecurity. McKinsey & Company, January 29, 2020