ICIT Certified Content: This content has been reviewed by ICIT and deemed valuable content for the community.  We encourage you to study it and socialize it with your networks. The essay, authored by Malcolm Harkins, ICIT Fellow and Chief Security and Trust Officer, Epiphany Systems, was initially published in the Spring 2022 Issue of United States Cybersecurity Magazine.

In the relentless battle to protect their companies, CISOs must fight on two fronts against two very different adversaries with competing missions, two battlefields in essence. First, there is the external, visible battlefield we hear about every day: the threat actors, malware, vulnerabilities, and so on. The other battlefield is internal and largely invisible: the budgets, bureaucracies, and behaviors within an organization. Navigating this internal battlefield is just as daunting, and it is more critical to the choices that organizational leadership must make to manage business risk, specifically how investments are prioritized to prevent, detect, and respond to cyber risk.

Malcolm Harkins’ essay explores how CISOs can become more effective choice architects and data storytellers to evoke the engaged and emotional responses, properly frame risks and rewards, and lead their organizations along the path of security-conscious decision-making.


Malcolm Harkins is an ICIT Fellow and the Chief Security and Trust Officer at Epiphany Systems. He is responsible for information risk and security including security and privacy policies, peer-outreach activities to build understanding of cyber risks, and best practices to manage and mitigate those risks. His focus areas include the ethics of technology risk, social responsibility, total cost of controls, and industry accountability. Malcolm is an independent board member and advisor to many organizations. He previously served as Chief Security and Trust Officer at Cylance and was Chief Security and Privacy Officer at Intel. He is the author of Managing Risk and Information Security: Protect to Enable, now in its second edition.