TOP CYBER NEWS MAGAZINE
JANUARY 2023
HOW STÉPHANE NAPPO, 2018 GLOBAL CISO OF THE YEAR, VICE PRESIDENT, CYBERSECURITY DIRECTOR & GLOBAL CHIEF INFORMATION SECURITY OFFICER, GROUPE SEB, FRANCE, RETHINKS CYBERSECURITY
STÉPHANE NAPPO WITH The Strategic Leaders’ Perspectives on Emerging Trends
Foreword
“Sometimes people come into your life and you know right away that they were meant to
be there, to serve some sort of purpose, teach you a lesson, or to help you figure out
who you are or who you want to become. You never know who these people may be
(possibly your neighbour, co-worker, longest friend, or even a complete stranger) but
when you lock eyes with them, you know at that very moment that they will affect your
life in some profound way.”
The cybersecurity community desperately needs a positive and warm-hearted approach to confidence building, developing people, assisting in raising awareness and identifying key issues to support a culture of cybersecurity. It needs leaders, role models who encourage and inspire the transformations that must be made. Mr. Stéphane Nappo is one of these leaders.
Top Cyber News MAGAZINE - January 2023 - All Rights Reserved
Innovation in Cybersecurity
Dr. Rudy SNIPPE, Netherlands
During a conference where I was talking about innovation, I was approached during the break by a man who introduced himself as Henry. ‘May I ask you something’, Henry asked, and went straight on without waiting for my response. ‘In your presentation you stated that language is an important barrier for innovation, but also an important tool. Can you explain this to me again?’

Despite his somewhat rude appearance, Henry seemed like a nice guy, so I replied:

“Wow, this is quite a broad question for a short break. Language is, of course, only the first problem organizations face in development & innovation. The way in which organizations are structured is an even bigger problem, but language also plays a role here.

We think in language and through language we create our own world of thought. The language in which we think, and our own world of thought, have acquired meaning in our past. That's fine until we want to develop something new and keep thinking in a language from the past. In addition, everyone has a different past and thus gives a different meaning to language and ideas. In order to innovate or develop, we must therefore look for new meanings, perhaps even for new words.”

‘I work in cybersecurity development’, Henry said. ‘As you know, cybersecurity is comprehensive and complex. That is why we work with highly developed experts who really know what they are doing. Can these experts also give an impulse to development and innovation in our company through language?’

“I won't make it too complicated. Let's do a short experiment. When you think of the word ‘secure’ from your history, what do you think of?”

Henry looked a little suspicious and said: ‘On trenches, a suit of armour, defensive walls, something impenetrable.’

“Do you see any of this thinking in the approach to cybersecurity?”, I asked. Henry smiled. “Secure contains cure”, I continued. “Suppose you invent a system that heals very quickly after an attack? Or imagine that the concept of secure does not consist of defending and protecting, but that you can continue to do what you were doing? The (re)definition of concepts is key in development and innovation. You should always ask yourself what effect you want to cause and try to put this into words as well as possible.”

Henry, lost in thought, said ‘goodbye’. We walked back to the conference room.

Dr. Rudy Snippe is the Founder of the FASS Theory (Strategy & Leadership / Complex Social Systems). Founder, Chief Executive Officer, Partner of Stocastic, World-Strategic Innovation Dynamics platform. Thesis Research Supervisor (MSc) at Nyenrode Business University.
Stéphane NAPPO, France
Vice President, Cybersecurity Director & Global Chief Information Security Officer at Groupe SEB, global market leader in the small household equipment sector, including the prestigious brands Krups, Rowenta, Tefal, Supor, WMF, Emsa, Calor, Moulinex… and present in 150 countries.

Stéphane Nappo is an internationally recognized cybersecurity leader and a senior-level cybersecurity executive with over twenty-five years' worth of experience in international finance, banking, digital services, and industry.

Previously: Global Chief Information Security Officer at Société Générale International Banking and Financial Services (responsible for the cybersecurity of 40 major banks in 67 countries); Group Information Security Officer at OVHCloud, European leader in cloud computing, with a presence in 138 countries; Head of the Cybersecurity Consulting department for Banking & Finance at VINCI, world leader in concessions, energy, and construction, in 120 countries. Throughout his career, Stéphane has taught, trained, and worked with hundreds of talented cybersecurity professionals.

Named Global CISO of the Year and awarded the European Excellence Trophy in Digital Security in 2018, Stéphane Nappo was chosen as Global Security Executive Influencer by the prestigious IFSEC Global, and ranked among the Top Five Influential French IT & Cybersecurity experts by FORBES for the year 2021. Actively supporting diversity and Women in Cyber, Mr. Nappo was named Ally of the Year 2021 by the United Cybersecurity Alliance, USA.

Passionate about innovation and the digital protection of business, his leadership skills have been recognized throughout the world. His articles and renowned quotes are cited in numerous books by leading experts and publishers.
By Stéphane Nappo
Everything is a risk, nothing is a risk… the dose makes the risk

A risk generally results from an unwanted outcome or negative consequence. When it comes to cybersecurity, a risk usually relates to the potential for a cyber attack or data breach to occur, which could result in financial loss, reputational damage, or other negative impacts.

Since zero risk does not exist, and since all actions and decisions can lead to negative consequences, it is possible to state that “everything is a risk”.

However, as risk sensitivity and appetite vary from one organization to another, and as the risk level can also vary greatly depending on the specific situation, context or duration, it is possible to state that “the dose makes the risk”. This means that the likelihood and potential impact of an unwanted outcome are closely related to the level of exposure, vulnerability, and tolerance of the target to that risk. A higher level of exposure, vulnerability, or business intolerance to a risk will generally result in a higher likelihood and a stronger impact of an unwanted outcome on the resilience capacity.

“The evident non-tech basics are fundamental, and quite often overlooked…”

Seeking simplicity

Cybersecurity complexity is skyrocketing, driven by new business models, new technologies, and the ever-evolving threat landscape. Literally overwhelming the current cybersecurity model at the very moment we need it, this trend has four main drivers: technology changes, regulatory strengthening, operational transformation, and the growing sophistication of cyber threats.

In this context, simplifying cybersecurity is a necessity to help organizations better protect sensitive information, manage their digital ecosystem, comply with regulations, and reduce evolution costs. It can also make it easier for employees and contractors to apply security practices. However, rethinking cybersecurity requires a comprehensive cultural and strategic approach that goes far beyond the IT dimension alone. To succeed, we have to accept that the solution does not lie in more technology, but in re-engineering the cybersecurity philosophy.

To secure or not to secure… That is the response, not the question!

Cybersecurity is first of all a response, both proactive and reactive, to the constantly more sophisticated digital threat and to the need for resilience. It usually relates to the protection of digital systems, data, and users from unauthorized access, disclosure, use, modification, disruption or destruction.

To secure or not is a decision that must be driven by business stakes, the situation, and the potential consequences of doing nothing. It is usually important to secure things that are critical to operations, regulation, reputation, etc. However, in some cases, when the cost or effort of securing may outweigh the potential benefits, the decision not to secure and to adapt the business ambition may be appropriate as well.
to keep pace with threats and digital evolution
Cybersecurity must be considered a business value, rather than a balance due

Nowadays, cybersecurity must be considered by businesses as a value, rather than as a fate or solely as a cost center.

Whether for IT, OT, IoT, or online services, cybersecurity can enhance an organization's reputation and customer trust, which can be beneficial for business growth, company valuation, and long-term success. It is not only a way to protect against negative events, but also a way to enhance overall performance and reputation.

Conversely, given the level of cyber attacks and the severity of their impact, simply waiting and seeing, or reacting to incidents after they happen, has long ceased to be a profitable approach.

Overall, today's situation highlights the importance for organizations of promptly adopting a comprehensive cybersecurity approach, positively driven by business ambition, risk management, and relevant cybersecurity measures covering systems, processes, and users.

Cybersecurity is much more than a matter of IT…

It encompasses a wide range of topics, including technology, processes, regulations, geopolitics, and human behavior. Effective cybersecurity requires a holistic approach that takes into account the various factors that contribute to an organization's overall security posture, including its interactions with its business strategy and its ecosystem.

Cybersecurity is, therefore, truly a matter of resilience.

Risk management is the process of identifying, assessing, and prioritizing the risks to an organization or individual, and then taking steps to mitigate or accept those risks. The goal of risk management is to find a balance between the cost and effort of mitigating a risk and the potential negative impact of the risk if it were to occur. Ultimately, the decision to secure should be based on a balance of risk, business ambitions, and costs, with the aim of effectively identifying, protecting, detecting, and especially “responding to” and “recovering from” a cyber attack.

One of the main cyber risks is to think they don't exist. The other is to try to treat all potential risks…

Picking battles according to emergencies, demands, or audits can be risky. It may lead to hasty or ill-informed decisions. It can also result in resources being directed away from important or long-term issues. It is important to consider the potential risk-driven consequences and prioritize accordingly.

“Fix the basics, protect first what matters for your business and be ready to react properly to pertinent threats. Think data, but also business services integrity, users’ awareness, customer experience, compliance, and reputation”
By Stéphane Nappo

Cybersecurity is Critical for Sustainability
Cristina Dolan, Global Head of Alliances, NetWitness

Cybersecurity is the most immediate, financially material sustainability and ESG risk that organizations face today. It has been weaponized by nation states, and it has become an invisible high-stakes battlefield. Covert operations can be carried out without the risk of physical retaliation, making cyber attacks an attractive option for countries to use as a means of projecting power and influence. In addition, cybercrime has become a highly profitable and growing component of GDP for some nation states, while the chances of hackers being caught are extremely low. According to the World Economic Forum 2020 Global Risk, only 0.05% of crimes are detected and prosecuted. In addition, the reporting of cybercrimes remains low, making it hard to assess how big cyber risk has become across every aspect of the connected world we live in today.

As a human-created risk, it seems logical that cyber risk should be a manageable risk compared to natural disasters, and yet the entrepreneurial nature of motivated hackers requires a more proactive approach to protect connected organizations. The internet connectivity, data and distributed systems that power enterprises have become an integral part of modern society. Distributed workforces using a variety of personal devices across corporate networks make managing corporate networks more challenging than ever.

Regulators across the globe are enforcing the reporting of cybercrimes and breaches by passing new laws that impose financial fines to encourage timely disclosures and active defense and management of corporate networks. The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance, while many states have passed local laws requiring organizations to report cyber incidents. The European Union General Data Protection Regulation (GDPR) introduced a groundbreaking directive, and the financial impact of the fines alone could implode a company. These fines present a sustainability risk that could bankrupt companies that provide critical services to society.

“What greater sustainability risk than cybersecurity risk does an organization face today?”

Sustainability and ESG have become popular topics for investors, and yet most investors lack visibility into, or understanding of, cyber risk. Regulatory requirements for public companies are increasing. Corporate directors are now expected to understand cyber risks in the context of corporate sustainability. The disclosure of management practices, controls, audits, and policies will be required in financial reports and regulatory filings.

“Will 2023 be the year where cybersecurity risk is finally viewed by investors, executives and leaders as the most immediate and financially material risk that organizations face today?”

Cristina Dolan, Global Head of Alliances, NetWitness, and co-author of Transparency in ESG and the Circular Economy: Capturing Opportunities Through Data
The Swarm Cybersecurity: a way to repurpose & strengthen resilience?
by Stéphane Nappo

Too often associated exclusively with the subjective value of trust, cybersecurity is mainly a response to the need for resilience and digital development of nation states, organizations, businesses, and individuals. In this respect, far from being a balance due, cybersecurity is a pillar for the creation of value and sustainability.

As a cybersecurity practitioner for more than 25 years, I have profound respect for my peers and for the professional practices of this very challenging discipline. However, I strongly believe that cybersecurity and resilience paradigms have to evolve in shape and strategy to keep pace with the threats’ Darwinian evolution and the fact that they are boxing with no rules.

The traditional security approach, in most cases, ultimately relies on a central authority or system to manage and coordinate the defense against threats. Increasingly eroded by the digital transformation and the constant evolution of threats, this traditional model leads to two growing major challenges:
1. if the central authority or system is compromised, the entire security system can be defeated;
2. this traditional model can hardly deal with information systems opening up to third parties, SaaS, Cloud, and outsourcing trends that impact Business, IT, and Security activities.

As an adjunct to current practices, Swarm Cybersecurity is one interesting approach to consider and drill into. It aims to address these challenges by using a decentralized network of interconnected organizations or devices to defend against threats.

The swarm cybersecurity notion refers to the use of a large number of elements (tools, people, processes), or of other "swarms", to provide enhanced security for a network or system. These elements can be anything from IT (computers, servers and networks), to OT (industrial robots and specific equipment), to IoT devices such as connected products, security cameras or smart thermostats, as well as teams and experts. The idea behind swarm cybersecurity is to create a decentralized network of means that can work together to detect and respond to security threats.

One key advantage of a swarm approach to cybersecurity is that it can be highly scalable and consistent with today's outsourced and delegated digital ecosystem. As the number of devices in the information systems increases, the detection/reaction capacity of the swarm also increases. Additionally, because the swarm elements are decentralized, it can be more difficult for an attacker to target a specific device or to compromise the security of the entire system.

Another benefit of swarm cybersecurity is that it can be more adaptable and responsive to fast-evolving threats. Because the devices in the swarm can communicate and coordinate with one another, they can share information about potential threats and work together to respond to them in real time. This can be especially useful in detecting and responding to sophisticated cyber attacks that may be able to evade traditional security measures.

Overall, the goal of swarm cybersecurity is to create a network that is highly resilient to cyber threats, and able to quickly and effectively respond to any attacks that do occur.

After decades of a purely competition-based model for the development of companies and individuals, “togetherness as a pack” is a real cultural challenge for cybersecurity to address. In parallel, the (outdated) vision of cybersecurity as a taboo still makes many actors reluctant to “unite to defend”. Over and above that, the inability to act as a swarm is also the weakness that cyber threats exploit to attack their prey one by one.

Of course, the interest of communities is not new; nevertheless, the swarm model aims to share action (detection, reaction, recovery…), far beyond merely sharing information. Acting as a pack increases synergies and can deliver a lot of efficiency, relying on the "less is more" model for real. Finally, the swarm must strengthen a “versatile, organic and modular” cybersecurity swarm, taking care not to create new systemic risks.

As usual, the first challenge is to support the idea that it is possible to achieve more with many existing things. (I can already hear some: “there is nothing new in this”, “and so what!?”, … ;-)

When in doubt, do remember that cyber attackers are significantly ahead when it comes to swarm ecosystems. Crime as a service, dark marketplaces, botnets… are effective demonstrations of their ability to federate self-organized and heterogeneous systems to converge toward a collective purpose, with an adaptive resilience to deal with technology evolutions and fight-back methods. If they can do it for offence, so can we for defense.
How to swarm
By Stéphane Nappo
1. Think different, envision the whole value chain & its unity beyond boundaries or interoperability gaps:
• Shift the scope from the supply chain to the end-to-end value chain, including third parties and outsourced services.
• Encourage systems thinking. This discipline is helpful to quickly and efficiently encompass the cybersecurity needs.

2. Adopt a swarm model wherever possible, starting from inside your organization:
• Strengthen cybersecurity by design with a systematic first level of self-defense, alerting, or monitoring for each item (software, equipment, processes, projects, products…).
• Implementing zero trust as well as SASE principles must be a systematic reflex and rule in your organization (configurations, access rights, administration levels…).
• Break the silos when it comes to security, especially between the IT, OT and IoT dimensions. And do remember, the first silo to remove is the false impression that a perimeter fence protection still exists.
• Do remember, Swarm is not incompatible with segmentation. Quite the contrary!

3. Unite, and aim to hyperconverge with your fellow beings:
• Although you may think otherwise, this change is underway anyway. Your organization is hyperconnected, with the Internet and digital business processes, and you share a lot of assets and stakes with the Cloud, SaaS, etc. So try to benefit from it. Share, share, share! Alerts, best practices, the joining of forces, red-button procedures, cybersecurity agreements, requirements.
• The goal of Swarm is not to target completeness, but to cover each and every possible win-win mesh.

4. Define and enforce a set of coordinated “behaviors” to protect your fundamentals beyond your organization’s boundaries:
• Investing in behaviors beyond IT systems is important. This can include communication protocols, do’s & don’ts, decision-making algorithms, trigger statuses, and detection, reaction and recovery techniques.
• Additionally, you will need to develop a system for monitoring and controlling the swarm’s proper functioning, by parts and “as a whole”, such as a decentralized network.

5. Secure at holistic AND individual levels, using “primal organic self-defense” principles:
• Your enemy is increasingly automated, so defense must respond accordingly. Attacked by robots, we cannot fight back only with humans, SOCs, and computer mice.
• The principle of primal organic self-defense is key. It must rely on simple but automated alerts, proactions and reactions. It must be coordinated, but also able to continue to act individually in case of isolation.

Many things have yet to be thought through, refined and built. AI is also working on the SWARM model, and I thought it was important to share this approach with you. After all, SWARM is above all about sharing, without waiting, to build together more and better cooperative models relying on Swarm principles. Let’s swarm our opinions and suggestions!
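A toy model of the principles listed above (a first level of self-defense on every element, alerts shared as action rather than only as information, and a node that keeps defending itself when isolated), as an added illustration that is not code from the article or from Groupe SEB; the node names, the failed-login threshold and the sample source addresses are constructed:

```python
"""Toy swarm of self-defending nodes (constructed illustration).

Each node has a first level of self-defense: a per-source failed-login
counter that blocks the source when a threshold is reached. A block is an
action, not just information: it is gossiped to every reachable peer, which
blocks the same source pre-emptively. A node cut off from its peers still
defends itself on its own.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    threshold: int = 3                               # failures before a local block
    reachable: set[str] = field(default_factory=set)  # peers it can currently talk to
    failures: dict[str, int] = field(default_factory=lambda: defaultdict(int))
    blocked: dict[str, str] = field(default_factory=dict)  # src -> node that raised it


class Swarm:
    def __init__(self) -> None:
        self.nodes: dict[str, Node] = {}

    def add(self, name: str, threshold: int = 3) -> Node:
        self.nodes[name] = Node(name, threshold)
        return self.nodes[name]

    def link(self, a: str, b: str) -> None:
        """Bidirectional link: each side can gossip a block to the other."""
        self.nodes[a].reachable.add(b)
        self.nodes[b].reachable.add(a)

    def isolate(self, name: str) -> None:
        """Cut a node off from all peers (partition, outage): it keeps its rules."""
        for peer in self.nodes[name].reachable:
            self.nodes[peer].reachable.discard(name)
        self.nodes[name].reachable.clear()

    def observe(self, name: str, src: str, ok: bool) -> list[str]:
        """Feed one authentication result seen by `name` from source `src`.

        Returns the nodes that newly blocked `src` because of this event:
        the observer itself plus every peer the alert reached by gossip.
        """
        node = self.nodes[name]
        if src in node.blocked:
            return []                      # already denied locally, nothing to do
        if ok:
            node.failures[src] = 0         # a success resets the local counter
            return []
        node.failures[src] += 1
        if node.failures[src] < node.threshold:
            return []
        return self._gossip(origin=name, src=src)

    def _gossip(self, origin: str, src: str) -> list[str]:
        """Breadth-first propagation of the block over currently reachable links."""
        newly_blocked: list[str] = []
        queue = deque([origin])
        while queue:
            current = self.nodes[queue.popleft()]
            if src in current.blocked:
                continue                   # reached twice via different peers
            current.blocked[src] = origin
            newly_blocked.append(current.name)
            queue.extend(sorted(current.reachable))
        return newly_blocked

    def is_blocked(self, name: str, src: str) -> bool:
        return src in self.nodes[name].blocked


def demo() -> dict[str, list[str]]:
    """Constructed scenario: A-B-C chained, D linked to A and then cut off."""
    swarm = Swarm()
    for n in "ABCD":
        swarm.add(n)
    swarm.link("A", "B")
    swarm.link("B", "C")
    swarm.link("A", "D")
    swarm.isolate("D")
    src = "203.0.113.7"                    # constructed sample address (TEST-NET-3)
    result: dict[str, list[str]] = {}
    # three failures at A trip its local rule; B and C block by gossip, D never hears
    for _ in range(3):
        result["after_A"] = swarm.observe("A", src, ok=False)
    # the isolated D still protects itself once its own threshold is reached
    for _ in range(3):
        result["after_D"] = swarm.observe("D", src, ok=False)
    return result


if __name__ == "__main__":
    print(demo())   # {'after_A': ['A', 'B', 'C'], 'after_D': ['D']}
```

The same structure carries any local rule (process allow-list, integrity check, anomaly score) in place of the login counter; what the swarm adds is that one element's reaction becomes every reachable element's reaction.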
In Search of Excellence - Talent, Made in France
Interview conducted by Isabel María Gómez, Global Chief Information Security Officer. Madrid, Spain

Stéphane Nappo is one of the main references when talking about cybersecurity. With a career of more than 25 years in which he has successfully demonstrated that the best way to fight cybercriminal industrialization is the digital transformation of technological environments, he is also an international keynote speaker, author, PhD researcher and key opinion leader… He is always a leadership example of paying it forward.

It is undeniable that people matter to him. I have been fortunate and honored to know him over the years.

He is an excellent human being, a humanistic leader full of qualities who builds teams in high-performance environments where communication, flexibility and active listening are an axis capable of making everyone share a common vision: a purpose and a horizon to navigate towards together.

Always at the forefront, he offers us an open and honest vision that goes beyond what we see, that makes us think outside the box, that invites us to grow as professionals and people, reaching every day our best version to offer it to our teams and collaborators without qualms.

As a CISO, what I have always admired and what has always struck me about his vision is that he is not a slave to fads. In fact, innovation is the main axis of his decisions; he has always had excellent risk control and a proactivity focused on benefits that has led him to be a pioneer in the field of cybersecurity.

Stéphane’s permanent desire to learn and protect makes a chat with him totally enriching. There is freedom to discuss different strategic visions, and that environment of creativity leads to the best gains in the fight against cybercriminals. It is a privilege and an honor to be able to interview him.
I hope and wish to offer a vision that allows all of us who once chose to devote ourselves with dedication to cybersecurity to discover a source and a reference that brings us light on sometimes unmarked paths, and that helps a CISO in the fog to find a light that serves as a reference to bring the ship to a good port. What's next? Let's discover together “The Journey” and the new direction of cybersecurity for the coming years...

Global Chief Information Security Officer Isabel María GÓMEZ has long-tested experience in security and information technologies, and in the course of her career has specialized in several areas related to security, among them Risk Management, Cybersecurity, IT Continuity and Resilience, Privacy, Compliance and Digital Transformation. She also has a broad legal, regulatory, technical, and financial background that lets her manage and coordinate different legal and technical areas efficiently. Previously, Isabel has held various executive roles in information security, reporting directly to the CEO, in leading companies in their respective lines of business, such as Atento, SegurCaixa, Bankia, and Medtronic.

“The Journey”
[Isabel María Gómez] Cybersecurity is a vocational choice of delivery and service, there is no doubt. What was it that drove you to dedicate yourself to it?

[Stéphane Nappo] Cybersecurity is not only a choice of career or a job, but a choice of a life and service spirit that a few might want to live or experience. Often people ask me how and where I take time to live my life, to create a family, to build a house, plant a tree or a garden. In my thoughts. Then in reality. This is how I used to operate with my time, my strategic objectives, knowledge, and desires. Am I always right? No! Would I choose a different lifestyle? Maybe not. Did I give up on my job, my colleagues, my projects, companies who trusted me with cybersecurity and highly confidential business and personal issues? Never did. Never will.

Like anyone these days, I am a digital citizen of our world. My peers, colleagues, friends and family can, and do, rely on my experience and expertise. I highly appreciate and treasure this trust. I build on this interest. I try every day to innovate, strategize and live this trust, that is in reality the hope of open hearts and connected minds for our lives. In this respect, global CISO is really a mission that I am proud of.

I am grateful for the cooperation and support of my peers, colleagues, followers and partners, in the world and among the very dynamic French SEC in France.
[Isabel María Gómez] All of us who work in cybersecurity know that our day-to-day work is going to take place in a changing environment that requires a lot of “resilience”. We are always going to be far from a comfort zone. What are, in your opinion, the skills and virtues that have helped you the most throughout your career in cybersecurity?

[Stéphane Nappo] Thank you for this question, Isabel. The truth is, we are all bound, sometimes blinded, by agreements, legal or personal, and motives, more often than we would wish for. The most difficult moments are those when we have no crisis situations; when our minds and our senses can and must have tranquillity and serenity.

The cybersecurity profession requires and expects devoted professionals to ‘never log off’. Am I different? No. Do I, or did I, pay the price for my decades of ever-constant focus and never-resting senses? I did and I do have, like any hyper-committed professional, my fair share of the ‘professionally created price to pay’. Obstacles in cybersecurity activities have, like life itself, the ‘colours’ that we give them. I try to choose the bright and inspiring colours and tunes for the music I play.

[Isabel María Gómez] What has been the innovation that has inspired you the most?

[Stéphane Nappo] Inspired first by my two sons and peoples’ cultures, but also by electro and pipe organ music, my forever first love, my twenty-five plus years of active contribution is in performing as well as possible to make digital places as safe as possible.

In life, what first took my absolute attention were the engineering drawings of Leonardo da Vinci. Yes, this memory goes half a century back… Not only did I create my own drawings of motors, airplanes, and power plants, but I collected tools and materials from little bricks and tiny seashells to wheels and compasses.

From more recent innovations: the Internet, and applied Artificial Intelligence, of course. Like many professionals around my age, I grew up with the emergence of computers in our lives, and I received a second birth with the arrival of the Internet. And finally, digital photography. Photo art could probably be compared to the art of painting. My masterpieces are, of course, amazing pictures of my two sons and some moments of life. This is the Stéphane Nappo that my colleagues never knew and could only imagine…
[Isabel María Gómez] One of your reference phrases is "Knowledge is the only matter that grows when we share it". In cybersecurity, we sometimes err on the side of secrecy. What are the forums you recommend most to break this tendency?

[Stéphane Nappo] Exactly and precisely the point that I always amplify when speaking at conferences, digital and live events, and meetings with peers and followers. In France, we have professional forums (ANSSI, Campus Cyber, Le CESIN) and specialised conferences (FIC, Les Assises de la Sécurité, Hacktiv’ Summit…). Cybersecurity is interconnected and can be a complex matter; we all must teach, train and learn. This is what brings us all together as a community. This is what makes the cybersecurity community so special and valued among professional circles. An incredible open and free platform is the emerging phenomenon of Top Cyber News MAGAZINE, which I highly support and recommend.

[Isabel María Gómez] All of us who work in cybersecurity know that our day-to-day work is going to take place in a changing environment that requires a lot of resilience. We are always going to be far from a comfort zone. What are, in your opinion, the skills and virtues that have helped you the most throughout your career in cybersecurity?

[Stéphane Nappo] From the very first memories, which take me to my beloved Provence in France, through all my later life decisions and actions, I developed a spirit of mission, a sense of eagerness, justice, respect and a quest for a positive and devoted faith in life’s purpose. This leads me through all the difficulties, moments of success, doubt-dispelling, and happiness. As a security pathfinder, board advisor, business enabler and strategist, I believe each CISO must act as a guide with strong leadership and deep pedagogy. Each CISO has to face unpredictability and take responsibility for his / her decisions and actions.
“CISOs Need Strategic Thinking to Be Effective”
Emilio IASIELLO for Top Cyber News MAGAZINE, October 2022 edition

The Chief Information Security Officer, or CISO, is fast becoming one of the more difficult C-Suite positions to fill. The CISO role has been plagued with turnover, the average tenure lasting anywhere from 18 to 26 months. This doesn’t come as a surprise, as the CISO is inundated with an array of challenges that include a nonstop barrage of diverse cyber threats seeking to exploit the enterprise he watches over, internal competition to secure budgetary resources to aid in his defense efforts, lack of authority to instil necessary change, and convincing the larger C-Suite as to why certain security measures are needed regardless of their cost. Indeed, in many ways, the modern-day CISO is the cybersecurity equivalent of Sisyphus, struggling to protect the network enterprise only to see another incident set him back on progress.
[Isabel María Gómez] One of your great
passions is sharing your knowledge through
writing and public speaking, giving conferences,
for example. Where will we be able to listen to
you in 2023?
[Stéphane Nappo] Thank you for this question,
dear Isabel. My 2023 and beyond plans are
continuously in deliberate development and
change. It will very much depend on many factors where the role of the global CISO will change; developing myself personally, while planning and strategizing.
From the good news: In France, we have paid
vacations. I often use this time… days and
weeks… to pre-schedule my speaking
arrangements. In the last five years, for example,
I delivered keynote addresses or participated in
panel discussions in Paris, Zurich, Dubai, Beijing,
Moscow, Prague, Berlin, New Delhi, Amsterdam,
New York City, Montreal, Porto, Monaco,
Deauville-Normandie, Brussels, Miami, Tel Aviv,
Casablanca, Nairobi…
[Isabel María Gómez] Have you ever been
tempted to leave the world of cybersecurity and
redirect your career to another discipline?
[Stéphane Nappo] When times are challenging
like these days and in the foreseeable future, I
will be very open and honest. I will never let my personal success or difficulties prevail.
[Isabel María Gómez] One of the main
responsibilities a leader has is to work on his or
her own skills. Sometimes looking in the mirror
is more complicated than it seems. What advice
would you give us to keep evolving for the
benefit of our teams? What do you think are the
keys to work, for example, with the new
generations of cybersecurity?
[Stéphane Nappo] Learn from your heart. Give and share your knowledge. When chosen, follow your own choices and decisions. When impossible… do remember: nothing is impossible.
There are probably more unknown unknowns to explore and unlock. I see more devotion, more enthusiasm, more aspiring actions and strategic leadership in my younger colleagues than I could imagine just a few years ago.
Better understanding, communication and prepared talents are the future of the cybersecurity workforce.
I choose to give my knowledge and expertise to
my employer, my country, my European and
international colleagues and peers. For collective
success.
For greater than personal, for devoted and
desired security and safety for the world. I am a
global citizen and I give my all to work well.
“One of the main cyber-risks is to think
they don’t exist. The other is to try to
treat all potential risks.”
“It takes 20 years to build a
reputation and a few minutes of
cyber-incident to ruin it.”
“If you think you know-it-all about
cybersecurity, this discipline was
probably ill-explained to you.”
“Even the bravest cyber defense will
experience defeat when weaknesses
are neglected.”
“Education has always been a profit-
enabler for individuals and the
corporation. Cybersecurity education
is a part of the digital equation.”
“The five most efficient cyber
defenders are: Anticipation,
Education, Detection, Reaction and
Resilience.”
“IoT without security = Internet of
Threats.”
“Threat is a mirror of security gaps.
Cyber-threat is mainly a reflection of
our weaknesses.”
“Technology trust is a good thing, but
control is a better one.”
“Digital freedom stops where that of
users begins... Nowadays, digital
evolution must no longer be offered
to a customer in trade-off between
privacy and security.”
“Privacy is not for sale, it's a valuable
asset to protect.”
Do remember: “Cybersecurity is much
more than a matter of IT.”
Renowned quotes by Stéphane Nappo
Let's face it, CISOs are the most sought-after executives in cybersecurity. From start-ups to big companies, they all want to get their products in front of CISOs and win them over as champions. The old way of attempting to build relationships with CISOs is events such as CISO dinners, which allow only a few hours of interaction and result in 2-3 meetings and possibly one closed deal. These events are losing their effectiveness.
CISOs seek new ways to connect with innovative
cybersecurity and information security vendors. The new
approach is to create a CISO Advisory Board consisting
of security experts who provide advice on the vendor's
direction, products, marketing, roadmap, and unbiased
advice, as these advisors are not "drinking the kool-aid."
The purpose of the CISO Advisory Board is to help the
cybersecurity organization gain new insights and advice
to solve business problems or explore new
opportunities by stimulating robust, high-quality
conversations. A CISO Advisory Board acts as a
sounding board for the cybersecurity company to
bounce ideas off and get access to expertise that might
not ordinarily be available. CISO Advisory Boards
provide a competitive advantage and help build the
company's visibility, credibility, and revenues. A properly
constructed and executed CISO Advisory Board will
foster lasting and meaningful relationships with key
prospects and customers of the business.
The vendor is not the only one reaping benefits from a CISO Advisory Board. Since an adequately built CISO Advisory Board comprises security specialists, information security experts, generalists, and critical thinkers from diverse backgrounds, the CISO advisors gain knowledge and insights from their peers, enabling them to bring valuable insights back to their own organizations.
No organization is too big or small to benefit from a
CISO Advisory Board. For a cybersecurity start-up, it can
be the difference between success and failure. CISO
Advisory Boards are not part of most security
organizations' overall corporate strategy, even though
the input from a CISO Advisory Board can offer game-
changing insight.
Brooke Cook has 20+ years in the cybersecurity
executive relationship building and event space. With a
background in business and psychology, Brooke has
mastered the niche of building trust in an authentic way
with executives around the world and treating them to
first-class event experiences. As the CEO and Co-Founder of Security Sisters Network™, Brooke brings her passion, industry knowledge and tenacity to helping her network of over 15,000 CXO relationships stay at the leading edge of their business, cultivate their desire to learn about new products, and surround themselves with their peer group for the benefit of their own network.
Troels Oerting, Chairman Of The Board at BullWall. Denmark
Qvo Vadis (Cyber) Security?
First, my recommendation is to avoid hype and fearmongering. Humanity will survive the Internet and we should not use or promote ‘fear’ as a driver for the sale of security solutions. We should instead instigate, defend and promote ‘hope’ of a safer Internet and digital future and lead the way forward with an optimistic approach.
Secondly, no such thing as ‘absolute security’ exists, not in the physical world nor in the digital. Security needs to be driven by proper risk assessment, knowing that no one ‘silver bullet’ does the trick and security can be broken from multiple angles and from inside or outside of the network. So, we must be realistic in our security level and adapt to the level that secures what’s important without limiting, for example, privacy or data protection. More security often means less privacy and usability, and the balance needs to be right and decided after a risk assessment.
The entry into 2023 marks the 43rd anniversary of my start in Law Enforcement, Security and Cybersecurity.
A lot has happened during these many years, and development has increased in speed and complexity.
On the other side, I have also noted that the world is still standing, and despite loads of crises, challenges and uncertainty we tend to overcome the majority of problems and move on.
Looking back over the many years, knowing that my generation of security experts will be replaced by new enthusiastic ones, I find the time appropriate to share some of my learnings and insight with the coming generations of security experts.
Thirdly, the overall security goal should be resilience. I define resilience in this way: cyber resilience refers to an organization's ability to prepare for, absorb, respond/adapt to and recover from an adverse situation while continuing to function as intended. A strong cyber resilience framework should be adaptable and account for unknown variables, like new types of attacks. By focusing on resilience, the organization is forced to promote a more holistic and inclusive security strategy involving staff, training, HR, legal, communications and other functions important for ensuring that the organization quickly recovers from a cyber incident and gracefully continues with the main business. If somebody from the outside asks a member of an organization's leadership or Board ‘who is responsible for cybersecurity in this organization’ and the answer is ‘the CISO’, they have got it wrong. The right answer obviously is: ‘we are all responsible for cyber security’.
Fourth advice is to prepare. We will all get hacked at some point. We need to plan for how we will operate during such an incident. Who is in the crisis management team? Do we have playbooks on all types of incidents? Do these playbooks outline a communications strategy, a press strategy, a legal strategy (is it legal to pay ransom?) etc.? All organizations, regardless of size, need to develop a security strategy and discuss and decide what to do when you get compromised.
And then you should train and exercise this plan and adjust it according to reality. Do a tabletop exercise, test if the plan works and take all relevant factors into consideration. And rule number one: make notes of what you do during an attack, from the first to the last second. We forget, and you need to be able to remember if insurance or regulators ask. In short, if you fail to plan, you plan to fail.
Finally, make security attractive, for the company and the staff. Too many CISOs are under too much pressure. Cybersecurity is not the enemy of innovation, marketing or usability; it should be an asset instead. High information security is a positive sales argument, and the tone from the top should be that security is important for companies holding private and sensitive information.
Despite war in Europe, inflation, increasing prices and interest rates, deadlock in the US House, the covid increase in China, geopolitical tension and other global challenges, we will, together, improve cyber security and share more insight faster. I am confident of this.
“Happy New Year and I wish you all in security a great 2023 and thank each and every one of you for your service.”
“We, in security, should not promote fear, but protect hope.”
~ Troels Oerting
by Troels Oerting
Troels Ørting Jørgensen, Chairman at Bullwall, Expert Member at INTERPOL
Mr. Ørting is a globally recognized Cyber Security Expert. He has been working in cybersecurity ‘first line’ for over 4 decades. Throughout his career, Mr. Ørting has worked with governments and corporations to advise on how they react to the increasing international cyber threats, and has worked closely with law enforcement, intelligence services and cyber security businesses.
Formerly, with the Danish National Police, first as Director, Head of the Serious Organised
Crime Agency and then as Director of Operations, Danish Security Intelligence Service;
Deputy Head, ICT Department and Deputy Head, OC Department, Europol, EU’s Police
Agency; Head of European Cybercrime Centre and Head of Europol Counter Terrorist and
Financial Intelligence Centre. 2015-18, Group Chief Information Security Officer (CISO),
Barclays. Chaired the EU Financial Cybercrime Coalition, of which most banks are partners,
and has very strong experience in cyber security. Since 2018, Head of the Centre for
Cybersecurity, World Economic Forum. Chairman of the Board of World Economic Forum
Centre for Cybersecurity (C4C).
Francis West, Chief Executive Officer at Security Everywhere. England
Why Your Anti-Virus Is Like The Yellow
Pages - Old School And Out Of Date
We do have answers, one of which is a very short, blunt and not particularly politically correct answer. And then of course, there is the answer that we would write!
So first, let’s be blunt.
The answer is that your IT advisors are likely not cybersecurity experts, and so are not on top of the market, nor have they spent years in the cyber security market to find the best tool for the job.
They are very likely to have been supplying an antivirus program to their customers, probably from a well-known vendor, and it’s not in their interest to go and tell their customers that it is not good enough. In many cases, they probably are not even aware that it’s no longer fit for purpose.
This only leaves them with the option of telling their customers that the antivirus is protecting them and of course it is good enough! After all, they would look a bit stupid if they went to the customer that they’ve sold the antivirus to and said, “We know our antivirus solution is a bit rubbish”.
To be fair, we can’t paint everyone with the same brush, and we know there are some IT companies that have done just as we did and went to their customers and said “we have discovered our solution is no longer fit for purpose, and there is a better one suited to today’s needs”. This approach probably cost them some customers, as those customers clearly had a high appetite for risk and didn’t think the protection was necessary for the additional cost.
Some of our clients said “Okay, great. Thank you”, while others said “We don’t really like the price and are happier with less protection and lower cost”. Others simply said “No, we are not going to pay any more and we will be looking for another supplier”. This is the main reason why most IT companies will not tell you to do the right thing: they are scared of losing customers and revenue.
So, why is antivirus not good enough?
All legacy antivirus relies on database lookups to identify threats. Every single time it does a scan, it effectively has to pick up the Yellow Pages (the list of viruses and threats) and go through the entire book looking for a match. If it finds a match to something in there, it lists it as a threat. If it can’t match it to anything in the book, then it’s not a threat and lets it go.
The issue is that the Yellow Pages is growing at the rate of four new entries a second. By the time it’s printed, shipped out, and everybody’s got their copy, it’s out of date by thousands or hundreds of thousands of entries, as there are 345,600 new threats added every single day, and it’s not decreasing! This basically leaves you with a solution that is just not fit for the purpose of protecting you against new or unknown threats, not to mention it is not very effective as it relies on constantly looking the threats up every time.
But, you say, it does protect me against millions
of known threats, doesn’t it – surely that is
better than nothing!? The problem we face is
that the hackers aren’t stupid. Why would they
use old threats that they know most solutions
can block? That’s why they’re building new ones
every four seconds because they’re looking for
ways around existing security. What you actually
need is a solution that’s going to look for
patterns of behaviour rather than doing a look up
in an antiquated system.
For want of a better example, it’s like the
difference between using live facial recognition
to identify threats rather than relying on
someone walking around with a photo and
putting it up next to everybody to decide who’s a
threat and who’s not. Or even worse, having to use multiple massive libraries of photos if you’re talking about a proper criminal database.
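As an added example (not code from the article, nor from Security Everywhere or any product it mentions), the Python sketch below contrasts the two models the text describes: a signature lookup of a file's fingerprint against a known-bad list, and a behaviour-based check over what a process actually does. It goes slightly beyond the text by scoring two generic behaviours that a lookup cannot see (mass renaming of files to one new extension, and deletion of backups); the samples, hashes, event streams and thresholds are all constructed for illustration, so the point is the structure of the two checks, not the specific values.

```python
"""Signature ('Yellow Pages') lookup versus behaviour-based detection.

Added illustration; everything here (samples, hashes, events, thresholds)
is constructed for the example and is not any vendor's detection logic.
"""
import hashlib
from dataclasses import dataclass, field

# --- Signature model: is this file's fingerprint in the book? ------------

# Constructed known-bad list: the SHA-256 of two toy "samples" stands in for
# the huge, constantly reprinted signature database the article describes.
KNOWN_BAD_SAMPLES = [b"malware-sample-v1", b"malware-sample-v2"]
SIGNATURE_DB = {hashlib.sha256(s).hexdigest() for s in KNOWN_BAD_SAMPLES}


def signature_verdict(sample: bytes) -> bool:
    """True only if the sample's hash is already in the signature list."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURE_DB


# --- Behaviour model: what is the process doing? --------------------------

@dataclass
class ProcessEvent:
    action: str        # constructed event kinds: "write", "rename", "delete"
    target: str = ""   # file path the action touched


@dataclass
class BehaviourScore:
    score: int = 0
    reasons: list = field(default_factory=list)


MASS_RENAME_THRESHOLD = 20   # constructed threshold; real engines tune this
BACKUP_DELETE_WEIGHT = 3
MASS_RENAME_WEIGHT = 5


def behaviour_verdict(events: list[ProcessEvent]) -> BehaviourScore:
    """Score an event stream against two generic destructive patterns:
    many renames to one new extension, and deletion of backup files."""
    result = BehaviourScore()
    renames_per_ext: dict[str, int] = {}
    for ev in events:
        if ev.action == "rename" and "." in ev.target:
            ext = ev.target.rsplit(".", 1)[1]
            renames_per_ext[ext] = renames_per_ext.get(ext, 0) + 1
        if ev.action == "delete" and "backup" in ev.target.lower():
            result.score += BACKUP_DELETE_WEIGHT
            result.reasons.append(f"deleted backup: {ev.target}")
    for ext, count in renames_per_ext.items():
        if count >= MASS_RENAME_THRESHOLD:
            result.score += MASS_RENAME_WEIGHT
            result.reasons.append(f"{count} files renamed to .{ext}")
    return result


def is_malicious_behaviour(events: list[ProcessEvent], threshold: int = 5) -> bool:
    """Verdict independent of whether the binary has ever been seen before."""
    return behaviour_verdict(events).score >= threshold


def demo() -> tuple[bool, bool]:
    """A constructed 'new variant': unknown to the book, but its actions give it away."""
    new_variant = b"malware-sample-v3"          # not in SIGNATURE_DB
    by_signature = signature_verdict(new_variant)   # False: the book has no entry yet
    events = [ProcessEvent("rename", f"/home/user/doc{i}.locked") for i in range(25)]
    events.append(ProcessEvent("delete", "/backups/backup-2023-01.tar"))
    by_behaviour = is_malicious_behaviour(events)   # True: mass rename + backup deletion
    return by_signature, by_behaviour


if __name__ == "__main__":
    print(demo())   # (False, True)
```

The asymmetry is the whole point of the article's argument: the signature check is exact but only ever as current as its last update, while the behaviour check is approximate (and needs tuning to avoid flagging legitimate bulk operations) but does not care whether the sample is new.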
In short, you get what you pay for in life – cheap
can be nasty, and if the advice is not coming
from a confirmed expert or authority on the
subject, make sure you take a look around and
ask what is the motivation for them actually
supplying you. And remember! Antivirus is
usually sold as a product and proper Cyber
security is sold as a managed service!
by Francis West
Francis West, Chief Executive Officer at Security
Everywhere is on a mission to inform and advise a
million business owners on how to stay cyber safe
so they can maximise the advantages of technology
whilst minimising the risks. Having started his career
in the African Army, Francis moved to the UK and
built a million-pound IT support company. In both
professions, his motivation has been to protect
others from potentially destructive and devastating
threats.
Successes in that first IT business included
redesigning a bespoke, cloud-based, global
recruitment platform and contributing to the design
and launch of a remote desktop solution for
Randstad. Whilst providing managed security
services for large enterprises, Francis realised there
was a lack of information and support tailored to
SMEs. In 2010, he launched Westtek Solutions to
educate SMEs on cyber vulnerability and provide a
complete security service.
This was followed by Security Everywhere, a partnership with Graeme Ison. They provide SMEs with 5 easy, affordable and comprehensive layers of Cyber Protection, within 24 hours. Francis’ expertise
in his field is widely recognised. He sits on 5 Cyber
Security Panels and is the Cyber Security National
Lead for the FSB (Federation of Small Businesses).
As a mentor for CompTIA, he is also involved in
educating the technology gurus of the future.
Taking Ownership of Risk
by Allan Alford
One of the pivotal moments in becoming a
leader in cybersecurity occurs when the newly
minted leader makes the decision to postpone
addressing a particular finding from the team
due to reasons of budget, schedule, business
priorities, etc. This critical moment separates
successful practitioners (who should advocate
to address cybersecurity risks) from successful
cybersecurity leaders (who should advocate for
doing the right thing for the organization -
which might well include deprioritizing a given
cybersecurity risk).
If this moment is pivotal in the initial transition to
cybersecurity leadership, then perhaps it serves
to establish a trend for future leadership roles in
cybersecurity as well. As one rises in leadership
ranks, one should inherently become more
aware of the surrounding environment, of the
needs and drivers of peer departments, and of
higher order objectives and goals for the entire
organization. If such knowledge is expected of a
cybersecurity executive, then that same moment
where the fresh cybersecurity leader makes the
call to not address a given risk due to higher
order concerns should occur more frequently as
the leader gains more perspectives on the
greater organization. To put it another way,
CISOs should take more risks than directors,
who take more risks than managers, who take
more risks than individual contributors.
“Without risk there is no business.
Take the smart risks and profit.
Take the wrong risks and lose. ”
It can be argued that business is nothing more
than taking risks, hoping they are the smartest
risks vs. your competitors, vs. time itself, and
vs. market demand. Take the smart risks and
profit. Take the wrong risks and lose.
Investment is risk. Further, all business
innovation is also by definition risk. What if the
newness of a given product or service prevents
its being understood or adopted? Ingenuity, as
with all business moves, requires wilful risk. It is
important for CISOs to remember this as they
dive into their 2023 risk management plans -
that wilful risk is not just acceptable, but integral
and necessary to the success of the
organization.
CISOs often debate who owns any given cybersecurity business risk identified by the CISO’s team. Most CISOs will tell you that the
CISO’s role is to point out the risk, to clarify it, to
advise on its disposition and let “the business”
own the risk. One can argue, however, that there
is an intrinsic flaw in that argument as indicated
by its nomenclature. “The business” is not
something that exists over there while the
cybersecurity team is over here. To refer to the
rest of the organization as “the business” is to
divorce oneself from one’s vital leadership role in
the business. The mantra is not “Enable the
business!” The mantra is “Be the business!” To
this end, CISOs need to bear more ownership of
risk despite conventional approaches.
If this model is valid, then the CISO’s ownership of risks and of specific risk acceptance should grow commensurate with the awareness of the greater organization. By the time one has achieved the CISO rank, one should see oneself first and foremost as a vital co-leader of the business, as a peer to other business leaders from other departments, and as someone who is well informed as to those other leaders’ goals, drivers and obstacles. The “Chief” in “Chief Information Security Officer” mandates business leadership over cybersecurity leadership.
Getting back to the CISO debate as to risk ownership, the conclusion that unfolds regarding the cybersecurity leadership trajectory is that the CISO is as much a risk owner as their fellow executive business leaders, and no less so. One cannot be the business without inheriting risk ownership, in other words. That ownership is shared across all the business leaders, and the CISO does not have an inherent right to claim an advisory-only role with regard to any given risk they have identified. The ownership of risk is mutual and mandated for all executives.
The CISO job is hard. The hours are long, the stakes are high, and the stress levels seldom dissipate. Often CISOs are scapegoated, being summarily dismissed when a risk they pointed out to the business months ago turns into an active incident.
CISOs are held accountable and blamed for things they often have no authority over. Every CISO, no matter how competent, devotes some portion of their thinking to a fear of an untimely end to their role. Given this climate, how can CISOs embrace risk ownership? Part of the solution is in addressing this notion of accountability without authority.
Step One is for the CISO to do what they have (presumably) always done: identifying and categorizing risks to surface to their fellow business leaders. Not to the business, but to their fellow leaders. The CISO should then have a recommendation at the ready for the risks being addressed and should firmly and clearly state that recommendation.
The CISO should then state that, “It is my recommendation that we…” Being firm on disposition while encouraging mutual ownership begins the process. Note that this approach can never be embraced until the CISO has internalized it and applied it to their own personal career risk:
“I am accepting and owning some career risk with each business decision I make. This is the price of executive leadership, and I will not let it worry me as I charge forward in my role.”
The vital aspect of this method is two-fold. First, the CISO is not shirking or dodging, avoiding, or placing themselves in a position of helplessness. The CISO is demonstrating authority by publicly declaring accountability. Authority is given far less than it is taken, and authority is rarely successfully held by those who do not publicly own the outcomes of authority, both good and bad. For the CISO who embraces this philosophy and approach, Step Two manifests in two ways. One: authority has grown to meet the accountability that the CISO led with. Two: career risk is actually diminished, not increased, due to the CISO’s demonstrating real leadership, real ownership, real business savvy, and real accountability from a business standpoint. To demonstrate these qualities is to weather at least most storms that might blow in when a given risk-taking decision backfires. We all are capable of gambling on the wrong outcome. Doing so with authority and accountability, doing so with the mutual respect of peers who recognize that accountability has been maintained, most likely results in commiseration rather than termination.
To paraphrase the common saying, “Accountability is everything.”
CISO and Cybersecurity Consultant, Mr. Allan Alford has led security functions in companies from 5 employees to 50,000 and executes a risk-based approach to security, as well as compliance with many frameworks.
With a Master of Information Systems & Security and a Bachelor of Liberal Arts with a focus on Leadership, and twenty+ years in information security, Allan has served as CISO five times in four industries, with a strong history in technology, manufacturing, telecommunications, litigation, education, cybersecurity and more. He parlayed an IT career into a product security career and then ultimately fused the two disciplines. This unique background means that Allan approaches the CISO role with a highly business-aligned focus and an understanding of an organization's greater goals, drivers, methods, and practices.
Allan Alford gives back to the security community via The Cyber Ranch Podcast, by authoring articles, speaking at conferences, teaching, mentoring, and coaching aspiring CISOs.
About Allan Alford Consulting
Mr. Alford launched his boutique cybersecurity consulting practice in 2022, with the intention of helping
organizations efficiently implement and manage security programs and projects. Allan keeps the practice small,
bringing in a hand-selected team of subject matter experts only as required, to forge long-term relationships with
each client and to intimately understand and fulfil each organization's unique needs.
Allan Alford, United States
Cybersecurity Leadership
by Steve King
We hear frequently that 99% of global business leaders claim cyber risk is the greatest risk facing our economy, and when Fed Chairman Jerome Powell said on 60 Minutes that the greatest risk to the economy is cyber risk, we assume that our business leaders are all on the same page. They don’t worry about inflation, another financial crisis or another pandemic; they worry about cyber risk.
The World Economic Forum (WEF) Global Risk Report 2021 tells us that the top three short-term risks to the world, as defined by its survey of 650 WEF leaders, are infectious disease, income inequality and extreme weather events. The fourth is cybersecurity. Nearly 40% of WEF leaders cited cybersecurity as a “clear and present danger” to the global economy. While we have seen some degree of global cooperation around the first three issues, we have not seen that same level of cooperation around cybersecurity.
Given my background, I empathize with cybersecurity leadership and can’t imagine trying to do the job at current expectation levels during the storm in which we find ourselves. The competition between business unit owners driving toward the 4th industrial revolution, pockets of shadow IT running unknown quantities of cloud sessions, increased dependencies on supply chains, open source everywhere, new heights of network complexity, a lack of available resources to fill the gaps, and increased sophistication and smarter attacks from cyber-criminals, along with promises of safety and security from 4,000 point-solution vendors, would drive anyone crazy.
If you have a CISO who appears to be keeping the lights on, make sure s/he is happy. For every competent CISO, there must be a dozen who aren’t.
But CISO leadership is not limited to technology choices, maturity programs, operations and governance and the provisioning of adequate detection and protection capabilities to assure a computing environment is safe from bad guys. It is responsible to the company and shareholders to do everything possible to assure maximum protection and the implementation and support of well-thought-out and carefully designed layers of defense, leveraging the best and most effective technology tools, the optimal use of available resources, the appropriate levels of education and training delivered to the right people at the right time, and communication with C-suite and Board members at a level where both sides can operate from the same page of the playbook, at all times.
In addition, in most corporate IT environments, the relationships between the IT leaders and the security leaders appear opposed or operate with a substantial amount of friction. One requires the absolute cooperation of the other to enable their programs and achieve their goals, cooperation that is not always forthcoming. The relationship between the board, C-suite and the CISO is often ill-suited to the execution of actionable programs, as the definitions of accountability and responsibility are soft-pedaled and generally ignored by the senior party. This translates to responsibility and even accountability on paper but not extended in fact or downright withheld in practice, leading to mistrust and an inordinate number of anti-productive meetings, analyses and proposals.
My experience is that the board simply does not trust either the IT or Security leadership; they don’t trust that either team understands the business nor could make the right executive decisions were they in charge, and as a consequence, the board will not relinquish the reins of leadership outside of their domains. The CISO doesn’t seem to be able to grasp business basics or understand, for example, the notion of risk transfer.
“What we need is for the CISO to step into
the breach – to embrace a true leadership
role – which translates to defining a path
forward that will minimize the probability of
a catastrophic event. It is now time for the
CISO to report directly to the CEO or the
BOD. We are swimming in a new ocean now
and if we expect CISOs to be held
accountable with personal liability and
fiduciary care duty, then s/he needs to have
the appropriate reporting and decision
authority as well.”
Following the Joe Sullivan verdict, I will be
surprised if our next shortage isn’t the CISO role
itself. Would you risk 8 years behind bars to
defend a dysfunctional company’s assets without
controls or authority for $500K a year? Of course
not and when Sullivan’s sentencing becomes
real for folks, there will be few willing to take
that risk.
True leadership means having the courage to architect and promote an alternate approach to layered, defense-in-depth security models. It means embracing an enterprise-wide Zero Trust strategy: one that begins with third-party assessment and a rigorous identification of critical assets; isolates these assets through micro-segmentation; protects access through granular identity management and policy engines; fully saturates the monitoring of lateral activity, from initial entry through behavior while on the networks to session exit; dedicates fully staffed cybersecurity hygiene programs; and has the discipline to adhere to best practices throughout.
It means translating that strategy into language
that the board will understand and
contextualized outside the standard
threat/consequence matrix, so that professional
risk decision makers can make determinations
aligned with realities that they can now
understand. We may not be able to fix leadership
issues at the national or international levels, but
nothing stops us from doing so within our own
domains. Other than fear.
The Convention on Cybercrime (AKA the Budapest Convention) has been ratified by 65 nations, but it focuses primarily on nation states assisting each other in the prosecution of cybercrimes, not on addressing today’s nation states attacking private sector companies at will. Are 65 companies asleep at the wheel, or have they all signed up for Chinese protection under the BRI initiative?
Even though we have seen these attacks in action now for years, we still have no Convention-like treaty that establishes rules of engagement for nation states in cyberspace and provides a legal framework for the international prosecution of violators. And as a consequence, nothing will change the global landscape for private or public leadership with regard to cyber-crime and cyber-attacks. Without modernized laws at a whole-of-government level globally, it is impossible to impress upon the decision makers in private companies to break from the pack.
Risk transfer will remain the Sleepeze for board members unless and until our CISO leadership community determines that it is their responsibility to force reality into their presentations in a way that the board can both grok and understand the details of liability as they relate to their fiduciary responsibilities. Or until cyber-insurance disappears as a risk-transfer option. Until then, business as usual.
As a result, without changing the way that CISOs manage within their organizations, the lack of leadership will always be one of the great Achilles’ heels of the Cybersecurity space. It is the equivalent of laws that protect retail criminals from prosecution if all they steal is valued at or under $950.
As even casual observers will recall, it only took Colonial one day to decide on a $5 million ransomware payment, in spite of aggressive Federal and Law Enforcement advice to the contrary. That is risk transfer in action, and it did nothing to help prevent another attack, either on Colonial or on its brethren, pipeline companies worldwide.
Mr. Steve KING is the Founding Board Member and Managing Director of CyberEd.io, the leading Cybersecurity Education On-line Learning program in the world. His other day-job is helping Cybersecurity clients get their brand story, positioning statements and messaging squared to the appetite of their targeted audience, as Managing Director of CyberTheory, a full-service digital marketing, branding and advertising company. Both organizations are part of the ISMG global media family, the largest media group focused only on Cybersecurity in the world. Education in Cybersecurity is Steve’s passion and he feels lucky to have this amazing, broad, popular, far-reaching and active ISMG network to promote and advise on their way toward CyberEd.io’s North Star, which is to CLOSE THE GAP in Cyber education.

Steve got his start in InfoSecurity as a co-founder of the Cambridge Systems Group, which brought to market ACF2, the [still] leading data security product for mainframe computers – Cambridge sold their product suite to CA back in the 1980s. In the year 2000, as businesses struggled to get their message out to the web, Steve started a few businesses to help make that easier: from ESI, a digital branding business that helped companies like Harley-Davidson, Abercrombie and Fitch and Lucky Brands get to the digital markets, to Blackhawk Systems Group, an early player in the SIEM/SOC/MSSP space. Blackhawk and its partners aggressively pursued the Chinese markets between 2012 and 2017, setting up offices in Beijing, Shanghai and Shenzhen. Many consider Steve an expert in Chinese Cybersecurity as a result. Prior to the focus on Cyber, Steve served as CIO for a large, international Computer and Storage Systems manufacturing company, with responsibility for both IT and OT.
People Are The Crown Jewels
Anne Leslie, Cloud Risk and Controls Leader Europe at
IBM Cloud for Financial Services
Anne Leslie is Cloud Risk and Controls Leader Europe at IBM Cloud for Financial Services, where she focuses on supporting financial institutions to securely accelerate their journey to the cloud and transform their cybersecurity operations to adapt to a hybrid multi-cloud reality. An accomplished public speaker, Anne is a passionate advocate for upskilling initiatives related to cyber talent transformation and applying human-centered approaches to some of the most wicked problems facing cybersecurity practitioners. Irish by nature and French by design, Anne lives happily with her three children in Paris, France, which has been her home now for over twenty years.
In the context of cybersecurity, people are frequently referred to as an organization’s biggest vulnerability. And while there is an element of truth to that assertion, it is a framing that negates the hugely positive impact that harnessing human energy, engagement, and commitment can have on an enterprise cybersecurity program.

The truth is that, with the right enablement and environment, people will naturally want to contribute, because as humans we are motivated by being of service and united in something that is bigger than ourselves.

Cybersecurity professionals are often characterized by an innate drive to protect. To many practitioners, information security is much more than a job; it's a cause they want to defend. The most progressive organizations are exploring how to leverage human-centred methods, such as design thinking, as a way of identifying how to design security programs that channel the best of what makes us human and complement these capabilities with processes and tooling that augment people’s skills instead of hindering them.

Such an approach involves interacting with cybersecurity practitioners and enquiring of them, “How might we go about making your day go better? How could we go about allowing you to have more impact? What might we be able to do to take obstacles out of your way?”

Again, these are seemingly simple questions. However, rare are the organizations where such questions get asked and where the answers are genuinely acted upon. While many cybersecurity professionals start out in their careers with a powerful desire to serve and defend, the weight of organizational bureaucracy, misaligned objectives, and executive disinterest can end up diluting even the most robust resolve.

Leaders who are authentically seeking to enable their cybersecurity team to achieve a bigger collective impact for the business and more individual fulfilment should never underestimate the power of consistently showing that they care about their people.
Scott D. Foote
Managing Director at Phenomenati Consulting
Introducing Risk Level Agreements™ (RLA) for the C-suite and the Board

To facilitate discussions between executive teams and their boards, Phenomenati has created the concept of Risk Level Agreements™ (RLAs) (www.risklevelagreements.com), which concretely document an organization’s strategic Risk Profile and the decisions made regarding how those Risks will or will not be addressed.

Phenomenati refers to these as “agreements” because they codify the shared awareness, assessment, negotiation, and decisions between the organization’s leadership and its infrastructure providers (both internal and external) with respect to the balance of benefits, costs, and Risks in any aspect of the business. The RLA then becomes a formal business record, persisting the context and tradeoffs of critical business decisions across changes in the organization, until such time as any decision needs to be revisited.

Typically, development of RLAs will include a series of quarterly Executive team meetings that employ high-level Risk Scenarios to support cross-functional, collaborative decision making regarding whether the leadership team will Accept, Reject, Mitigate, and/or Transfer each identified strategic Risk.

While these RLAs greatly improve strategic-level planning and reporting, they also provide very clear corporate records which concretely demonstrate the Due Diligence and Due Care applied to the organization’s overall Risk Management efforts.

Each RLA includes discussion of 6 key topics, discussed briefly below: the organization’s Risk Tolerance, Risk Scenarios, Inherent Risk, Recommended Controls to mitigate risk, Risk Mitigation Decisions, and remaining Residual Risk that is either accepted, transferred, or avoided.

Risk Tolerance ("Appetite")
Each Phenomenati RLA begins by documenting the organization’s current benchmark for Risk Tolerance. The U.K.’s Institute of Risk Management defines Risk Tolerance or Appetite as “the amount and type of risk that an organization is willing to take in order to meet their strategic objectives”.

A qualitative approach to characterizing an organization’s Risk Tolerance/Appetite might use a subjective spectrum from “Risk Averse – to Risk Neutral – to Risk Seeking”.

A quantitative approach to characterizing an organization’s Risk Tolerance/Appetite might use an objective, numerical threshold to describe specific levels of acceptable loss (e.g., % of revenue lost). In practice, most organizations find that their Risk Tolerance is situationally dependent upon the circumstances of each specific Risk Scenario that has been identified. So, a single “threshold” value is often impractical.

Risk Scenarios
Any serious discussion about “Risk” must transform abstract concepts into concrete expressions using concepts such as the “Risk Scenarios” mentioned above. A “Risk Scenario” begins with identifying a specific Threat that is directly relevant to specific Assets of the organization (e.g., business systems or business information). Discussion of Threats should include the Likelihood or anticipated frequency of each Threat materializing.
• e.g., a threat actor attempts to steal customer records, 4-5 times per year.
Next, across the organization, any Vulnerabilities relevant to that Threat are identified. This should include the Severity of the Vulnerability.
• e.g., use of single-factor authentication [weak passwords] on accounts with bulk access to customer records.
Finally, the potential Impact of specific Threats exploiting specific Vulnerabilities is characterized in terms of Consequences to the business (e.g., potential losses). These Consequences should be assessed both qualitatively and quantitatively.
• e.g., a possible $xM in regulatory fines, a potential 20% loss of customers, and a potential 35% drop in revenues due to reputation damage.
To effectively characterize each Risk in terms of numeric “amounts”, Phenomenati applies conventional Risk Assessment discipline, including both Qualitative and Quantitative assessment of each Risk Scenario that has been identified. Deeper explanation of Risk Assessment techniques is a topic for another article.
Risk Register columns: ID | Risk Type | Threat (Metric) | Vulnerability (Metric) | Consequences (Metric) | Qualitative score (0 - 25) | SLE | ARO | Annualized Loss Expectancy (SLE x ARO = ALE)

R0001
  Risk Type: Legal, Reputational (Cyber)
  Threat (Metric 5): Criminal Theft / Extortion
  Vulnerability (Metric 4): Need to improve Data Loss Prevention. Do not adhere to Least Privilege principle. Need to improve Segregation of Duties. End-point Protection on cloud assets. Monitoring & Detection on cloud assets not well integrated into Security Ops (Sophos 24x7 SOC service). Need to review the protections on DevOps pipeline.
  Consequences (Metric 5): First Party Privacy Breach - Loss of Client Confidential material
  Score (0 - 25): 22.5   SLE: $4,000,000   ARO: 0.25   ALE (SLE x ARO): $1,000,000

Figure 1 - Example “Risk Scenario”
The example “Risk Register” in the diagram below includes a short set of example Risk Scenarios (rows) where each has been Qualitatively and Quantitatively assessed. Those aggregate Risk “scores” appear in columns to the right, and are used to prioritize the overall list of Risks as well as inform subsequent Business Cases (e.g., Cost-Benefit Analyses) regarding investment in additional Controls.
Inherent Risk
Inherent Risk is traditionally thought of as the “untreated” risk in a process or activity, meaning that nothing has been done to either reduce the “likelihood” or mitigate the “impact” of potential threats. In Phenomenati’s RLAs, the Inherent Risk is captured as the collection of potential Consequences from the Risk Scenarios that have been identified. Effective methods for communicating the set of “Inherent Risks” to an organization include a tabular “Risk Register” and/or a simple “Risk Matrix” diagram.
[Risk Matrix diagram - “Risk Landscape”]
5 x 5 grid with Likelihood (1 to 5) on one axis and Impact (1 to 5) on the other; each cell holds Likelihood x Impact:
5 10 15 20 25
4 8 12 16 20
3 6 9 12 15
2 4 6 8 10
1 2 3 4 5
Plotted (ACTUAL) Risk Scenarios: R0001 through R0020.
Current Aggregate Risk: $10,940,000
The very familiar example of a “Risk Matrix” in the diagram above illustrates how the Qualitative scores for each of the Risk Scenarios from the Risk Register can be plotted along the traditional attributes of “Likelihood” and “Impact”. Risks to the upper right of the risk matrix (in the yellow, orange, or red cells) are typically considered to have Inherent Risk that is above the organization’s Risk Tolerance.

Below the matrix, the “Current Aggregate Risk” sums up the Quantitative monetary values of the current Risk Scenarios from the Register. Presenting this value along with the traditional Risk Matrix has proven to be a powerful catalyst for discussion among Executive Leadership teams, as well as with Boards.
Risk Level Agreements™ (RLAs) - Example “Risk Register”
Qualitative Assessment (Risk Levels): ID | Risk Type | Threat (Metric) | Vulnerability (Metric) | Consequences (Metric) | score 0 - 25. Quantitative Assessment: SLE | ARO | Annualized Loss Expectancy (SLE x ARO = ALE).

R0001
  Risk Type: Legal, Reputational (Cyber)
  Threat (Metric 5): Criminal Theft / Extortion
  Vulnerability (Metric 4): Need to improve Data Loss Prevention. Do not adhere to Least Privilege principle. Need to improve Segregation of Duties. End-point Protection on cloud assets. Monitoring & Detection on cloud assets not well integrated into Security Ops (Sophos 24x7 SOC service). Need to review the protections on DevOps pipeline.
  Consequences (Metric 5): First Party Privacy Breach - Loss of Client Confidential material
  Score: 22.5   SLE: $4,000,000   ARO: 0.25   ALE: $1,000,000

R0002
  Risk Type: Operational, Legal, Reputational (Cyber)
  Threat (Metric 5): Ransomware
  Vulnerability (Metric 4): Need to improve Data Loss Prevention. Do not adhere to Least Privilege principle. Need to improve Segregation of Duties. End-point Protection on cloud assets. Monitoring & Detection on cloud assets not well integrated into Security Ops (Sophos 24x7 SOC service). Need to review the protections on DevOps pipeline.
  Consequences (Metric 5): Loss of Availability of the SaaS platform leads to Reputation damage (loss of Trust, Credibility) and Lost Business (clients, revenue)
  Score: 22.5   SLE: $2,000,000   ARO: 0.5   ALE: $1,000,000

R0003
  Risk Type: Operational, Legal, Reputational (Cyber)
  Threat (Metric 4): Compromise of Service, Injection of Malicious Software into the SaaS offering
  Vulnerability (Metric 5): End-point Protection on cloud assets. Need to review protections on DevOps pipeline. Need to expand/improve Application Security Testing (AST) (e.g., scanning of all sw dependencies).
  Consequences (Metric 5): Loss of Integrity in SaaS Infrastructure leads to loss of either Client or Company Intellectual Property (IP), damages valuation.
  Score: 22.5   SLE: $5,000,000   ARO: 0.2   ALE: $1,000,000

R0011
  Risk Type: Legal, Reputational (Cyber)
  Threat (Metric 5): High Expectations of Security & Privacy from Prospects
  Vulnerability (Metric 4): Overall Information Security & Privacy Program has not yet been certified.
  Consequences (Metric 4): Lost revenue opportunities. Losses to valuation in financing rounds.
  Score: 18   SLE: $1,000,000   ARO: 4   ALE: $4,000,000

R0004
  Risk Type: Operational, Legal, Reputational (Cyber)
  Threat (Metric 3): Insider Threat
  Vulnerability (Metric 4): Administrative Controls need improvement: e.g., background checks for privileged staff w/ "Need to Know"; more specific policies on Data Classification, Access Control, Data Handling, Data Retention; add'l NDAs; special access training; team experienced with Insider Threat Investigations. Technical Controls need improvement: Need to improve Data Loss Prevention; e.g., no monitoring of Annotators while in system; e.g., no monitoring of engineering and operations staff w/ full privileged access; e.g., no UAM/UBA platform to tune and monitor User Behavior effectively. Physical Controls TBD.
  Consequences (Metric 5): Loss of Client Confidential intellectual property leads to Reputation damage (loss of Trust, Credibility) and Lost Business (clients, revenue)
  Score: 17.5   SLE: $4,000,000   ARO: 0.5   ALE: $2,000,000

Figure 2 - Example “Risk Register”
Recommended Controls
For the highest priority Risk Scenarios, Controls (also called countermeasures) which may directly impact each scenario are enumerated and assessed for practicality. Some controls will attempt to reduce the Likelihood of a specific Threat exploiting a Vulnerability, e.g., use of 2FA for privileged accounts. Some controls will attempt to reduce the Impact of a possible compromise, e.g., use of backups or replication, or obfuscation/tokenization of customer information. Each Control is assessed for practicality based upon Benefits (e.g., reduction in Likelihood or Impact to reduce the Risk), related Costs, and any additional Risk the use of the Control may introduce.
For each Risk Scenario, Phenomenati’s RLA captures the current inventory of Recommended Controls using a simple table called a “Control Matrix”. The example in the diagram above illustrates how Controls might be proposed and communicated to a non-technical audience, in support of an RLA discussion, for the common Risk Scenario of “Insider Threat” (InT). Note that each Control is placed in the matrix based upon the Control Type (Administrative, Physical, or Technical) and the Control Objective (Preventative, Detective, or Corrective).

The total Costs of the recommended Controls are estimated and then added to the evolving Risk Register (see the diagram below) to support the Cost-Benefit Analysis of the proposed investment (ref. the far right columns). Simplistically, quantitative reductions in Risk that outweigh the associated Cost of additional Controls are considered a good investment. A deeper discussion of this Cost-Benefit Analysis is out of scope for this article.

Figure 4 - Example “Control Matrix”
Risk Level Agreements™ (RLAs) - Example “Risk Register” Including Simple Cost-Benefit Analysis
The Qualitative Assessment (Risk Levels) and Quantitative Assessment columns (Risk Type, Threat, Vulnerability and Consequences with their Metrics, score 0 - 25, SLE, ARO, Annualized Loss Expectancy SLE x ARO = ALE) are those of Figure 2 for the same five scenarios. Added columns: Controls (Administrative | Physical | Technical | Annualized Cost) and Cost/Benefit Analysis.

R0001 - Criminal Theft / Extortion; score 22.5; SLE $4,000,000; ARO 0.25; ALE $1,000,000
  Controls: Administrative $100,000 | Physical $ - | Technical $100,000 | Annualized Cost $200,000
  Cost/Benefit Analysis: 5.00
R0002 - Ransomware; score 22.5; SLE $2,000,000; ARO 0.5; ALE $1,000,000
  Controls: Administrative $100,000 | Physical $ - | Technical $300,000 | Annualized Cost $400,000
  Cost/Benefit Analysis: 2.50
R0003 - Compromise of Service, Injection of Malicious Software into the SaaS offering; score 22.5; SLE $5,000,000; ARO 0.2; ALE $1,000,000
  Controls: Administrative $100,000 | Physical $ - | Technical $100,000 | Annualized Cost $200,000
  Cost/Benefit Analysis: 5.00
R0011 - High Expectations of Security & Privacy from Prospects; score 18; SLE $1,000,000; ARO 4; ALE $4,000,000
  Controls: Administrative $300,000 | Physical $ - | Technical $500,000 | Annualized Cost $800,000
  Cost/Benefit Analysis: 5.00
R0004 - Insider Threat; score 17.5; SLE $4,000,000; ARO 0.5; ALE $2,000,000
  Controls: Administrative $100,000 | Physical $ - | Technical $5,000,000 | Annualized Cost $5,100,000
  Cost/Benefit Analysis: 0.39

Figure 5 - Example “Risk Register” Including Simple Cost-Benefit Analysis
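The arithmetic behind the Risk Register figures above, as an added example (not Phenomenati's code or tooling): the five rows are transcribed from Figures 2 and 5; the formulas for Likelihood, the 0-25 score and the Cost/Benefit column are inferred from the figures' numbers, which they reproduce exactly, and the tolerance thresholds passed to `above_tolerance` are assumptions, not values from the article.

```python
"""Risk Register arithmetic behind the RLA figures (added example, not Phenomenati's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RiskScenario:
    risk_id: str
    threat: str
    threat_metric: int        # 1-5: likelihood / frequency of the Threat
    vuln_metric: int          # 1-5: Severity of the relevant Vulnerabilities
    consequence_metric: int   # 1-5: Impact of the Consequences on the business
    sle: float                # Single Loss Expectancy, dollars per event
    aro: float                # Annualized Rate of Occurrence, events per year
    # Annualized cost of Recommended Controls by Control Type (Figure 5 columns)
    control_costs: Dict[str, float] = field(default_factory=dict)

    @property
    def likelihood(self) -> float:
        # Inferred from the figures: mean of the Threat and Vulnerability metrics.
        # This reproduces the 0-25 score of every row in Figure 2.
        return (self.threat_metric + self.vuln_metric) / 2

    @property
    def qualitative_score(self) -> float:
        # "Risk Levels" 0-25 score: Likelihood x Impact, the cell value on the 5x5 matrix
        return self.likelihood * self.consequence_metric

    @property
    def ale(self) -> float:
        # Annualized Loss Expectancy, the figures' "SLE x ARO = ALE"
        return self.sle * self.aro

    @property
    def annualized_control_cost(self) -> float:
        return sum(self.control_costs.values())

    @property
    def cost_benefit_ratio(self) -> Optional[float]:
        # Figure 5's Cost/Benefit column (inferred): ALE per dollar of annualized control cost
        cost = self.annualized_control_cost
        return None if cost == 0 else round(self.ale / cost, 2)

    def is_good_investment(self) -> bool:
        # The article's simplistic rule: risk reduction must outweigh the cost of the Controls
        ratio = self.cost_benefit_ratio
        return ratio is not None and ratio > 1.0


# The five rows shown in Figures 2 and 5, transcribed from the page
REGISTER: List[RiskScenario] = [
    RiskScenario("R0001", "Criminal Theft / Extortion", 5, 4, 5, 4_000_000, 0.25,
                 {"Administrative": 100_000, "Physical": 0, "Technical": 100_000}),
    RiskScenario("R0002", "Ransomware", 5, 4, 5, 2_000_000, 0.5,
                 {"Administrative": 100_000, "Physical": 0, "Technical": 300_000}),
    RiskScenario("R0003", "Compromise of Service / malicious software in SaaS offering",
                 4, 5, 5, 5_000_000, 0.2,
                 {"Administrative": 100_000, "Physical": 0, "Technical": 100_000}),
    RiskScenario("R0011", "High Expectations of Security & Privacy from Prospects",
                 5, 4, 4, 1_000_000, 4.0,
                 {"Administrative": 300_000, "Physical": 0, "Technical": 500_000}),
    RiskScenario("R0004", "Insider Threat", 3, 4, 5, 4_000_000, 0.5,
                 {"Administrative": 100_000, "Physical": 0, "Technical": 5_000_000}),
]


def aggregate_inherent_risk(register: List[RiskScenario]) -> float:
    """The "Current Aggregate Risk" shown under the Risk Matrix: the sum of all ALEs."""
    return sum(s.ale for s in register)


def prioritize(register: List[RiskScenario]) -> List[str]:
    """Risk IDs ordered by qualitative score, then ALE (both descending), then ID."""
    ranked = sorted(register, key=lambda s: (-s.qualitative_score, -s.ale, s.risk_id))
    return [s.risk_id for s in ranked]


def above_tolerance(register: List[RiskScenario], score_threshold: float,
                    annual_revenue: float, max_loss_fraction: float) -> List[str]:
    """Scenarios exceeding an ASSUMED Risk Tolerance, tested both ways the article names:
    qualitatively (matrix score above a threshold) and quantitatively (ALE above a
    fraction of revenue). The thresholds are the caller's, not values from the article."""
    loss_limit = annual_revenue * max_loss_fraction
    return [s.risk_id for s in register
            if s.qualitative_score > score_threshold or s.ale > loss_limit]


def by_id(register: List[RiskScenario], risk_id: str) -> RiskScenario:
    return next(s for s in register if s.risk_id == risk_id)


if __name__ == "__main__":
    for s in REGISTER:
        print(f"{s.risk_id}: score={s.qualitative_score:5.1f} ALE=${s.ale:>12,.0f} "
              f"controls=${s.annualized_control_cost:>12,.0f} C/B={s.cost_benefit_ratio}")
    print(f"Current Aggregate Risk: ${aggregate_inherent_risk(REGISTER):,.0f}")
    print("Priority order:", prioritize(REGISTER))
    # Assumed tolerance: matrix score above 20, or ALE above 10% of $30M revenue
    print("Above tolerance:", above_tolerance(REGISTER, 20, 30_000_000, 0.10))
```

Note that R0004's Cost/Benefit ratio of 0.39 comes out below 1.0 because the $5,000,000 of technical controls exceeds its $2,000,000 ALE, which is exactly the kind of row the article's cost-benefit test is meant to flag.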
Risk Mitigation Decisions
Within the constraints of both Budget and Risk Tolerance, the Controls with the optimal Benefit/Cost/Risk balance are selected, recommended for implementation, and either approved or rejected by senior leadership. Based upon this due diligence, the leadership team will document their decisions on whether to Accept, Reject, Mitigate (through additional Controls), and/or Transfer (e.g., to insurance underwriters) the Inherent Risk within each of the Risk Scenarios that have been identified.

These decisions regarding investment in additional Controls, including the Residual Risks for each Risk Scenario, complete the organization’s Risk Level Agreements (RLA). The executive team (and board as appropriate) document their agreement regarding what investments will be made (or not), including what Residual Risk will be accepted (ref. the additional columns on the far right in the diagram below).

Residual Risk
Finally, any “Residual Risk” (those Risks remaining unaddressed) is clearly documented, often using the same Risk Register described above. The Residual Risk is then compared to the overall Risk Tolerance of the organization. Where Residual Risk still exceeds the organization’s Risk Tolerance, additional Risk Mitigations may be considered, or the Residual Risk should be explicitly Accepted or Transferred.

Our team at Phenomenati hope you find this concept of Risk Level Agreements to be as useful as we have in improving strategic-level planning and reporting between your Executive Teams and your Boards.

Figure 6 – Example “Risk Register” Including Executive Agreements
Risk Level Agreements™ (RLAs) - Example “Risk Register” Including Executive Agreements
The Qualitative Assessment, Quantitative Assessment, Controls and Cost/Benefit Analysis columns are those of Figure 5 for the same five scenarios. Added DECISIONS columns: Avoid | Accept | Mitigate | Transfer; Authorities: CEO | COO | CSO | CTO | Product | Eng | India GM; Dates: Date Decided | Last Reviewed | Next Review.

R0001 - Criminal Theft / Extortion (ALE $1,000,000; Annualized Cost $200,000; Cost/Benefit 5.00)
  Decision: X X (two of Avoid / Accept / Mitigate / Transfer marked; which two is not legible in the extracted figure)
  Authorities: CEO AB | COO CD | CSO EF | CTO GH | Product IJ | Eng KL | India GM MN
  Dates: Decided 2022-02-01 | Last Reviewed 2022-02-01 | Next Review 2023-02-01
R0002 - Ransomware (ALE $1,000,000; Annualized Cost $400,000; Cost/Benefit 2.50)
  Decision: X X (two columns marked; not legible which)
  Authorities: CEO AB | COO CD | CSO EF | CTO GH | Product IJ | Eng KL | India GM MN
  Dates: Decided 2022-02-01 | Last Reviewed 2022-02-01 | Next Review 2023-02-01
R0003 - Compromise of Service, Injection of Malicious Software into the SaaS offering (ALE $1,000,000; Annualized Cost $200,000; Cost/Benefit 5.00)
  Decision: X X (two columns marked; not legible which)
  Authorities: CEO AB | COO CD | CSO EF | CTO GH | Product IJ | Eng KL | India GM MN
  Dates: Decided 2022-02-01 | Last Reviewed 2022-02-01 | Next Review 2023-02-01
R0011 - High Expectations of Security & Privacy from Prospects (ALE $4,000,000; Annualized Cost $800,000; Cost/Benefit 5.00)
  Decision: X (one column marked; not legible which)
  Authorities: CEO AB | COO CD | CSO EF | CTO GH | Product IJ | Eng KL | India GM MN
  Dates: Decided 2023-02-01 | Last Reviewed 2023-02-01 | Next Review 2024-02-01
R0004 - Insider Threat (ALE $2,000,000; Annualized Cost $5,100,000; Cost/Benefit 0.39)
  Decision: X X (two columns marked; not legible which)
  Authorities: CEO AB | COO CD | CSO EF | CTO GH | Product IJ | Eng KL | India GM MN
  Dates: Decided 2022-02-01 | Last Reviewed 2022-02-01 | Next Review 2023-02-01
About the Author:
CISO, CPO/DPO, Cybersecurity Executive, Board Advisor, CISSP, CCSA, CCSP, CISM, CDPSE, CIPM, CRISC, CISA, and currently a Managing Director with Phenomenati, Scott Foote is a globally recognized thought leader and subject matter expert with more than 35 years of technology leadership experience in cybersecurity and the broader software industry. Scott is an experienced cybersecurity executive, designing security and privacy into digital transformation initiatives for his clients. He has an acute ability to understand and map organizational needs to security models, architectures, solutions, and technologies.
“Cybersecurity, like life,
has the colours that you give it”
Stéphane NAPPO
“KNOW THYSELF”
The Ancient Greek aphorism "Know Thyself" (Greek: γνῶθι σεαυτόν, transliterated: gnōthi seauton; also ... σαυτόν … sauton with the ε contracted) is one of the Delphic maxims and was inscribed in the pronaos (forecourt) of the Temple of Apollo at Delphi, according to the Greek writer Pausanias (10.24.1). The phrase was later expounded upon by the philosopher Socrates, who taught that “The unexamined life is not worth living”.
An unexamined business transformation strategy is not worth implementing. To facilitate and maintain the confidentiality, integrity, and availability of data and business operations, consider creating roadmaps to digital transformation; designing a reliable system, where your security strategy is a part of your digital transformation strategy. People are an imperative part of the system.
In essence, automation should NEVER create a function. In the aim of preserving corporate identity and user/customer experience, automation must be driven by a clear functional need and relevant compliance knowledge. For automation (just a tool) to provide a global vision, monitoring, interoperability, traceability, orchestration and steering features, a NEW holistic and strategic vision is required.
As truly successful business decision-making relies on a balance between deliberate & instinctive thinking, so does successful digital transformation rely on the interconnectedness & interdependence of state-of-the-art technologies. In information and cyber security, it is crucial to identify adversaries, to find unknown security vulnerabilities, to reduce cyber risks and to envision the potential future threat landscape. To understand, develop and cultivate remarkable resilience is vital. Have in place an ever-evolving cyber resilience blueprint. Arm your business in the face of future cyber threats. Mind the systemic nature of the cyber threat landscape. 'Know thyself' to increase your cyber-resilience. Strive to inform and educate. Education has always been a profit-enabler for individuals and the corporation. Education, both conception and delivery, must evolve quickly and radically to keep pace with digital transition. Education is a part of the digital equation.
Ten Recommendations for Cyber Resilience Strategy:
Identify, Protect, Detect, Respond and Recover (the NIST CSF domains for managing cyber threats) remain fundamental steps; then the race is on. It is therefore crucial for an organisation to adhere to these ten recommendations while aiming for a high level of cyber resilience:
• Align information and security strategy with business digital transformation strategy.
• Adopt a comprehensive cyber risk management attitude.
• Identify the most critical information and assets.
• Find and Manage vulnerabilities.
• Reduce cyber risks in projects and production.
• Optimize strategically chosen systems reliability.
• Evolve your security to a prevention-based strategic architecture.
• Pledge to employ the state of the art digital and defence solutions.
• Regularly instruct your teams to empower and strengthen their resilience.
• Scale your success by sharing the knowledge and intelligence.
By Stéphane Nappo
TOP CYBER NEWS MAGAZINE
Human Centered Communication of Technology, Innovation, and Cybersecurity
An award-winning digital magazine about people, by people, for people.
Ludmila Morozova-Buss, Editor-In-Chief; Doctoral Student, Capitol Technology University
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf

  • 1. MAGAZINE TOP CYBER NEWS JANUARY 2023 HOW STÉPHANE NAPPO, 2018 GLOBAL CISO OF THE YEAR, VICE PRESIDENT , CYBERSECURITY DIRECTOR & GLOBAL CHIEF INFORMATION SECURITY OFFICER, GROUPE SEB, FRANCE, R ETHINKS CYBERSECURITY STÉPHANE NAPPO WITH
  • 2. The Strategic Leaders’ on Emerging Trends Perspectives Source: Imgur
  • 3. Fore Word “Sometimes people come into your life and you know right away that they were meant to be there, to serve some sort of purpose, teach you a lesson, or to help you figure out who you are or who you want to become. You never know who these people may be (possibly your neighbour, co-worker, longest friend, or even a complete stranger) but when you lock eyes with them, you know at that very moment that they will affect your life in some profound way.” Cybersecurity Community desperately needs a positive and warm-hearted approach to confidence building, developing people, assisting in raising awareness and identifying key issues to support a culture of cybersecurity. It needs leaders, role models that encourage and inspire for transformations to be made. Mr. Stéphane Nappo is one of these leaders. 3 3 Top Cyber News MAGAZINE - January 2023 - All Rights Reserved
  • 4. Innovation in Cybersecurity Dr. Rudy SNIPPE, Netherlands 4 4 Top Cyber News MAGAZINE - January 2023 - All Rights Reserved During a conference where I was talking about innovation, I was approached during the break by a man who introduced himself as Henry. ‘May I ask you something’, Henry asked, and went straight on without waiting for my response. ‘In your presentation you stated that language is an important barrier for innovation, but also an important tool. Can you explain this to me again?’ Despite his somewhat rude appearance, Henry seemed like a nice guy, so I replied: Wow, this is quite a broad question for a short break. Language is, of course, only the first problem organizations face in development & innovation. The way in which organizations are structured is an even bigger problem, but language also plays a role here. I won't make it too complicated. Let's do a short experiment. ‘When you think of the word ‘secure’ from your history, what do you think of?’ Dr. Rudy Snippe is the Founder of the FASS Theory (Strategy & Leadership / Complex Social Systems). Founder, Chief Executive Officer, Partner of Stocastic. World-Strategic Innovation Dynamics platform. Thesis Research Supervisor (MSc) at Nyenrode Business University. “We think in language and through language we create our own world of thought. The language in which we think, and our own world of thought, have acquired meaning in our past. That's fine until we want to develop something new and keep thinking in a language from the past. In addition, everyone has a different past and thus gives a Henry looked a little suspicious and said: ‘On trenches, a suit of armour, defensive walls, something impenetrable.’ “Do you see any of this thinking in the approach to cybersecurity?”, I asked. Henry smiled. “Secure contains cure”, I continued. “Suppose you invent a system that heals very quickly after an attack?” different meaning to language and ideas. 
In order to innovate or develop, we must therefore look for new meanings, perhaps even for new words.” ‘I work in cybersecurity development’, Henry said. ‘As you know, cybersecurity is comprehensive and complex. That is why we work with highly developed experts who really know what they are doing. Can these experts also give an impulse to development and innovation in our company through language?’ “Or imagine that the concept of secure does not consist of defending and protecting, but that you can continue to do what you were doing? The (re)definition of concepts is key in development and innovation. You should always ask yourself what effect you want to cause and try to put this into words as well as possible.” Henry, lost in thought, said ‘goodbye’. We walked back to the conference room.
  • 5. Stéphane NAPPO, France Vice President, Cybersecurity Director & Global Chief Information Security Officer at Groupe SEB – global market leader, in the small household equipment sector, including prestigious brands: Krups, Rowenta, Tefal, Supor, WMF, Emsa, Calor, Moulinex… And present in 150 countries. Stéphane Nappo is an internationally recognized cybersecurity leader and a senior level cybersecurity executive with over twenty-five years' worth of experience in international finance, banking, digital services, and industry. Previously: Global Chief Information Security Officer at Société Générale International Banking and Financial Services (responsible for cybersecurity of 40 major banks in 67 countries); Group Information Security Officer at OVHCloud – European leader in cloud computing, with a presence in 138 countries; Head of Cybersecurity Consulting dept. for Banking & Finance at VINCI - world leader in concessions, energy, and construction, in 120 countries. Throughout his career, Stéphane has taught, trained, and worked with hundreds of talented cybersecurity professionals. Named Global CISO of the Year, and awarded the European Excellence Trophy in Digital Security in 2018, Stéphane Nappo is chosen the Global Security Executive Influencer by the prestigious IFSEC Global, and ranked the Top Five Influential French IT & Cybersecurity expert by FORBES for the Year 2021. Actively supporting diversity and Women in Cyber, Mr. Nappo was named Ally of the Year 2021 by the United Cybersecurity Alliance USA. Passioned for innovation and business’ digital protection, his leadership skills have been recognized throughout the world. His articles and renowned quotes are being cited in numerous books by leading experts and publishers. 5 Top Cyber News MAGAZINE - January 2023 - All Rights Reserved
  • 6. By Stéphane Nappo 6 Top Cyber News MAGAZINE - January 2023 - All Rights Reserved >> Everything is a risk, nothing is a risk… the dose makes the risk A risk generally results from an unwanted outcome or negative consequence. When it comes to cybersecurity, a risk usually relates to the potential for a cyber attack or data breach to occur, which could result in financial loss, reputational damage, or other negative impacts. As the zero-risk does not exist, as well as all actions and decisions can lead to negative consequences, it is possible to state that “everything is a risk”. However, as the risk sensitivity and appetite can vary from an organization to another, and the risk level can also greatly vary depending on the specific situation, context or duration, it is possible to state that “the dose makes the risk“. It means the likelihood and potential impact of an unwanted outcome are closely related to the level of exposure, vulnerability, and tolerance of the target to that risk. A higher level of exposure, vulnerability, or business intolerance to a risk will generally result in a higher likelihood and stronger impact of an unwanted outcome on the resilience capacity. “The evident non-tech basics are fundamental, and quite often overlooked…” Seeking for simplicity Cybersecurity complexity is skyrocketing, led by new business models, new technologies, and the ever-evolving threat landscape. Literally overwhelming the cybersecurity current model, at the very moment we need it, this trend has four main drivers: Technologies changes, Regulatory strengthening, Operational trans- formation, and Cyber threats sophistication. In this context, simplifying cybersecurity is a necessity to help organizations to better protect sensitive information, manage their digital ecosystem, comply with regulations, and reduce evolution costs. It can also make it easier for employees and contractors to apply security practices. 
However, rethinking cybersecurity requires a cultural and strategic comprehensive approach that goes far beyond the sole IT dimension. To succeed, we have to accept that the solution does not lie in more technology, but in cybersecurity philosophy re-engineering. To secure or not to secure… That is the response, not the question! Cybersecurity is first of all a response, both proactive and reactive, to the constantly- sophisticating digital threat and need for resilience. It usually relates to the protection of the digital systems, data, and users, from unauthorized access, disclosure, use, modification, disruption or destruction. To secure or not, is a decision that must be driven by business stakes, situation and the potential consequences to do nothing. It’s usually important to secure things that are critical to operations, regulation, reputation, etc. However, in some cases, when the cost or effort of securing may outweigh the potential benefits, then the decision to not secure and adapt the business ambition, may be appropriate as well. to keep pace with threats and digital evolution
  • 7. 7 Top Cyber News MAGAZINE - January 2023 - All Rights Reserved >> Cybersecurity must be considered a business value, rather than a balance due Nowadays, cybersecurity must be considered by businesses as a value, rather than a fate or solely as a cost center. Whether it comes for IT, OT, IoT, or online services, cybersecurity can enhance organization’s reputation and customer trust, which can be beneficial for business growth, company valuation, and long-term success. It is not only a way to protect from negative events, but also to enhance overall performance and reputation. Conversely, as a result of cyber attacks level and impact severity, to simply wait and see, or reacting to incidents after they happen, is for long no longer a profitable approach. Overall, the situation today highlights the importance of organizations to promptly adopt a comprehensive cybersecurity approach, which may be positively driven by business ambition, risk management, and relevant cybersecurity measures related systems, processes, and users. Cybersecurity is much more than a matter of IT… It encompasses a wide range of topics, including technology, processes, regulations, geopolitics, and human behavior. Effective cybersecurity requires a holistic approach that takes into account the various factors that contribute to an organization's overall security posture, including its interactions with its business strategy, and its ecosystem. Cybersecurity is, therefore, truly a matter of resilience. The risk management is the process of identifying, assessing, and prioritizing the risks to an organization or individual and then taking steps to mitigate or accept those risks. The goal of risk management is to find a balance between the cost, the effort of mitigating a risk and the potential negative impact of the risk if it were to occur. Ultimately, the decision to secure should be based on a balance of risk, business ambitions, and costs. 
In the aim to effectively identify, protect, detect, and especially “respond to” and “recover from”, a cyber attack. One of the main cyber risks is to think they don’t exist. The other is to try to treat all potential risks… Picking battles according emergencies, demands, or audits, can be risky. It may lead to hasty or ill- informed decisions. It can also result in resources being directed away from important or long-term issues. It is important to consider the potential risk driven consequences and prioritize accordingly. “Fix the basics, protect first what matters for your business and be ready to react properly to pertinent threats. Think data, but also business services integrity, users’ awareness, customer experience, compliance, and reputation” By Stéphane Nappo
  • 8. Cybersecurity is the most immediate, financially material sustainability and ESG risk that organizations face today. It has been weaponized by nation states, and it has become an invisible high-stakes battlefield. Covert operations can be carried out without the risk of physical retaliation, making cyber attacks an attractive option for countries to use as a means of projecting power and influence. In addition, cybercrime has become a highly profitable and growing component of GDP for some nation states, while the chances of hackers being caught are extremely low. According to the World Economic Forum 2020 Global Risk, only .05% of crimes are detected and prosecuted. In addition, the reporting of cybercrimes remains low, making it hard to assess how big cyber risk has become across every aspect of the connected world we live in today. As a human-created risk, it seems logical that cyber risk should also be a manageable risk compared to natural disasters, and yet the entrepreneurial nature of motivated hackers requires a more pro-active approach to protect connected organizations. The internet connectivity, data and distributed systems that power enterprises have become an integral part of modern society. Distributed work forces utilizing a variety of personal devices across corporate networks, make managing corporate networks even more challenging than ever. Regulators across the globe are enforcing the reporting of cybercrimes and breaches by passing new laws that impose financial fines to encourage timely disclosures and active defense and management of corporate networks. The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance, while many states have passed local laws requiring organizations to report cyber incidents. The European Union General Data Protection Regulation (GDPR) introduced a groundbreaking directive, and the financial impact of the fines alone could implode a company. 
These fines present a sustainability risk that could bankrupt companies that provide critical services to society. “What greater sustainability risk than cybersecurity risk does an organization face today?” Cybersecurity is Critical for Sustainability Cristina Dolan, Global Head of Alliances, NetWitness 8 Top Cyber News MAGAZINE - January 2023 - All Rights Reserved Sustainability and ESG have become popular topics for investors, and yet most investors lack the visibility or understanding of cyber risk. Regulatory requirements for public companies are increasing. Corporate directors are now expected to understand cyber risks in the context of corporate sustainability. The disclosure of management practices, controls, audits, and policies will be required in financial reports and regulatory filings. “Will 2023 be the year where cybersecurity risk is finally viewed by investors, executives and leaders and the most immediate and financially material risk that organizations face today?” Cristina Dolan, Global Head of Alliances, NetWitness and co-author of Transparency in ESG and the Circular Economy: Capturing Opportunities Through Data
  • 9. by Stéphane Nappo The Swarm Cybersecurity Frequently associated too exclusively to the subjective value of trust, cybersecurity is mainly a response to the need of resilience and digital development of nations states, organizations, businesses, and individuals. In this respect, far to be a balance due, cybersecurity is a pilar for the creation of value and sustainability. Cybersecurity practitioner for more than 25 years, I have profound respect for peers and professional practices in this very challenging discipline. However, I strongly believe that cybersecurity and resilience paradigms have to evolve in shape and strategy to keep pace with the threats’ Darwinian evolution and the fact that they are boxing with no rules. The traditional security approach aims, in most cases, to rely in fine on a central authority or system, to manage and coordinate the defense against threats. Increasingly eroded by the digital transformation and the constant threat evolution, this traditional model leads to two growing major challenges: 1. if the central authority or system is compromised, the entire security system can be defeated; 2. this traditional model can hardly deal with information systems opening to third parties, SaaS, Cloud, and outsourcing trends that impact Business, IT, and Security activities. 9 Top Cyber News MAGAZINE - January 2023 - All Rights Reserved a way to repurpose & strengthen resilience? After decades of pure competition-based model for companies’ and individuals' development, the “togetherness as a pack” is a real cultural challenge to address for cybersecurity. In parallel the (outdated) vision of the cybersecurity as a taboo still makes many actors reluctant to “unite to defend”. Over and above that, the inability to act as a Swarm is also the weakness used by cyber threat to attack one by one its preys. 
Of course, the interest of communities is not new, nevertheless the swarm model aims to share action (detection, reaction, recovery…), far beyond to only share information. To act as a pack increases synergies and can leverage a lot of efficiency relying on the "less is more" model for real. Finally, the swarm must strengthen a “versatile, organic and modular” cybersecurity swarm, with attention to not create new systemic risks.
  • 10. One key advantage of using a swarm approach to cybersecurity is that it can be highly scalable and consistent with the today outsourced and delegated digital ecosystem. As the number of devices in the information systems increases, the capacity of detection/reaction of the swarm also increases. Additionally, because the swarm elements are decentralized, it can be more difficult for an attacker to target a specific device or compromise the security of the entire system. Another benefit of swarm cybersecurity is that it can be more adaptable and responsive to fast evolving threats. Because the devices in the swarm can communicate and coordinate with one another, they can share information about potential threats and work together to respond to them in real-time. This can be especially useful in detecting and responding to sophisticated cyber attacks that may be able to evade traditional security measures. As usual, the first challenge is to support the idea that it can be possible to achieve more with many existing things. (I can hear now some: “there is nothing new in this”, “and so what!?”, … ;-) When in doubt, do remember that cyber attackers are significantly ahead regarding swarm ecosystems. Crime as a service, Dark Marketplaces, Botnets… Are effective demonstrations of their ability to federate self organized and heterogenous systems to converge toward a collective purpose, with an adaptative resilience to deal with technology evolutions and fight back methods. If they can do it for - offence -, so can we for - defense -. The swarm cybersecurity notion refers to the use of a large number of elements (tools, people, processes) or other "swarms" to provide enhanced security for a network or system. These elements can be anything from IT with computers, servers and network, to OT with industrial robots and specifics, IoT devices such as connected products, security cameras or smart thermostats, as well as teams and experts. 
The idea behind swarm cybersecurity is to create a decentralized network of means that can work together to detect and respond to security threats. As an adjunct to current practices, the Swarm Cybersecurity is one interesting approach to consider and drill down that aims to address these challenges by using a decentralized network of interconnected organizations or devices to defend against threats. Overall, the goal of swarm cybersecurity is to create a network that is highly resilient to cyber threats, and able to quickly and effectively respond to any attacks that do occur. 10 Top Cyber News MAGAZINE - January 2023 - All Rights Reserved By Stéphane Nappo
  • 11. 11 Top Cyber News MAGAZINE - January 2023 - All Rights Reserved By Stéphane Nappo How to swarm 1. Think different, envision the whole value chain & its unity beyond boundaries or interoperability gaps: • Shift the scope from supply chain, to end-to- end value chain, including third parties and outsourced services. • Encourage the systems thinking. This discipline is helpful to quickly and efficiently encompass the cybersecurity needs. 2. Adopt a swarm model wherever possible, starting from inside your organization: • Strengthen cybersecurity by design with a systematic first level of self defense, alerting, or monitoring for each item (software, equipment, processes, projects, products…). • Implement the zero trust as well as SASE principles must be a systematic reflex and rule in your organization (configurations, access rights, administration levels…). • Break the silos when it comes to security especially between IT, OT, IoT dimensions. And do remember, the first silo to remove is the false impression that a perimeter fence protection still exists. • Do remember, Swarm is not incompatible with segmentation. Quite the contrary! 3. Unite, and aim to hyperconverge with your fellow beings • Although you may think otherwise, this change is anyway underway. Your organization is hyperconnected, with Internet, digital business processes, and you share a lot of assets and stakes with the Cloud, SaaS, etc. Then, try to benefit from it. Share, share, share! Alerts, best practices, forces conjugation, red button procedures, cybersecurity agreements, requirements. • The goal of Swarm is not to target completeness, but to cover each and every win-win possible mesh. 4. Define and enforce a set of coordinated “behaviors” to protect your fundamentals beyond your organization’s boundaries. • Invest in behaviors beyond IT systems, is important. 
This can include communication protocols, do’s & don’ts, decision-making algorithms, triggers status, and detection, reaction, recovery techniques. • Additionally, you will need to develop a system for monitoring and controlling the swarm proper functioning by parts and “as a whole”, such as a decentralized network. 5. Secure at holistic AND individual levels, using “primal organic self-defense” principals • Your enemy is increasingly automated, then defense must respond accordingly. Attacked by ro-bots, we cannot fightback only with humans, SOCs, and computer mouses. • The principle of primal organic self defense is key. It must rely on simple, but automatized alerts, proactions and reactions. It must be coordinated, but also able to continue to act individually in case of isolation. Many things have yet to be thought through, refined and built. The AI is also working on the SWARM model, and I thought it was important to share this approach with you. After all, SWARM is above all about sharing, without waiting to build together more and better co- operative models relying on Swarm principles. Let’s swarm our opinions and suggestions! . . .
  • 12. 12 Top Cyber News MAGAZINE - January 2023 - All Rights Reserved
  • 13. Stéphane Nappo is one of the main references when talking about Cybersecurity. With a career of more than 25 years in which he has successfully demonstrated that the best way to fight cybercriminal industrialization is the digital transformation of technological environments, he is also international keynote speaker, author, PhD researcher and key opinion leader… He is always a leadership example of paying it forward. It is undeniable that people matter to him. I have been fortunate and honored to know him over the years. He is an excellent human being, a humanistic leader full of qualities who builds teams in high- performance environments where communication, flexibility and active listening are an axis capable of making everyone share a common vision: a purpose and a horizon to navigate towards together. Always at the forefront, it offers us an open and honest vision that goes beyond what we see, that makes us think outside the box, that invites us to grow as professionals and people, reaching every day our best version to offer it to our teams and collaborators without qualms. As a CISO, what I have always admired and what has always struck me about his vision is that he is not a slave to fads. In fact, innovation is the main axis of his decisions, he has always had an excellent risk control and a proactivity focused on benefits that has led him to be a pioneer in the field of cybersecurity. Stéphane’s permanent desire to learn and protect makes a chat with him totally enriching. There is freedom to discuss different strategic visions, and that environment of creativity leads to the best gains in the fight against cybercriminals. It is a privilege and an honor to be able to interview him. In Search of Excellence - Talent, Made in France Interview conducted by Isabel María Gómez, Global Chief Information Security Officer. 
Madrid, Spain 13 13 Top Cyber News MAGAZINE - January 2023 - All Rights Reserved I hope and wish to offer a vision that allows all of us who once chose to dedicate ourselves with dedication to cybersecurity, to discover a source and a reference that brings us light on sometimes unmarked paths, and that make a CISO during the fog to find a light that is a reference to bring the ship to a good port. What's next? Let's discover together “The Journey” and the new direction of cybersecurity for the coming years... Global Chief Information Security Officer, Isabel María GÓMEZ has long tested experience in security and information technologies, and in the course of her career has specialized in several areas related to security. Some of them are: Risk Management, Cybersecurity, Continuity and Resilience IT, Privacy, Compliance and Digital Transformation. She has also a widespread legal, regulatory, technical, and financial background let her manage and coordinate efficiently different legal and technical areas. Previously, Isabel has had various executive roles reporting direct to CEO in information security in leading companies in their respective lines of business, such as Atento, SegurCaixa, Bankia, and Medtronic.
"The Journey"

[Isabel María Gómez] Cybersecurity is a vocational choice of delivery and service, there is no doubt. What was it that drove you to dedicate yourself to it?

[Stéphane Nappo] Cybersecurity is not only a choice of career or a job, but a choice of life and a spirit of service that a few might want to live or experience. Often people ask me how and where I take the time to live my life, to create a family, to build a house, plant a tree or a garden. In my thoughts. Then in reality. This is how I used to operate with my time, my strategic objectives, knowledge and desires. Am I always right? No! Would I choose a different lifestyle? Maybe not. Did I give up on my job, my colleagues, my projects, the companies who trusted me with cybersecurity and highly confidential business and personal issues? Never did. Never will. Like anyone these days, I am a digital citizen of our world. My peers, colleagues, friends and family can, and do, rely on my experience and expertise. I highly appreciate and treasure this trust. I build on this interest. I try every day to innovate, strategize and live this trust, which is in reality the hope of open hearts and connected minds for our lives. In this respect, global CISO is really a mission that I am proud of. I am grateful for the cooperation and support of my peers, colleagues, followers and partners, in the world and among the very dynamic French SEC in France.
[Isabel María Gómez] All of us who work in cybersecurity know that our day-to-day work is going to take place in a changing environment that requires a lot of "resilience". We are always going to be far from a comfort zone. What are, in your opinion, the skills and virtues that have helped you the most throughout your career in cybersecurity?

[Stéphane Nappo] Thank you for this question, Isabel. The truth is, we are all bound, sometimes blinded, by agreements, legal or personal, and by motives, more often than we would wish for. The most difficult moments are those when we have no crisis situations; when our minds and our senses can and must have tranquillity and serenity. The cybersecurity profession requires and expects devoted professionals to 'never log off'. Am I different? No. Do I, or did I, pay the price for my decades of ever-constant focus and never-resting senses? I did and I do have, like any hyper-committed professional, my fair share of the 'professionally created price to pay'. Obstacles in cybersecurity activities have, like life itself, the 'colours' that we give them. I try to choose the bright and inspiring colours and tunes for the music I play.

[Isabel María Gómez] What has been the innovation that has inspired you the most?

[Stéphane Nappo] Inspired first by my two sons and peoples' cultures, but also by electro and pipe organ music, my forever first love, and twenty-five-plus years of active contribution, is performing as well as possible to make digital places as safe as possible. In life, what first took my absolute attention were the engineering drawings of Leonardo da Vinci. Yes, this memory goes half a century back... Not only did I create my own drawings of motors, airplanes and power plants, but I collected tools and materials, from little bricks and tiny seashells to wheels and compasses. From more recent innovations: the Internet, and applied Artificial Intelligence, of course. Like many professionals around my age, I grew up with the emergence of computers in our lives, and I received a second birth with the arrival of the Internet. And finally, digital photography. Photo art could probably be compared to the art of painting. My masterpieces are, of course, amazing pictures of my two sons and some moments of life. This is the Stéphane Nappo that my colleagues never knew and could only imagine...
[Isabel María Gómez] One of your reference phrases is "Knowledge is the only matter that grows when we share it". In cybersecurity, we sometimes err on the side of secrecy. What are the forums you recommend most to break this tendency?

[Stéphane Nappo] Exactly and precisely the point that I always amplify when speaking at conferences, digital and live events, and meetings with peers and followers. In France, we have professional forums (ANSSI, Campus Cyber, Le CESIN) and specialised conferences (FIC, Les Assises de la Sécurité, Hacktiv' Summit...). Cybersecurity is interconnected and can be a complex matter; we all must teach, train and learn. This is what brings us all together as a community. This is what makes the cybersecurity community so special and valued among professional circles. An incredible open and free platform is the emerging phenomenon of Top Cyber News MAGAZINE, which I highly support and recommend.

[Isabel María Gómez] All of us who work in cybersecurity know that our day-to-day work is going to take place in a changing environment that requires a lot of resilience. We are always going to be far from a comfort zone. What are, in your opinion, the skills and virtues that have helped you the most throughout your career in cybersecurity?

[Stéphane Nappo] From the very first memories that take me to my beloved Provence, in France, through all my future life decisions and actions, I developed a spirit of mission, a sense of eagerness, justice and respect, and a quest for positive and devoted faith in life's purpose. This leads me through all the difficulties, moments of success, doubt dispelling and happiness. As a security pathfinder, board advisor, business enabler and strategist, I believe each CISO must act as a guide with strong leadership and deep pedagogy. Each CISO has to face unpredictability and take responsibility for his or her decisions and actions.

"CISOs Need Strategic Thinking to Be Effective"
Emilio IASIELLO for Top Cyber News MAGAZINE, October 2022 edition

The Chief Information Security Officer, or CISO, is fast becoming one of the more difficult C-suite positions to fill. The CISO role has been plagued with turnover, the average tenure lasting anywhere from 18 to 26 months. This doesn't come as a surprise, as the CISO is inundated with an array of challenges that include a nonstop barrage of diverse cyber threats seeking to exploit the enterprise he watches over, internal competition to secure budgetary resources to aid in his defense efforts, lack of authority to instil necessary change, and convincing the larger C-suite as to why certain security measures are needed regardless of their cost. Indeed, in many ways, the modern-day CISO is the cybersecurity equivalent of Sisyphus, struggling to protect the network enterprise only to see another incident set him back on progress.
[Isabel María Gómez] One of your great passions is sharing your knowledge through writing and public speaking, giving conferences, for example. Where will we be able to listen to you in 2023?

[Stéphane Nappo] Thank you for this question, dear Isabel. My 2023 and beyond plans are continuously in deliberate development and change. It will very much depend on many factors where the role of the global CISO will change, developing me personally while planning and strategizing. From the good news: in France, we have paid vacations. I often use this time... days and weeks... to pre-schedule my speaking arrangements. In the last five years, for example, I delivered keynote addresses or participated in panel discussions in Paris, Zurich, Dubai, Beijing, Moscow, Prague, Berlin, New Delhi, Amsterdam, New York City, Montreal, Porto, Monaco, Deauville-Normandie, Brussels, Miami, Tel Aviv, Casablanca, Nairobi...

[Isabel María Gómez] Have you ever been tempted to leave the world of cybersecurity and redirect your career to another discipline?

[Stéphane Nappo] When times are challenging, like these days and in the foreseeable future, I will be very open and honest. I will never let my personal success or difficulties prevail.

[Isabel María Gómez] One of the main responsibilities a leader has is to work on his or her own skills. Sometimes looking in the mirror is more complicated than it seems. What advice would you give us to keep evolving for the benefit of our teams? What do you think are the keys to working, for example, with the new generations of cybersecurity?

[Stéphane Nappo] Learn from your heart. Give and share your knowledge. When chosen, follow your own choices and decisions. When impossible... do remember: nothing is impossible. There are probably more unknown unknowns to explore and unlock. I see more devotion, more enthusiasm, more aspiring actions and strategic leadership in my younger colleagues than I could imagine just a few years ago. Better understanding, communication and prepared talents are the future of the cybersecurity workforce. I choose to give my knowledge and expertise to my employer, my country, my European and international colleagues and peers. For collective success. For greater than personal, for devoted and desired security and safety for the world. I am a global citizen and I give my all to work well.
Renowned quotes by Stéphane Nappo

"One of the main cyber-risks is to think they don't exist. The other is to try to treat all potential risks."
"It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it."
"If you think you know it all about cybersecurity, this discipline was probably ill-explained to you."
"Even the bravest cyber defense will experience defeat when weaknesses are neglected."
"Education has always been a profit-enabler for individuals and the corporation. Cybersecurity education is a part of the digital equation."
"The five most efficient cyber defenders are: Anticipation, Education, Detection, Reaction and Resilience."
"IoT without security = Internet of Threats."
"Threat is a mirror of security gaps. Cyber-threat is mainly a reflection of our weaknesses."
"Technology trust is a good thing, but control is a better one."
"Digital freedom stops where that of users begins... Nowadays, digital evolution must no longer be offered to a customer in trade-off between privacy and security."
"Privacy is not for sale, it's a valuable asset to protect."
Do remember: "Cybersecurity is much more than a matter of IT."
Let's face it, CISOs are the most sought-after executives in cybersecurity. From start-ups to big companies, they all want to get their products in front of them and win them over as champions. The old way of attempting to build relationships with CISOs is events such as CISO dinners, which only allow for a few hours of interaction and result in 2-3 meetings and possibly one closed deal. These events are losing their effectiveness. CISOs seek new ways to connect with innovative cybersecurity and information security vendors.

The new approach is to create a CISO Advisory Board consisting of security experts who provide advice on the vendor's direction, products, marketing and roadmap, and unbiased advice, as these advisors are not "drinking the kool-aid." The purpose of the CISO Advisory Board is to help the cybersecurity organization gain new insights and advice to solve business problems or explore new opportunities by stimulating robust, high-quality conversations. A CISO Advisory Board acts as a sounding board for the cybersecurity company to bounce ideas off and get access to expertise that might not ordinarily be available. CISO Advisory Boards provide a competitive advantage and help build the company's visibility, credibility and revenues. A properly constructed and executed CISO Advisory Board will foster lasting and meaningful relationships with key prospects and customers of the business.

The vendor is not the only one reaping benefits from a CISO Advisory Board. Since an adequately built CISO Advisory Board comprises security specialists, information security experts, generalists and critical thinkers from diverse backgrounds, the CISO advisors gain knowledge and insights from their peers, enabling them to bring valuable insights back to their own organizations. No organization is too big or small to benefit from a CISO Advisory Board. For a cybersecurity start-up, it can be the difference between success and failure. CISO Advisory Boards are not part of most security organizations' overall corporate strategy, even though the input from a CISO Advisory Board can offer game-changing insight.

Brooke Cook has 20+ years in the cybersecurity executive relationship-building and event space. With a background in business and psychology, Brooke has mastered the niche of building trust in an authentic way with executives around the world and treating them to first-class event experiences. As the CEO and Co-Founder of Security Sisters Network™, Brooke brings her passion, industry knowledge and tenacity to helping her network of over 15,000 CXO relationships stay at the leading edge of their business, cultivate their desire to learn about new products and surround themselves with their peer group for the benefit of their own network.
Troels Oerting, Chairman of the Board at BullWall, Denmark

Qvo Vadis (Cyber) Security?

First, my recommendation is to avoid hype and fearmongering. Humanity will survive the Internet and we should not use or promote 'fear' as a driver for the sale of security solutions. We should instead instigate, defend and promote 'hope' of a safer Internet and digital future and lead the way forward with an optimistic approach.

Secondly, no such thing as 'absolute security' exists. Not in the physical world nor in the digital. Security needs to be driven by proper risk assessment, knowing that no one 'silver bullet' does the trick and that security can be broken from multiple angles and from inside or outside of the network. So we must be realistic in our security level and adapt to the level that secures what's important without limiting, for example, privacy or data protection. More security often means less privacy and usability, and the balance needs to be right and decided after a risk assessment.

The entry into 2023 marks the 43rd anniversary of my start in law enforcement, security and cybersecurity. A lot has happened during these many years, and the speed and complexity of developments have increased. On the other side, I have also noted that the world is still standing, and despite loads of crises, challenges and uncertainty we tend to overcome the majority of problems and move on. Looking back over the many years, knowing that my generation of security experts will be replaced by new enthusiastic ones, I find the time appropriate to share some of my learnings and insight with the coming generations of security experts.

"We, in security, should not promote fear, but protect hope." ~ Troels Oerting

Thirdly, the overall security goal should be resilience. I define resilience in this way: cyber resilience refers to an organization's ability to prepare for, absorb, respond/adapt to and recover from an adverse situation while continuing to function as intended. A strong cyber resilience framework should be adaptable and account for unknown variables, like new types of attacks. By focusing on resilience, the organization is forced to promote a more holistic and inclusive security strategy involving staff, training, HR, legal, communications and other functions important for ensuring that the organization quickly recovers from a cyber incident and gracefully continues with the main business. If somebody from the outside asks a member of an organization's leadership or board 'who is responsible for cybersecurity in this organization' and the answer is 'the CISO', they have got it wrong. The right answer obviously is: 'we are all responsible for cyber security'.

Fourth advice is to prepare. We will all get hacked at some point. We need to plan for how we will operate during such an incident. Who is in the crisis management team? Do we have playbooks on all types of incidents? Do these playbooks outline a communications strategy, a press strategy, a legal strategy (is it legal to pay ransom?) etc.? All organizations, regardless of size, need to develop a security strategy and discuss and decide what to do when you get compromised. And then you should train and exercise this plan and adjust it according to reality. Do a tabletop exercise, test if the plan works and take all relevant factors into consideration. And rule number one: make notes of what you do during an attack. From the first to the last second. We forget, and you need to be able to remember if insurance or regulators ask. Shortly, if you fail to plan, you plan to fail.

Finally, make security attractive. For the company and the staff. Too many CISOs are under too much pressure. Cybersecurity is not the enemy of innovation, marketing or usability. It should be an asset instead. High information security is a positive sales argument, and the tone from the top should be that security is important for companies holding private and sensitive information. Despite war in Europe, inflation, increasing prices and interest rates, deadlock in the US House, a Covid surge in China, geopolitical tension and other global challenges, we will, together, improve cyber security and share more insight faster. I am confident of this.

"Happy New Year and I wish you all in security a great 2023 and thank each and every one of you for your service."

Troels Ørting Jørgensen, Chairman at Bullwall, Expert Member at INTERPOL. Mr. Ørting is a globally recognized cyber security expert. He has been working in cybersecurity 'first line' for over four decades. Throughout his career, Mr. Ørting has worked with governments and corporations to advise on how they react to the increasing international cyber threats, and has worked closely with law enforcement, intelligence services and cyber security businesses. Formerly, with the Danish National Police, first as Director, Head of the Serious Organised Crime Agency and then as Director of Operations, Danish Security Intelligence Service; Deputy Head, ICT Department and Deputy Head, OC Department, Europol, the EU's Police Agency; Head of the European Cybercrime Centre and Head of Europol Counter Terrorist and Financial Intelligence Centre. 2015-18, Group Chief Information Security Officer (CISO), Barclays. Chaired the EU Financial Cybercrime Coalition, of which most banks are partners, and has very strong experience in cyber security. Since 2018, Head of the Centre for Cybersecurity, World Economic Forum. Chairman of the Board of the World Economic Forum Centre for Cybersecurity (C4C).
Francis West, Chief Executive Officer at Security Everywhere, England

Why Your Anti-Virus Is Like The Yellow Pages - Old School And Out Of Date

We do have answers, one of which is a very short, blunt and not particularly politically correct answer. And then of course, there is the answer that we would write! So first, let's be blunt. The answer is that your IT advisors are likely not cybersecurity experts, and so are not on top of the market, nor have they spent years in the cyber security market finding the best tool for the job. They are very likely to have been supplying an antivirus program to their customers, probably from a well-known vendor, and it's not in their interest to go and tell their customers that it is not good enough. In many cases, they probably are not even aware that it's no longer fit for purpose. This only leaves them with the option of telling their customers that the antivirus is protecting them and of course it is good enough! After all, they would look a bit stupid if they went to the customer that they've sold the antivirus to and said, "We know our antivirus solution is a bit rubbish".

To be fair, we can't paint everyone with the same brush, and we know there are some IT companies that have done just as we did and went to their customers and said "we have discovered our solution is no longer fit for purpose, and there is a better one suited to today's needs". This approach probably cost them some customers, as those customers clearly had a high appetite for risk and didn't think the protection was necessary for the additional cost. Some of our clients said "Okay, great. Thank you", while others said "We don't really like the price and are happier with less protection and lower cost". Others simply said "No, we are not going to pay any more and we will be looking for another supplier". This is the main reason why most IT companies will not tell you to do the right thing: they are scared of losing customers and revenue.
So, why is antivirus not good enough? All legacy antivirus relies on database lookups to identify threats. Every single time it does a scan, it effectively has to pick up the Yellow Pages (the list of known viruses and threats) and go through the entire book looking for a match. If it matches a file to something in there, it lists it as a threat. If it can't match it to anything in the book, then it's not a threat and it lets it go. The issue is that this Yellow Pages is growing at the rate of four new entries a second. By the time it's printed, shipped out, and everybody's got their copy, it's out of date by thousands or hundreds of thousands of entries: at four a second that is 345,600 new threats added every single day, and the rate is not decreasing. This basically leaves you with a solution that is just not fit for the purpose of protecting you against new or unknown threats, not to mention that it is not very efficient, as it relies on looking the threats up every time. But, you say, it does protect me against millions of known threats, doesn't it? Surely that is better than nothing!? The problem we face is that the hackers aren't stupid. Why would they use old threats that they know most solutions can block? That's why they're building new ones at four a second: they're looking for ways around existing security. What you actually need is a solution that's going to look for patterns of behaviour rather than doing a lookup in an antiquated system. For want of a better example, it's like the difference between using live facial recognition to identify threats and relying on someone walking around with a photo and holding it up next to everybody to decide who's a threat and who's not. Or even worse, having to use multiple massive libraries of photos if you're talking about a proper criminal database.
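The lookup-versus-behaviour distinction drawn above, as an added example that is not part of the original article and not any vendor's product: a Python hash-lookup scanner (the "Yellow Pages" model) placed next to a small behaviour scorer run over a constructed process-event log. The sample bytes, the hash set, the three heuristics, their thresholds and the event records are all assumptions chosen for illustration.

```python
"""Added example (not from the article): a signature lookup beside a
behaviour-based check, on constructed data. Hashes, heuristics, thresholds
and event records are illustrative assumptions."""
import hashlib
from collections import Counter

# ---- 1. The 'Yellow Pages' model: match a file against a list of known-bad hashes
KNOWN_DROPPER = b"MZ\x90\x00" + b"constructed-dropper-sample-v1"  # constructed 'binary'
REPACKED_DROPPER = KNOWN_DROPPER + b"\x00"  # attacker appends one byte: new hash, same behaviour


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


SIGNATURE_DB = {sha256_hex(KNOWN_DROPPER)}  # the 'book' of catalogued threats


def signature_scan(data: bytes, db=SIGNATURE_DB) -> bool:
    """True only if this exact file has already been catalogued."""
    return sha256_hex(data) in db


# ---- 2. The behaviour model: score what a process does, not what it is
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}
RENAME_THRESHOLD = 20  # assumed: this many renames onto one new extension looks like encryption
MALICIOUS_SCORE = 2    # assumed: require two independent signals before alerting


def behaviour_verdict(events):
    """events: list of dicts {parent, image, action, target} for one process.
    Returns (score, reasons) where score is the number of signals that fired."""
    reasons = []
    if not events:
        return 0, reasons
    parent = events[0]["parent"].lower()
    image = events[0]["image"].lower()

    # Signal 1: an Office document spawning a scripting host or shell.
    if parent in OFFICE_APPS and image in SHELLS:
        reasons.append(f"{parent} spawned {image}")

    # Signal 2: a burst of renames onto one new extension.
    renames = Counter(e["target"].rsplit(".", 1)[-1]
                      for e in events if e["action"] == "file_rename")
    ext, count = (renames.most_common(1) or [("", 0)])[0]
    if count >= RENAME_THRESHOLD:
        reasons.append(f"{count} files renamed to .{ext}")

    # Signal 3: deleting Volume Shadow Copies, which defeats local recovery.
    if any(e["action"] == "exec" and "vssadmin" in e["target"].lower()
           and "delete shadows" in e["target"].lower() for e in events):
        reasons.append("shadow copies deleted")

    return len(reasons), reasons


def is_malicious(events) -> bool:
    score, _ = behaviour_verdict(events)
    return score >= MALICIOUS_SCORE


# ---- Constructed event logs (not captured from any real host)
def _evt(parent, image, action, target):
    return {"parent": parent, "image": image, "action": action, "target": target}


RANSOMWARE_LIKE = (
    [_evt("WINWORD.EXE", "powershell.exe", "exec", "powershell.exe -nop -w hidden")]
    + [_evt("WINWORD.EXE", "powershell.exe", "file_rename",
            f"C:\\Users\\alice\\Documents\\report{i}.docx.locked") for i in range(25)]
    + [_evt("WINWORD.EXE", "powershell.exe", "exec",
            "vssadmin.exe delete shadows /all /quiet")]
)

BENIGN_BACKUP = [
    _evt("explorer.exe", "backup.exe", "file_rename", f"D:\\backup\\photo{i}.jpg.bak")
    for i in range(30)
]

if __name__ == "__main__":
    print("known sample, hash lookup:   ", signature_scan(KNOWN_DROPPER))
    print("repacked sample, hash lookup:", signature_scan(REPACKED_DROPPER))
    print("ransomware-like, behaviour:  ", behaviour_verdict(RANSOMWARE_LIKE))
    print("benign backup, behaviour:    ", behaviour_verdict(BENIGN_BACKUP))
```

Appending a single byte is enough to take the repacked sample out of the "book", while the behaviour scorer still fires on all three signals because the actions did not change. The benign backup job trips the mass-rename signal alone and stays below the alert threshold, which is the other half of the design: a behaviour engine needs several independent signals, or it trades signature blindness for false positives.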
In short, you get what you pay for in life: cheap can be nasty, and if the advice is not coming from a confirmed expert or authority on the subject, make sure you take a look around and ask what their motivation for supplying you actually is. And remember! Antivirus is usually sold as a product, and proper cyber security is sold as a managed service!

Francis West, Chief Executive Officer at Security Everywhere, is on a mission to inform and advise a million business owners on how to stay cyber safe so they can maximise the advantages of technology whilst minimising the risks. Having started his career in the African Army, Francis moved to the UK and built a million-pound IT support company. In both professions, his motivation has been to protect others from potentially destructive and devastating threats. Successes in that first IT business included redesigning a bespoke, cloud-based, global recruitment platform and contributing to the design and launch of a remote desktop solution for Randstad. Whilst providing managed security services for large enterprises, Francis realised there was a lack of information and support tailored to SMEs. In 2010, he launched Westtek Solutions to educate SMEs on cyber vulnerability and provide a complete security service. This was followed by Security Everywhere, a partnership with Graeme Ison. They provide SMEs with 5 easy, affordable and comprehensive layers of cyber protection, within 24 hours. Francis' expertise in his field is widely recognised. He sits on 5 cyber security panels and is the Cyber Security National Lead for the FSB (Federation of Small Businesses). As a mentor for CompTIA, he is also involved in educating the technology gurus of the future.
Taking Ownership of Risk
by Allan Alford

One of the pivotal moments in becoming a leader in cybersecurity occurs when the newly minted leader decides to postpone addressing a particular finding from the team for reasons of budget, schedule, business priorities, etc. This critical moment separates successful practitioners (who should advocate for addressing cybersecurity risks) from successful cybersecurity leaders (who should advocate for doing the right thing for the organization, which might well include deprioritizing a given cybersecurity risk). If this moment is pivotal in the initial transition to cybersecurity leadership, then perhaps it serves to establish a trend for future leadership roles in cybersecurity as well. As one rises in leadership ranks, one should inherently become more aware of the surrounding environment, of the needs and drivers of peer departments, and of higher-order objectives and goals for the entire organization. If such knowledge is expected of a cybersecurity executive, then that same moment where the fresh cybersecurity leader makes the call not to address a given risk due to higher-order concerns should occur more frequently as the leader gains more perspective on the greater organization. To put it another way, CISOs should take more risks than directors, who take more risks than managers, who take more risks than individual contributors.

It can be argued that business is nothing more than taking risks, hoping they are the smartest risks vs. your competitors, vs. time itself, and vs. market demand. Take the smart risks and profit. Take the wrong risks and lose. Investment is risk. Further, all business innovation is also by definition risk. What if the newness of a given product or service prevents its being understood or adopted? Ingenuity, as with all business moves, requires wilful risk. It is important for CISOs to remember this as they dive into their 2023 risk management plans: that wilful risk is not just acceptable, but integral and necessary to the success of the organization.

CISOs debate often about who owns any given cybersecurity business risk as identified by the CISO's team. Most CISOs will tell you that the CISO's role is to point out the risk, to clarify it, to advise on its disposition and let "the business" own the risk. One can argue, however, that there is an intrinsic flaw in that argument, as indicated by its nomenclature. "The business" is not something that exists over there while the cybersecurity team is over here. To refer to the rest of the organization as "the business" is to divorce oneself from one's vital leadership role in the business. The mantra is not "Enable the business!" The mantra is "Be the business!" To this end, CISOs need to bear more ownership of risk despite conventional approaches.
If this model is valid, then the CISO's ownership of risks and of specific risk acceptance should grow commensurate with the awareness of the greater organization. By the time one has achieved the CISO rank, one should see oneself first and foremost as a vital co-leader of the business, as a peer to other business leaders from other departments, and as someone who is well informed as to those other leaders' goals, drivers and obstacles. The "Chief" in "Chief Information Security Officer" mandates business leadership over cybersecurity leadership. Getting back to the CISO debate as to risk ownership, the conclusion that unfolds regarding the cybersecurity leadership trajectory is that the CISO is as much a risk owner as their fellow executive business leaders, and no less so. One cannot be the business without inheriting risk ownership, in other words. That ownership is shared across all the business leaders, and the CISO does not have an inherent right to claim an advisory-only role with regards to any given risk they have identified. The ownership of risk is mutual and mandated for all executives.

The CISO job is hard. The hours are long, the stakes are high, and the stress levels seldom dissipate. Often CISOs are scapegoated, being summarily dismissed when a risk they pointed out to the business months ago turns into an active incident. CISOs are held accountable and blamed for things they often have no authority over. Every CISO, no matter how competent, devotes some portion of their thinking to a fear of an untimely end to their role.

Given this climate, how can CISOs embrace risk ownership? Part of the solution is in addressing this notion of accountability without authority. Step One is for the CISO to do what they have (presumably) always done: identifying and categorizing risks to surface to their fellow business leaders. Not to the business, but to their fellow leaders. The CISO should then have a recommendation at the ready for the risks being addressed and should firmly and clearly state that recommendation. The CISO should then state that, "It is my recommendation that we..." Being firm on disposition while encouraging mutual ownership begins the process. Note that this approach can never be embraced until the CISO has internalized it and applied it to their own personal career risk: "I am accepting and owning some career risk with each business decision I make. This is the price of executive leadership, and I will not let it worry me as I charge forward in my role."

The vital aspect of this method is two-fold: First, the CISO is not shirking or dodging, avoiding, or placing themselves in a position of helplessness. The CISO is demonstrating authority by publicly declaring accountability. Authority is given far less than it is taken, and authority is rarely successfully held by those who do not publicly own the outcomes of authority, both good and bad. For the CISO who embraces this philosophy and approach, Step Two manifests in two ways: One: Authority has grown to meet the accountability that the CISO led with. Two: Career risk is actually diminished, not increased, due to the CISO's demonstrating real leadership, real ownership, real business savvy, and real accountability from a business standpoint. To demonstrate these qualities is to weather at least most storms that might blow in when a given risk-taking decision backfires. We all are capable of gambling on the wrong outcome. Doing so with authority and accountability, doing so with the mutual respect of peers who recognize that accountability has been maintained, most likely results in commiseration rather than termination. To paraphrase the common saying, "Accountability is everything."
Allan Alford, United States

CISO and cybersecurity consultant Allan Alford has led security functions in companies from 5 employees to 50,000 and executes a risk-based approach to security, as well as compliance with many frameworks. With a Master of Information Systems & Security, a Bachelor of Liberal Arts with a focus on Leadership and twenty-plus years in information security, Allan has served as CISO five times in four industries, with a strong history in technology, manufacturing, telecommunications, litigation, education, cybersecurity and more. He parlayed an IT career into a product security career and then ultimately fused the two disciplines. This unique background means that Allan approaches the CISO role with a highly business-aligned focus and an understanding of an organization's greater goals, drivers, methods and practices. Allan Alford gives back to the security community via The Cyber Ranch Podcast, by authoring articles, speaking at conferences, teaching, mentoring, and coaching aspiring CISOs.

About Allan Alford Consulting
Mr. Alford launched his boutique cybersecurity consulting practice in 2022, with the intention of helping organizations efficiently implement and manage security programs and projects. Allan keeps the practice small, bringing in a hand-selected team of subject matter experts only as required, to forge long-term relationships with each client and to intimately understand and fulfil each organization's unique needs.
Cybersecurity Leadership
by Steve King

Given my background, I empathize with Cybersecurity leadership and can’t imagine trying to do the job at current expectation levels during the storm in which we find ourselves. The competition between business unit owners driving toward the 4th industrial revolution, pockets of shadow IT running unknown quantities of cloud sessions, increased dependencies on supply-chains, open-source everywhere, new heights of network complexity, a lack of available resources to fill the gaps, and increased sophistication and smarter attacks from cyber-criminals along with promises of safety and security from 4,000 point solution vendors would drive anyone crazy. If you have a CISO who appears to be keeping the lights on, make sure s/he is happy. For every competent CISO, there must be a dozen who aren’t.

But CISO leadership is not limited to technology choices, maturity programs, operations and governance and the provisioning of adequate detection and protection capabilities to assure a computing environment is safe from bad guys. It is responsible to the company and shareholders to do everything possible to assure maximum protection and the implementation and support of well-thought out and carefully designed layers of defense, leveraging the best and most effective technology tools, the optimal use of available resources, the appropriate levels of education and training delivered to the right people at the right time and communication with C-suite and Board members at a level where both sides can operate from the same page of the play book, at all times.

In addition, in most corporate IT environments, the relationships between the IT leaders and the security leaders appear opposed or operate with a substantial amount of friction. One requires the absolute cooperation with the other to enable their programs and achieve their goals, cooperation that is not always forthcoming. The relationship between the board, C-suite and the CISO is often ill-suited to the execution of actionable programs as the definitions of accountability and responsibility are soft-pedalled and generally ignored by the senior party. This translates to responsibility and even accountability on paper but not extended in fact or downright withheld in practice, leading to mistrust and an inordinate amount of anti-productive meetings, analysis and proposals.

My experience is that the board simply does not trust either the IT or Security leadership; they don’t trust that either team understands the business nor could make the right executive decisions were they in charge, and as a consequence, the board will not relinquish the reins of leadership outside of their domains. The CISO doesn’t seem to be able to grasp business basics or understand, for example, the notion of risk transfer.

We hear frequently that 99% of the global business leaders claim cyber risk is the greatest risk facing our economy and when Fed Chairman Jerome Powell said on 60 Minutes that the greatest risk to the economy is cyber risk, we assume that our business leaders are all on the same page. They don’t worry about inflation, another financial crisis or another pandemic — they worry about cyber risk. The World Economic Forum (WEF) Global Risk Report 2021 tells us that the top three short-term risks to the world, as defined by its survey of 650 WEF leaders, are infectious disease, income inequality and extreme weather events. The fourth is cybersecurity. Nearly 40% of WEF leaders cited cybersecurity as a “clear and present danger” to the global economy. While we have seen some degree of global cooperation around the first three issues, we have not seen that same level of cooperation around cybersecurity.

The Convention on Cybercrime (AKA the Budapest Convention) has been ratified by 65 nations, but focuses primarily on nation states assisting each other in the prosecution of cybercrimes, not addressing today’s nation states attacking private sector companies at will. Are 65 countries asleep at the wheel or have they all signed up for Chinese protection under the BRI initiative? Even though we have seen these attacks in action now for years, we still have no Convention-like treaty that establishes rules of engagement for nation states in cyberspace and provides a legal framework for the international prosecution of violators. And as a consequence, nothing will change the global landscape for private or public leadership with regard to cyber-crime and cyber-attacks. Without modernized laws at a whole of global government level, it is impossible to impress upon the decision makers in private companies to break from the pack. Risk transfer will remain the Sleepeze for board members unless and until our CISO leadership community determines that it is their responsibility to force reality into their presentations in a way that the board can both grok and understand the details of liability as they relate to their fiduciary responsibilities. Or until Cyber-insurance disappears as a risk-transfer option. Until then, business as usual.

As a result, without changing the way that CISOs manage within their organizations, the lack of leadership will always be one of the great Achilles’ heels of the Cybersecurity space. It is the equivalent of laws that protect retail criminals from prosecution if all they steal is valued at or under $950. As even casual observers will recall, it only took Colonial one day to decide on a $5 million ransomware payment, in spite of aggressive Federal and Law Enforcement advice to the contrary. That is risk transfer in action and it did nothing to help prevent another attack, either to Colonial or its brethren’s pipeline companies worldwide.

“What we need is for the CISO to step into the breach – to embrace a true leadership role – which translates to defining a path forward that will minimize the probability of a catastrophic event. It is now time for the CISO to report directly to the CEO or the BOD. We are swimming in a new ocean now and if we expect CISOs to be held accountable with personal liability and fiduciary care duty, then s/he needs to have the appropriate reporting and decision authority as well.”

Following the Joe Sullivan verdict, I will be surprised if our next shortage isn’t the CISO role itself. Would you risk 8 years behind bars to defend a dysfunctional company’s assets without controls or authority for $500K a year? Of course not, and when Sullivan’s sentencing becomes real for folks, there will be few willing to take that risk.

True leadership means having the courage to architect and promote an alternate approach to layered, defense in depth security models. It means embracing an enterprise-wide Zero Trust strategy. One that begins with third party assessment, a rigorous identification of critical assets, an isolation of these assets through micro-segmentation and access protection through granular identity management and policy engines with a fully saturated monitoring of lateral activity beyond initial entry through to behavior while on the networks and upon session exits, the dedication of fully staffed cybersecurity hygiene programs, and the discipline to adhere to best practices throughout. It means translating that strategy into language that the board will understand and contextualized outside the standard threat/consequence matrix, so that professional risk decision makers can make determinations aligned with realities that they can now understand. We may not be able to fix leadership issues at the national or international levels, but nothing stops us from doing so within our own domains. Other than fear.
Mr. Steve KING is the Founding Board Member and Managing Director of CyberEd.io, the leading Cybersecurity Education On-line Learning program in the world. His other day-job is helping Cybersecurity clients get their brand story, positioning statements and messaging squared to the appetite of their targeted audience, as Managing Director of CyberTheory, a full service digital marketing, branding and advertising company. Both organizations are part of the ISMG global media family, the largest media group in the world focused only on Cybersecurity. Education in Cybersecurity is Steve’s passion and he feels lucky to have this amazing, broad, popular, far reaching and active ISMG network to promote and advise on their way toward CyberEd.io’s North Star, which is to CLOSE THE GAP in Cyber education.

Steve got his start in InfoSecurity as a co-founder of the Cambridge Systems Group, which brought to market ACF2, the [still] leading data security product for mainframe computers; Cambridge sold their product suite to CA back in the 1980s. In the year 2000, as businesses struggled to get their message out to the web, Steve started a few businesses to help make that easier: from ESI, a digital branding business that helped companies like Harley-Davidson, Abercrombie and Fitch and Lucky Brands get to the digital markets, to Blackhawk Systems Group, an early player in the SIEM/SOC/MSSP space. Blackhawk and its partners aggressively pursued the Chinese markets between 2012 and 2017, setting up offices in Beijing, Shanghai and Shenzhen. Many consider Steve an expert in Chinese Cybersecurity as a result. Prior to the focus on Cyber, Steve served as CIO for a large, international Computer and Storage Systems manufacturing company, with responsibility for both IT and OT.
People Are The Crown Jewels
Anne Leslie, Cloud Risk and Controls Leader Europe at IBM Cloud for Financial Services

Anne Leslie is Cloud Risk and Controls Leader Europe at IBM Cloud for Financial Services where she focuses on supporting financial institutions to securely accelerate their journey to the cloud and transform their cybersecurity operations to adapt to a hybrid multi-cloud reality. An accomplished public speaker, Anne is a passionate advocate for upskilling initiatives related to cyber talent transformation and applying human-centered approaches to some of the most wicked problems facing cybersecurity practitioners. Irish by nature and French by design, Anne lives happily with her three children in Paris, France which has been her home now for over twenty years.

In the context of cybersecurity, people are frequently referred to as an organization’s biggest vulnerability. And while there is an element of truth to that assertion, it is a framing that negates the hugely positive impact that harnessing human energy, engagement, and commitment can have on an enterprise cybersecurity program. The truth is that, with the right enablement and environment, people will naturally want to contribute because as humans we are motivated by being of service and united in something that is bigger than ourselves. Cybersecurity professionals are often characterized by an innate drive to protect. To many practitioners, information security is much more than a job; it's a cause they want to defend. The most progressive organizations are exploring how to leverage human-centred methods, such as design thinking, as a way of identifying how to design security programs that channel the best of what makes us human and complement these capabilities with processes and tooling that augments people’s skills instead of hindering them.
Such an approach involves interacting with cybersecurity practitioners and enquiring of them, “How might we go about making your day go better? How could we go about allowing you to have more impact? What might we be able to do to take obstacles out of your way?” Again, these are seemingly simple questions. However, rare are the organizations where such questions get asked and where the answers are genuinely acted upon. While many cybersecurity professionals start out in their careers with a powerful desire to serve and defend, the weight of organizational bureaucracy, misaligned objectives, and executive disinterest can end up diluting even the most robust resolve. Leaders who are authentically seeking to enable their cybersecurity team to achieve a bigger collective impact for the business and more individual fulfilment should never underestimate the power of consistently showing that they care about their people.
Introducing Risk Level Agreements™ (RLA) for the C-suite and the Board
Scott D. Foote, Managing Director at Phenomenati Consulting

To facilitate discussions between executive teams and their boards, Phenomenati has created the concept of Risk Level Agreements™ (RLAs) (www.risklevelagreements.com) which concretely document an organization’s Risk Tolerance ("Appetite"), strategic Risk Profile and the decisions made regarding how those Risks will or will not be addressed. Phenomenati refers to these as “agreements” because they codify the shared awareness, assessment, negotiation, and decisions between the organization’s leadership and its infrastructure providers (both internal and external), with respect to the balance of benefits, costs, and Risks in any aspect of the business. The RLA then becomes a formal business record, persisting the context and tradeoffs of critical business decisions, across changes in the organization, until such time as any decision needs to be revisited.

Typically, development of RLAs will include a series of quarterly Executive team meetings that employ high-level Risk Scenarios to support cross-functional, collaborative decision making regarding whether the leadership team Accept, Reject, Mitigate, and/or Transfer each identified strategic Risk. While these RLAs greatly improve strategic level planning and reporting, they also provide very clear corporate records which concretely demonstrate the Due Diligence and Due Care applied to the organization’s overall Risk Management efforts.

Each RLA includes discussion of 6 key topics, discussed briefly below: the organization’s Risk Tolerance, Risk Scenarios, Inherent Risk, Recommended Controls to mitigate risk, Risk Mitigation Decisions, and remaining Residual Risk that is either accepted, transferred, or avoided.

Risk Tolerance

Each Phenomenati RLA begins by documenting the organization’s current benchmark for Risk Tolerance. The U.K.’s Institute of Risk Management defines Risk Tolerance or Appetite as “the amount and type of risk that an organization is willing to take in order to meet their strategic objectives”.

A qualitative approach to characterizing an organization’s Risk Tolerance/Appetite might use a subjective spectrum from “Risk Averse – to Risk Neutral – to Risk Seeking”. A quantitative approach to characterizing an organization’s Risk Tolerance/Appetite might use an objective, numerical threshold to describe specific levels of acceptable loss (e.g., % of revenue lost). In practice, most organizations find that their Risk Tolerance is situationally dependent upon the circumstances of each specific Risk Scenario that has been identified. So, a single “threshold” value is often impractical.

Risk Scenarios

Any serious discussion about “Risk” must transform abstract concepts into concrete expressions using concepts such as the “Risk Scenarios” mentioned above. A “Risk Scenario” begins with identifying a specific Threat that is directly relevant to specific Assets of the organization (e.g., business systems or business information). Discussion of Threats should include the Likelihood or anticipated frequency of each Threat materializing.

  • e.g., a threat actor attempts to steal customer records, 4-5 times per year.

Next, across the organization, any Vulnerabilities relevant to that Threat are identified. This should include the Severity of the Vulnerability.

  • e.g., use of single-factor authentication [weak passwords] on accounts with bulk access to customer records.

Finally, the potential Impact of specific Threats exploiting specific Vulnerabilities is characterized in terms of Consequences to the business (e.g., potential losses). These Consequences should be assessed both qualitatively and quantitatively.

  • e.g., a possible $xM in regulatory fines, a potential 20% loss of customers, and potential 35% drop in revenues due to reputation damage.

To effectively characterize each Risk in terms of numeric “amounts”, Phenomenati applies conventional Risk Assessment discipline including both Qualitative and Quantitative assessment of each Risk Scenario that has been identified. Deeper explanation of Risk Assessment techniques is a topic for another article.

ID: R0001
  Risk Type: Legal, Reputational (Cyber)
  Qualitative assessment (metrics scored 1-5)
    Threat (5): Criminal Theft / Extortion
    Vulnerability (4): Need to improve Data Loss Prevention. Do not adhere to Least Privilege principle. Need to improve Segregation of Duties. End-point Protection on cloud assets. Monitoring & Detection on cloud assets not well integrated into Security Ops (Sophos 24x7 SOC service). Need to review the protections on DevOps pipeline.
    Consequences (5): First Party Privacy Breach - Loss of Client Confidential material
    Risk Level (0 - 25): 22.5
  Quantitative assessment
    SLE: $4,000,000   ARO: 0.25   Annualized Loss Expectancy (SLE x ARO = ALE): $1,000,000

Figure 1 - Example “Risk Scenario”

The example “Risk Register” in the diagram below includes a short set of example Risk Scenarios (rows) where each has been Qualitatively and Quantitatively assessed. Those aggregate Risk “scores” appear in columns to the right, and are used to prioritize the overall list of Risks as well as inform subsequent Business Cases (e.g., Cost-Benefit Analyses) regarding investment in additional Controls.

Inherent Risk

Inherent Risk is traditionally thought of as the “untreated” risk in a process or activity. Meaning nothing has been done to either reduce the “likelihood”, or mitigate the “impact”, of potential threats. In Phenomenati’s RLAs, the Inherent Risk is captured as the collection of potential Consequences from the Risk Scenarios that have been identified. Effective methods for communicating the set of “Inherent Risks” to an organization include: a tabular “Risk Register”, and/or a simple “Risk Matrix” diagram.
[Risk Matrix figure: a 5 x 5 grid of Likelihood (1-5, horizontal axis) against Impact (1-5, vertical axis), each cell holding the product Likelihood x Impact (1 to 25), with scenarios R0001 through R0020 plotted on it. Below the grid: Current Aggregate Risk (Risk Landscape, ACTUAL): $10,940,000.]

The very familiar example of a “Risk Matrix” in the diagram above illustrates how the Qualitative scores for each of the Risk Scenarios from the Risk Register can be plotted along the traditional attributes of “Likelihood” and “Impact”. Risks to the upper right of the risk matrix (in the yellow, orange, or red cells) are typically considered to have Inherent Risk that is above the organization’s Risk Tolerance. Below the matrix, the “Current Aggregate Risk” sums up the Quantitative monetary values of the current Risk Scenarios from the Register. Presenting this value along with the traditional Risk Matrix has proven to be a powerful catalyst for discussion among Executive Leadership teams, as well as with Boards.

Risk Level Agreements™ (RLAs) - Example “Risk Register” (Risk Levels: Qualitative Assessment, metrics scored 1-5 and Risk Level 0 - 25; Quantitative Assessment: SLE, ARO, Annualized Loss Expectancy (SLE x ARO = ALE))

ID: R0001
  Risk Type: Legal, Reputational (Cyber)
  Threat (5): Criminal Theft / Extortion
  Vulnerability (4): Need to improve Data Loss Prevention. Do not adhere to Least Privilege principle. Need to improve Segregation of Duties. End-point Protection on cloud assets. Monitoring & Detection on cloud assets not well integrated into Security Ops (Sophos 24x7 SOC service). Need to review the protections on DevOps pipeline.
  Consequences (5): First Party Privacy Breach - Loss of Client Confidential material
  Risk Level: 22.5
  SLE: $4,000,000   ARO: 0.25   ALE: $1,000,000

ID: R0002
  Risk Type: Operational, Legal, Reputational (Cyber)
  Threat (5): Ransomware
  Vulnerability (4): Need to improve Data Loss Prevention. Do not adhere to Least Privilege principle. Need to improve Segregation of Duties. End-point Protection on cloud assets. Monitoring & Detection on cloud assets not well integrated into Security Ops (Sophos 24x7 SOC service). Need to review the protections on DevOps pipeline.
  Consequences (5): Loss of Availability of the SaaS platform leads to Reputation damage (loss of Trust, Credibility) and Lost Business (clients, revenue)
  Risk Level: 22.5
  SLE: $2,000,000   ARO: 0.5   ALE: $1,000,000

ID: R0003
  Risk Type: Operational, Legal, Reputational (Cyber)
  Threat (4): Compromise of Service, Injection of Malicious Software into the SaaS offering
  Vulnerability (5): End-point Protection on cloud assets. Need to review protections on DevOps pipeline. Need to expand/improve Application Security Testing (AST) (e.g., scanning of all sw dependencies).
  Consequences (5): Loss of Integrity in SaaS Infrastructure leads to loss of either Client or Company Intellectual Property (IP), damages valuation.
  Risk Level: 22.5
  SLE: $5,000,000   ARO: 0.2   ALE: $1,000,000

ID: R0011
  Risk Type: Legal, Reputational (Cyber)
  Threat (5): High Expectations of Security & Privacy from Prospects
  Vulnerability (4): Overall Information Security & Privacy Program has not yet been certified.
  Consequences (4): Lost revenue opportunities. Losses to valuation in financing rounds.
  Risk Level: 18
  SLE: $1,000,000   ARO: 4   ALE: $4,000,000

ID: R0004
  Risk Type: Operational, Legal, Reputational (Cyber)
  Threat (3): Insider Threat
  Vulnerability (4): Administrative Controls need improvement: e.g., background checks for privileged staff w/ "Need to Know"; more specific policies on Data Classification, Access Control, Data Handling, Data Retention; add'l NDAs; special access training; team experienced with Insider Threat Investigations. Technical Controls need improvement: Need to improve Data Loss Prevention. e.g. No monitoring of Annotators while in system. e.g. No monitoring of engineering and operations staff w/ full privileged access. e.g., No UAM/UBA platform to tune/monitor User Behavior effectively. Physical Controls TBD.
  Consequences (5): Loss of Client Confidential intellectual property leads to Reputation damage (loss of Trust, Credibility) and Lost Business (clients, revenue)
  Risk Level: 17.5
  SLE: $4,000,000   ARO: 0.5   ALE: $2,000,000

Figure 2 - Example “Risk Register”
Recommended Controls

For the highest priority Risk Scenarios, Controls (also called countermeasures) which may directly impact each scenario are enumerated and assessed for practicality. Some controls will attempt to reduce the Likelihood of a specific Threat exploiting a Vulnerability, e.g., use of 2FA for privileged accounts. Some controls will attempt to reduce the Impact of a possible compromise, e.g., use of backups or replication, or obfuscation/tokenization of customer information. Each Control is assessed for practicality based upon Benefits (e.g., reduction in Likelihood or Impact to reduce the Risk), related Costs, and any additional Risk use of the Control may introduce.

For each Risk Scenario, Phenomenati’s RLA captures the current inventory of Recommended Controls using a simple table called a “Control Matrix”. The example in the diagram above illustrates how Controls might be proposed and communicated to a non-technical audience, in support of an RLA discussion, for the common Risk Scenario of “Insider Threat” (InT). Note that each Control is placed in the matrix based upon the Control Type (Administrative, Physical, or Technical) and the Control Objective (Preventative, Detective, or Corrective).

Figure 4 - Example “Control Matrix”

The total Costs of the recommended Controls are estimated and then added to the evolving Risk Register (see the diagram below) to support the Cost-Benefit Analysis of the proposed investment (ref. the far right columns). Simplistically, quantitative reductions in Risk that outweigh the associated Cost of additional Controls are considered a good investment. A deeper discussion of this Cost-Benefit Analysis is out of scope for this article.
Risk Level Agreements™ (RLAs) - Example “Risk Register” Including Simple Cost-Benefit Analysis (Figure 2 columns, plus Controls: annualized cost by Control Type (Administrative, Physical, Technical) and total Annualized Cost, and a Cost/Benefit Analysis column; in every row shown the Cost/Benefit value equals ALE divided by Annualized Cost). Risk Type, Vulnerability and Consequences text are as in Figure 2.

ID: R0001 - Threat (5): Criminal Theft / Extortion; Vulnerability 4; Consequences 5; Risk Level 22.5
  SLE: $4,000,000   ARO: 0.25   ALE: $1,000,000
  Controls: Administrative $100,000; Physical $-; Technical $100,000; Annualized Cost $200,000
  Cost/Benefit Analysis: 5.00

ID: R0002 - Threat (5): Ransomware; Vulnerability 4; Consequences 5; Risk Level 22.5
  SLE: $2,000,000   ARO: 0.5   ALE: $1,000,000
  Controls: Administrative $100,000; Physical $-; Technical $300,000; Annualized Cost $400,000
  Cost/Benefit Analysis: 2.50

ID: R0003 - Threat (4): Compromise of Service, Injection of Malicious Software into the SaaS offering; Vulnerability 5; Consequences 5; Risk Level 22.5
  SLE: $5,000,000   ARO: 0.2   ALE: $1,000,000
  Controls: Administrative $100,000; Physical $-; Technical $100,000; Annualized Cost $200,000
  Cost/Benefit Analysis: 5.00

ID: R0011 - Threat (5): High Expectations of Security & Privacy from Prospects; Vulnerability 4; Consequences 4; Risk Level 18
  SLE: $1,000,000   ARO: 4   ALE: $4,000,000
  Controls: Administrative $300,000; Physical $-; Technical $500,000; Annualized Cost $800,000
  Cost/Benefit Analysis: 5.00

ID: R0004 - Threat (3): Insider Threat; Vulnerability 4; Consequences 5; Risk Level 17.5
  SLE: $4,000,000   ARO: 0.5   ALE: $2,000,000
  Controls: Administrative $100,000; Physical $-; Technical $5,000,000; Annualized Cost $5,100,000
  Cost/Benefit Analysis: 0.39

Figure 5 - Example “Risk Register” Including Simple Cost-Benefit Analysis
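The arithmetic the example registers encode (the 0-25 Risk Level, ALE = SLE x ARO, the aggregate under the risk matrix, the Cost/Benefit column) plus the residual-risk-against-tolerance comparison that the RLA's Residual Risk step calls for, as an added worked example in Python. This is not code from the article or from Phenomenati. The five rows are transcribed from the article's Figure 5; the Risk Level formula ((Threat + Vulnerability) / 2) x Consequences is an inference that reproduces every score shown (the article does not state its formula); the per-scenario control-effectiveness fractions and the $500,000 tolerance are assumptions made for the demonstration. It also computes a net annual benefit the article's ratio lacks: ALE / Cost silently assumes the controls remove the entire loss, so a practitioner should subtract the residual ALE before calling an investment good.

```python
"""Risk-register arithmetic behind Risk Level Agreement style reporting.

Added worked example, not the article's or Phenomenati's tooling. The five
scenarios are transcribed from the article's example register (Figures 2/5).
The qualitative formula ((Threat + Vulnerability) / 2) x Consequences is an
inference that reproduces every 0-25 Risk Level shown; the article does not
state it. Control-effectiveness fractions and the tolerance threshold are
assumptions made for this demonstration.
"""
from dataclasses import dataclass


@dataclass
class RiskScenario:
    risk_id: str
    threat: str
    threat_score: int          # 1-5, capability/frequency of the threat
    vuln_score: int            # 1-5, severity of the exploitable weakness
    impact_score: int          # 1-5, severity of the business consequences
    sle: float                 # Single Loss Expectancy, $ per occurrence
    aro: float                 # Annualized Rate of Occurrence
    control_cost: float = 0.0  # annualized cost of recommended controls, $

    def likelihood(self) -> float:
        """Qualitative likelihood: mean of threat and vulnerability scores."""
        return (self.threat_score + self.vuln_score) / 2

    def risk_level(self) -> float:
        """0-25 score = likelihood x impact, i.e. the risk-matrix cell value."""
        return self.likelihood() * self.impact_score

    def ale(self) -> float:
        """Inherent (untreated) Annualized Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro

    def cost_benefit_ratio(self) -> float:
        """The register's far-right column: inherent ALE / annualized control
        cost. It silently assumes the controls remove the whole ALE."""
        return self.ale() / self.control_cost

    def residual_ale(self, aro_cut: float, sle_cut: float = 0.0) -> float:
        """ALE left after controls that cut ARO (likelihood-reducing controls)
        and/or SLE (impact-reducing controls) by a fraction in 0..1."""
        return self.sle * (1 - sle_cut) * self.aro * (1 - aro_cut)

    def net_annual_benefit(self, aro_cut: float, sle_cut: float = 0.0) -> float:
        """Dollar risk reduction minus control cost; fund only if positive."""
        return self.ale() - self.residual_ale(aro_cut, sle_cut) - self.control_cost


# Constructed input: rows transcribed from the article's Figure 5. The article's
# $10,940,000 aggregate covers 20 scenarios; only these five are reproduced.
REGISTER = [
    RiskScenario("R0001", "Criminal Theft / Extortion", 5, 4, 5, 4_000_000, 0.25, 200_000),
    RiskScenario("R0002", "Ransomware", 5, 4, 5, 2_000_000, 0.5, 400_000),
    RiskScenario("R0003", "Compromise of Service / malicious software in SaaS", 4, 5, 5, 5_000_000, 0.2, 200_000),
    RiskScenario("R0011", "Security & privacy expectations of prospects", 5, 4, 4, 1_000_000, 4.0, 800_000),
    RiskScenario("R0004", "Insider Threat", 3, 4, 5, 4_000_000, 0.5, 5_100_000),
]

# Assumed effectiveness of each scenario's control package: fraction of ARO removed.
ASSUMED_ARO_CUT = {"R0001": 0.75, "R0002": 0.75, "R0003": 0.75, "R0011": 0.9, "R0004": 0.5}


def aggregate_risk(register: list[RiskScenario]) -> float:
    """'Current Aggregate Risk' shown under the risk matrix: sum of inherent ALEs."""
    return sum(r.ale() for r in register)


def prioritize(register: list[RiskScenario]) -> list[str]:
    """Order scenarios for the executive discussion: qualitative score first,
    ALE as tie-breaker. The stable sort keeps register order for full ties."""
    ranked = sorted(register, key=lambda r: (r.risk_level(), r.ale()), reverse=True)
    return [r.risk_id for r in ranked]


def residual_decisions_needed(register: list[RiskScenario],
                              aro_cuts: dict[str, float],
                              ale_tolerance: float) -> list[str]:
    """IDs whose residual ALE still exceeds the (assumed) dollar tolerance after
    the recommended controls: each needs an explicit Accept/Transfer/Avoid call."""
    return [r.risk_id for r in register
            if r.residual_ale(aro_cuts.get(r.risk_id, 0.0)) > ale_tolerance]


if __name__ == "__main__":
    print(f"{'ID':6}{'Level':>6}{'ALE':>12}{'Cost':>12}{'ALE/Cost':>9}{'Net':>12}")
    for r in REGISTER:
        net = r.net_annual_benefit(ASSUMED_ARO_CUT[r.risk_id])
        print(f"{r.risk_id:6}{r.risk_level():>6}{r.ale():>12,.0f}{r.control_cost:>12,.0f}"
              f"{r.cost_benefit_ratio():>9.2f}{net:>12,.0f}")
    print("Aggregate inherent ALE:", f"{aggregate_risk(REGISTER):,.0f}")
    print("Priority order:", prioritize(REGISTER))
    print("Still above $500k tolerance:",
          residual_decisions_needed(REGISTER, ASSUMED_ARO_CUT, 500_000))
```

Running it prints a per-scenario table carrying both the article's ratio and the net figure. R0004's ratio of 0.39 and its negative net benefit agree that a $5,100,000 control package against a $2,000,000 ALE is not worth funding; under the assumed 50% effectiveness its residual $1,000,000 is also the only line still above the $500,000 tolerance, so it is exactly the row the executive team has to explicitly Accept or Transfer rather than Mitigate.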
Risk Mitigation Decisions

Within the constraints of both Budget and Risk Tolerance, the Controls with the most optimal Benefit/Cost/Risk balance are selected, recommended for implementation, and either approved or rejected by senior leadership. Based upon this due diligence, the leadership team will document their decisions on whether to Accept, Reject, Mitigate (through additional Controls), and/or Transfer (e.g., to insurance underwriters) the Inherent Risk within each of the Risk Scenarios that have been identified. These decisions regarding investment in additional Controls, including the Residual Risks for each Risk Scenario, complete the organization’s Risk Level Agreements (RLA). The executive team (and board as appropriate) document their agreement regarding what investments will be made (or not), including what Residual Risk will be accepted (ref. the additional columns on the far right in the diagram below).

Residual Risk

Finally, any “Residual Risk” (those Risks remaining unaddressed) are clearly documented, often using the same Risk Register described above. The Residual Risk is then compared to the overall Risk Tolerance of the organization. Where Residual Risk still exceeds the organization’s Risk Tolerance, additional Risk Mitigations may be considered, or the Residual Risk should be explicitly Accepted or Transferred.

Our team at Phenomenati hope you find this concept of Risk Level Agreements to be as useful as we have in improving strategic level planning and reporting between your Executive Teams and your Boards.

Figure 6 – Example “Risk Register” Including Executive Agreements
Risk Level Agreements™ (RLAs) - Example “Risk Register” Including Executive Agreements (Figure 5 columns: Qualitative Assessment, Quantitative Assessment, Controls, Cost/Benefit Analysis; plus DECISIONS (Avoid / Accept / Mitigate / Transfer), Authorities (CEO, COO, CSO, CTO, Product, Eng, India GM) and Dates (Date Decided, Last Reviewed, Next Review)). Risk Type, Vulnerability and Consequences text are as in Figure 2.

ID: R0001 - Threat (5): Criminal Theft / Extortion; Vulnerability 4; Consequences 5; Risk Level 22.5
  SLE: $4,000,000   ARO: 0.25   ALE: $1,000,000
  Controls: Administrative $100,000; Physical $-; Technical $100,000; Annualized Cost $200,000; Cost/Benefit 5.00
  Decisions: X X (two of Avoid / Accept / Mitigate / Transfer)
  Authorities: CEO AB, COO CD, CSO EF, CTO GH, Product IJ, Eng KL, India GM MN
  Date Decided 2022-02-01; Last Reviewed 2022-02-01; Next Review 2023-02-01

ID: R0002 - Threat (5): Ransomware; Vulnerability 4; Consequences 5; Risk Level 22.5
  SLE: $2,000,000   ARO: 0.5   ALE: $1,000,000
  Controls: Administrative $100,000; Physical $-; Technical $300,000; Annualized Cost $400,000; Cost/Benefit 2.50
  Decisions: X X (two of Avoid / Accept / Mitigate / Transfer)
  Authorities: CEO AB, COO CD, CSO EF, CTO GH, Product IJ, Eng KL, India GM MN
  Date Decided 2022-02-01; Last Reviewed 2022-02-01; Next Review 2023-02-01

ID: R0003 - Threat (4): Compromise of Service, Injection of Malicious Software into the SaaS offering; Vulnerability 5; Consequences 5; Risk Level 22.5
  SLE: $5,000,000   ARO: 0.2   ALE: $1,000,000
  Controls: Administrative $100,000; Physical $-; Technical $100,000; Annualized Cost $200,000; Cost/Benefit 5.00
  Decisions: X X (two of Avoid / Accept / Mitigate / Transfer)
  Authorities: CEO AB, COO CD, CSO EF, CTO GH, Product IJ, Eng KL, India GM MN
  Date Decided 2022-02-01; Last Reviewed 2022-02-01; Next Review 2023-02-01

ID: R0011 - Threat (5): High Expectations of Security & Privacy from Prospects; Vulnerability 4; Consequences 4; Risk Level 18
  SLE: $1,000,000   ARO: 4   ALE: $4,000,000
  Controls: Administrative $300,000; Physical $-; Technical $500,000; Annualized Cost $800,000; Cost/Benefit 5.00
  Decisions: X (one of Avoid / Accept / Mitigate / Transfer)
  Authorities: CEO AB, COO CD, CSO EF, CTO GH, Product IJ, Eng KL, India GM MN
  Date Decided 2023-02-01; Last Reviewed 2023-02-01; Next Review 2024-02-01

ID: R0004 - Threat (3): Insider Threat; Vulnerability 4; Consequences 5; Risk Level 17.5
  SLE: $4,000,000   ARO: 0.5   ALE: $2,000,000
  Controls: Administrative $100,000; Physical $-; Technical $5,000,000; Annualized Cost $5,100,000; Cost/Benefit 0.39
  Decisions: X X (two of Avoid / Accept / Mitigate / Transfer)
  Authorities: CEO AB, COO CD, CSO EF, CTO GH, Product IJ, Eng KL, India GM MN
  Date Decided 2022-02-01; Last Reviewed 2022-02-01; Next Review 2023-02-01
Foote >> About the Author: CISO, CPO/DPO, Cybersecurity Executive, Board Advisor, CISSP, CCSA, CCSP, CISM, CDPSE, CIPM, CRISC, CISA, currently a Managing Director with Phenomenati, Scott Foote is a globally recognized thought leader and subject matter expert with more than 35 years of technology leadership experience in cybersecurity and the broader software industry, Scott is an experienced cybersecurity executive, designing security and privacy into digital transformation initiatives for his clients. Scott has an acute ability to understand and map organizational needs to security models, architectures, solutions, and technologies. 36 Top Cyber News MAGAZINE - January 2023 - All Rights Reserved
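As an added worked example (not the sheet's own spreadsheet logic, nor code from Scott Foote or Phenomenati), the Python below recomputes the quantitative columns of the RLA sheet from its inputs: ALE = SLE x ARO, the annualized control cost, the cost/benefit ratio, the risk-level ranking, and a next-review check. The row values are transcribed from the sheet; the risk-level formula (consequence times the mean of the threat and vulnerability metrics) is an assumption inferred from the five rows, since the sheet prints the results but not the formula. The `Risk` dataclass and every function name are this example's own.

```python
"""Quantitative risk register in the style of the RLA sheet above.

Added example, not Scott Foote's or Phenomenati's own tooling. Row values are
transcribed from the sheet; the risk-level formula is an ASSUMPTION inferred
from those five rows (the sheet prints the numbers but not the formula).
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    rid: str
    threat: int                  # qualitative threat metric, 0-5
    vulnerability: int           # qualitative vulnerability metric, 0-5
    consequence: int             # qualitative consequence metric, 0-5
    sle: float                   # Single Loss Expectancy, USD
    aro: float                   # Annualized Rate of Occurrence, events/year
    admin_cost: float = 0.0      # annualized cost of administrative controls
    physical_cost: float = 0.0   # annualized cost of physical controls
    technical_cost: float = 0.0  # annualized cost of technical controls
    next_review: Optional[str] = None  # ISO date of the next scheduled review


def risk_level(r: Risk) -> float:
    """0-25 risk level. ASSUMPTION: consequence x mean(threat, vulnerability);
    this reproduces 22.5, 22.5, 22.5, 18 and 17.5 for the sheet's rows."""
    return r.consequence * (r.threat + r.vulnerability) / 2


def ale(r: Risk) -> float:
    """Annualized Loss Expectancy: SLE x ARO."""
    return r.sle * r.aro


def annualized_control_cost(r: Risk) -> float:
    return r.admin_cost + r.physical_cost + r.technical_cost


def cost_benefit_ratio(r: Risk) -> float:
    """Expected annual loss addressed per dollar of control spend (ALE / cost).
    Below 1.0 the controls cost more per year than the loss they address,
    which is what the sheet's R0004 row (0.39) shows."""
    cost = annualized_control_cost(r)
    return float("inf") if cost == 0 else ale(r) / cost


def ranked(register: List[Risk]) -> List[Risk]:
    """Rows ordered by risk level, highest first (ties keep input order)."""
    return sorted(register, key=risk_level, reverse=True)


def overdue_reviews(register: List[Risk], today: str) -> List[str]:
    """IDs whose Next Review date is earlier than `today` (ISO date string)."""
    t = date.fromisoformat(today)
    return [r.rid for r in register
            if r.next_review and date.fromisoformat(r.next_review) < t]


def by_id(register: List[Risk], rid: str) -> Risk:
    return next(r for r in register if r.rid == rid)


# Values transcribed from the RLA sheet; its Physical control cost is blank.
REGISTER = [
    Risk("R0001", 5, 4, 5, 4_000_000, 0.25, 100_000, 0, 100_000, "2023-02-01"),
    Risk("R0002", 5, 4, 5, 2_000_000, 0.50, 100_000, 0, 300_000, "2023-02-01"),
    Risk("R0003", 4, 5, 5, 5_000_000, 0.20, 100_000, 0, 100_000, "2023-02-01"),
    Risk("R0004", 3, 4, 5, 4_000_000, 0.50, 100_000, 0, 5_000_000, "2023-02-01"),
    Risk("R0011", 5, 4, 4, 1_000_000, 4.00, 300_000, 0, 500_000, "2024-02-01"),
]

if __name__ == "__main__":
    for r in ranked(REGISTER):
        print(f"{r.rid} level={risk_level(r):>5} ALE=${ale(r):>12,.0f} "
              f"cost=${annualized_control_cost(r):>12,.0f} "
              f"benefit/cost={cost_benefit_ratio(r):.2f}")
    print("overdue as of 2023-03-01:", overdue_reviews(REGISTER, "2023-03-01"))
```

Running it reproduces the sheet's ordering (the three 22.5 rows, then R0011 at 18, then R0004 at 17.5) and its ratios. The ratio below 1.0 on R0004 is the signal worth reading: the proposed $5,000,000 of technical controls exceeds the $2,000,000 ALE, so the cost/benefit column argues for a cheaper control set or a different treatment before that row's next review.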
“Cybersecurity, like life, has the colours that you give it”
Stéphane NAPPO
“KNOW THYSELF”

The Ancient Greek aphorism "Know Thyself" (Greek: γνῶθι σεαυτόν, transliterated gnōthi seauton; also γνῶθι σαυτόν, sauton, with the ε contracted) is one of the Delphic maxims and was inscribed in the pronaos (forecourt) of the Temple of Apollo at Delphi, according to the Greek writer Pausanias (10.24.1). The phrase was later expounded upon by the philosopher Socrates, who taught that “The unexamined life is not worth living.”

An unexamined business transformation strategy is not worth implementing. To facilitate and maintain the confidentiality, integrity and availability of data and business operations, create roadmaps to digital transformation and design a reliable system in which your security strategy is part of your digital transformation strategy. People are an imperative part of that system.

In essence, automation should NEVER create a function. Automation is only a tool: to preserve corporate identity and the user/customer experience, it must be driven by a clear functional need and relevant compliance knowledge, and for it to provide global vision, monitoring, interoperability, traceability, orchestration and steering, a new holistic and strategic vision is required.

Just as truly successful business decision-making relies on a balance between deliberate and instinctive thinking, successful digital transformation relies on the interconnectedness and interdependence of state-of-the-art technologies. In information and cyber security it is crucial to identify adversaries, find unknown security vulnerabilities, reduce cyber risks and envision the potential future threat landscape. To understand, develop and cultivate remarkable resilience is vital.

Have in place an ever-evolving cyber resilience blueprint. Arm your business in the face of future cyber threats. Mind the systemic nature of the cyber threat landscape. 'Know thyself' to increase your cyber resilience. Strive to inform and educate. Education has always been a profit enabler for individuals and for the corporation; both its conception and its delivery must evolve quickly and radically to keep pace with the digital transition. Education is part of the digital equation.

Ten Recommendations for a Cyber Resilience Strategy

Identify, Protect, Detect, Respond and Recover (the NIST Cybersecurity Framework functions for managing cyber threats) remain the fundamental steps; then the race is on. It is therefore crucial for an organisation to adhere to these ten recommendations while aiming at a high level of cyber resilience:
• Align information and security strategy with the business digital transformation strategy.
• Adopt a comprehensive cyber risk management attitude.
• Identify the most critical information and assets.
• Find and manage vulnerabilities.
• Reduce cyber risks in projects and in production.
• Optimize the reliability of strategically chosen systems.
• Evolve your security to a prevention-based strategic architecture.
• Pledge to employ state-of-the-art digital and defence solutions.
• Regularly instruct your teams to empower and strengthen their resilience.
• Scale your success by sharing knowledge and intelligence.

By Stéphane Nappo
TOP CYBER NEWS MAGAZINE
Human Centered Communication of Technology, Innovation, and Cybersecurity
AN AWARD-WINNING DIGITAL MAGAZINE ABOUT PEOPLE, BY PEOPLE, FOR PEOPLE
Ludmila Morozova-Buss, Editor-In-Chief, Doctoral Student, Capitol Technology University