ModernCISO – Dallas

Kudelski Security Vice President of Global Advisory Services Mark Carney and Tony Spinelli, COO/President of Cyberdivision at Fractal Industries are back with another installment of ModernCISO. This time they’re in Dallas, Texas. Tony and Mark will be discussing three pieces of advice on how to be a successful CISO.
Modern CISO Web Series: Washington D.C.

Welcome to the debut of our brand new Modern CISO web series. This series is a platform for security leaders to gain insights from their industry peers on cyber security topics. Presented by Mark Carney, VP of Global Advisory Services at Kudelski Security and featuring Tony Spinelli, former CISO from Capital One and current Chief Operating Officer of Fractal Industries Inc., this installment revolves around cyber board communication and metrics.

A Shift in Mindset for the Modern CISO: An Investment Portfolio Approach to Cyber Program Management

In the spirit of bringing fresh perspectives to cybersecurity leadership, Kudelski Security has been reconsidering the way CISOs approach cybersecurity program management. The Investment Portfolio approach builds on the fundamentals of financial management, enabling CISOs to optimize their security programs by managing them along the lines of a financial investment portfolio.

This approach not only provides a strong structure to the organization of a cyber program, it also enables CISOs to answer the age-old question of how to generate buy-in from C-suite colleagues and boards of directors. It helps create a culture of shared cyber risk ownership across the organization, and challenges the antiquated notion that cybersecurity is principally a technical problem or an exercise in compliance.

A cursory comparison between what high-net-worth portfolio managers and CISOs do reveals a high degree of commonality in many broad thematic areas. Underlying concepts include:

  • High-trust businesses
  • A focus on risk management and maximizing investments
  • Progress unnoticed until poor performance happens
  • A need to manage complexity in hyper-dynamic environments, while looking to predict stock market movement/emerging threats
  • The continuous evaluation of portfolios
  • The use of models and analysis for decision making
  • Continuous communication of performance to stakeholders

Unpacking each of these concepts is the starting point for CISOs interested in adopting a portfolio management mindset that can help focus cyber investments on the highest-impact/greatest risk-reduction priority areas.

The similarities center not only on the broader thematic areas and underlying concepts listed above, but relate also to the operating models, frameworks and analysis techniques that both professions use to manage business risk.

There are several models that need unpacking. Below we summarize one of them – Research Analysis: Stocks & Components.

Research Analysis: Stocks & Components

To create a strategic security organization, CISOs need to learn and evaluate their business like a CEO. High net worth portfolio managers perform detailed analysis on the stocks within their investment portfolios, and at the same time learn those businesses in order to understand the growth, opportunities, threats and risks associated with those companies at a macro level.

Continuous evaluation of the business and the cyber program components is a challenging but important part of the CISO's role. When done effectively, with KPIs and appropriate metrics, it enables CISOs to consistently make smart, risk-aligned decisions and to communicate persuasively with senior leadership and the board.

High Net Worth Portfolio Managers consistently evaluate a key set of attributes of stocks within their managed portfolio and new stocks.

Cyber Component Research

Corporate Security Leaders consistently evaluate a key set of attributes for each aspect of their cyber security program.

A mindset shift towards looking at your cyber program as a set of comprehensive capabilities will enable you to evaluate the maturity, threat, risk and investments of your cyber program. This investment portfolio approach can help CISOs communicate decisions more clearly and build confidence in the eyes of the executive management team and board members.

Our first CISO Fresh Thinking webinar, “An Investment Portfolio Approach to Cyber Program Management,” explores this and other key issues in greater depth.

You can download the webinar now to hear Mark Butler, CISO at Fiserv, have a conversation with Kudelski Security’s Mark Carney, Vice President of Global Consulting Services and learn how this particular shift in mindset can help you fulfill your mandate better.