Cyber Threat Management Strategies for Local Leaders

The UK just told every FTSE 350 CEO to PRINT their cyber response plan on actual paper. Here’s why that might be the smartest thing they’ve said in years: The National Cyber Security Centre (NCSC) is advising leaders to literally print out their cyber incident response plans and keep them offline. The thinking is simple (and blunt): When a cyber breach hits, assume your entire digital infrastructure is gone. • email locked • servers offline • collaboration tools dead If your plans are stuck inside those systems, you’ll be flying blind in a crisis. This might sound like fearmongering at first glance, but it's a reflection of the new reality. The UK has faced 204 nationally significant cyber-attacks in just 9 months. • Jaguar Land Rover • Marks & Spencer • Co-op These are just 3 of many that have stopped production lines cold and, in the worst cases, cost lives in hospitals. Under every big name, hundreds of smaller suppliers, partners, and vendors are quietly being used as a way in. I think the advice is dead right and wildly overdue. In traditional disaster recovery (pre-cloud), we always had a printed plan in a grab-and-go folder. It wasn’t cutting-edge, but it worked. Today, attacks are more sophisticated, faster, and nastier. But most SMEs don’t even have a basic cyber incident plan. Forget paper copies – they’ve got nothing to print. And even worse, many still believe they’re not targets because they’re not household names. That’s the real vulnerability. If you’re an SME leader, start with 3 steps: 1) Write your plans down. Your incident response plan should live outside your IT systems. If your systems are offline, you’ll still be able to lead your team through the chaos. Print your plan. Store it in a physical location. Make sure leadership knows where it is. 2) Run tabletop exercises regularly. Test your incident response plan before you need it. Plans on paper are useless if no one’s practiced them. Reality never matches theory on the first run. Schedule sessions every 6–12 months. Simulate realistic breach scenarios. Update the plan based on what goes wrong. 3) Build resilience into your architecture. Most businesses still treat security as a bolt-on. When the system goes down, it goes all the way down. Resilience engineering means designing your systems to fail gracefully—not catastrophically. Use failover systems, redundant data centres, or separate core infrastructure from non-critical services. The more uptime your service needs, the stronger your resilience must be. ––– If you haven’t reviewed your cyber resilience in the last 6 months, you’re already behind. Get serious before you're forced to get reactive. When the lights go out, it’s too late to Google what to do next.

The speed of cyberattacks has become an executive leadership issue. When attackers can move laterally, escalate, and exfiltrate data in compressed timelines, the question is no longer whether security teams are working hard enough - they are. The question is whether the organization is built to respond at the speed the threat now requires. For leaders, I would focus on three actions: 1️⃣ Reduce manual bottlenecks: Look at triage, escalation, approvals, and containment workflows. Any process that depends on manual coordination during a fast-moving event is worth pressure-testing. 2️⃣ Clarify decision rights before an incident: Who can isolate systems? Who approves customer communications? Who decides when to involve external partners? Those answers should not be improvised under pressure. 3️⃣ Measure response speed in business terms: How quickly can you contain material risk? How quickly can you restore critical operations? How long can the business tolerate disruption? Human judgment will always matter. But in this threat environment, it has to be supported by automation, clear escalation paths, and leadership readiness. Speed is no longer just a technical metric. It is a measure of resilience. Palo Alto Networks Unit 42

Every time I host a session on Cybersecurity, it still never fails to amaze me and learn new things. This time, here's what I learnt. Cybersecurity is now a war of proxies. So many actors, each with different motives, make it extremely difficult attribute and manage. Yet, it's precisely because of this, Cybersecurity is not a tech problem. It’s a leadership one. QED just wrapped up an intense, no-holds-barred leadership session co-hosted with our friends from Ensign InfoSecurity to explore “Leadership in the Age of Cyber Risks and Opportunities.” Instead of just another tech talk, we made it a strategic dialogue at the Board-level. So here are my key takeaways... I did say I'm learning, right? 😉 1. When sh*t happens, who decides? Clear ownership is critical when a breach happens. If everyone’s responsible, no one is. 2. Assume you’re already breached. Incident response plans are 3-parters what should cover before, during and after a breach/attack. 3. Boards must prioritise the top 3 cyber risks. Not everything can be defended equally—focus on protecting your critical assets and ask how can you recover... if at all? 4. Metrics that matter. Boards should ask the right questions, not just more questions. Assess resilience with clear indicators. Watch out for vanity metrics that feel good, but does absolutely... nothing! 😅 5. Cyber hygiene is culture, not compliance. Regular simulations. Employee training. Strong passwords. Make it a daily habit and not something tedious nor optional. Ensign also shared their 2025 Threat Report which focuses more of the situation across APAC rather than elsewhere. Top three points: – Ransomware is still king – GenAI poses new challenges/complexities – Geopolitical tensions are reshaping the attack surface A huge thank you to Charles Ng and the great team at Ensign for the comprehensive deep dive and to all the leaders who shared, questioned, and connected with the purpose of being safer and better guarded together. Special thanks to our amazing panelists Lily Low, Audrey Ong, and Charles + our wonderful QED Fellow and moderator Ramakrishna Purushotaman for cutting through the noise. Your various vantage points help us all see a more complete picture of the challenges! 🙏🏼 Here's something for you to ponder: 📣 If you're a Board Director, but haven’t discussed cyber in the last 90 days, it’s overdue. Do you know what are the right questions to ask your management? 🤔

In the U.S. alone, cybercrime caused $16 billion in damages in 2024 - a 33% increase from the year before. And most of these breaches weren’t due to complex hacks or advanced malware. They happened because of simple human errors: misconfigured systems, unsecured devices, careless behavior, or being tricked by a convincing phishing email. That’s why the human factor is often the weakest link in cybersecurity, but also where the biggest gains can be made. So how do we build a human-centered security culture? It’s about shaping behavior and habits. A proven approach is Neidert’s Core Motives Model, which helps leaders guide employees toward secure behavior through three stages: 🔹 Connect – Build trust and rapport. People follow leaders they like and feel connected to. Gamified training sessions, team bonding, and small acts of reciprocity go a long way. 🔹 Reduce Uncertainty – Show credibility and social proof. When senior leaders take part in security efforts, or when teams see peers taking security seriously, they’re more likely to follow suit. 🔹 Inspire Action – Reinforce commitments. Use nudges, timely reminders, and even friendly competitions to encourage continuous attention to cybersecurity practices. A collective mindset where everyone feels responsible for protecting company assets, and each other. Security doesn’t live in IT alone. It lives in everyone’s daily choices.

I’ve advised cyber leaders for over 16 years. The pattern is painfully consistent. After 20+ years advising CISOs to CEOs, they ask "where do we start, we know we have risk." 🧙🏼♂️ Here’s the pattern: If you don’t know what you have, you have no idea if you’re spending money in the right places. Cyber risk is not abstract - It's tied to revenue You can only do that if you know where the revenue is generated. Asset management isn’t an IT spreadsheet. It’s the foundation of your entire cyber risk program. Most leaders think asset inventory means: → Laptops → Servers → Cloud accounts That’s not it. Real asset clarity means: → What data do we have? → What systems generate revenue? → What process would hurt us if it stopped? → Who actually owns each one? Ownership is not IT or the CISO The business owns the asset. <-This is what I see so many miss. Security informs the risk. Leadership decides what to do about it. They fund the mitigation or accept the risk. This is how you get heard and get budget⤵️ ✅ Step 1: Inventory it all. Not just hardware. Data. Apps. Vendors. Identities. Core workflows. ✅ Step 2: Run a Business Impact Analysis (BIA) Ask simple questions: → If this system goes down for 24 hours, what happens? → What work stops? → How much revenue drops? → What contracts are at risk? → What regulators get involved? Now you’re not talking about “critical vulnerabilities.” You’re talking about business impact. This changes the boards understanding, it informs ✅ Step 3: Build Data Flow Diagrams (DFDs) → Map how data actually moves. → Where it starts. → Where it’s stored. → What touches it. → Where it leaves your company. → Who has access. When you draw it out, blind spots show up fast. Unnecessary copies. Over-privileged access. Vendors with more data than they need. Systems no one remembers approving. This is where you show impact, value. Instead of: “We need another security tool.” You say: “$18M in annual revenue depends on these three systems. They are lightly monitored and poorly segmented. Here are our options.” That’s a decision. Boards don’t fund vulnerability counts. They fund protection of revenue, trust, and survival. I’ve watched companies overspend on shiny controls while their most critical data lived in forgotten systems. I’ve also watched leaders build calm, defensible programs because they started with asset clarity. If you can’t name your top 10 assets, their owner, their revenue impact, and their data flows — you don’t have a cyber strategy. You have a tool collection. 🔁 If this resonates, your board needs to hear it. Repost 📲 Follow Wil Klusovsky for cyber explained at executive and board level — decisions, trade-offs, consequences.

“Cybersecurity isn’t failing because of tech, it’s failing because of leadership.” Last year, my team and I were called in to support a company after a major ransomware incident. The tech stack looked strong on paper: – EDR across endpoints – 24/7 SOC monitoring – Regular red team assessments But within the first hour of the incident briefing, the CFO said something that stuck: “We had the best tools. Why did everything still go down?” And that’s when it became clear— They had tools. They had dashboards. But they didn’t have the leadership structure to act decisively when it mattered. 🚫 No executive-level crisis playbook 🚫 No shared understanding of critical business systems 🚫 No communication bridge between security and the board Infosec spoke in threat vectors. The board needed answers in financial and reputational impact. Two different conversations. 📊 PwC’s 2024 Global Digital Trust Insights found: 74% of executives say their security leaders struggle to connect cyber risk to business goals. That’s the gap. Not lack of talent. Not lack of budget. But lack of alignment at the top. So how do we fix this? Here’s what security leaders can do right now to build better alignment with the board: ✅ Translate threats into impact. Don’t say “log4j vulnerability” — say “potential $3.2M outage risk.” ✅ Map risk to operations. Identify which 3–5 assets the business cannot afford to lose. ✅ Create a board-ready playbook. Define roles, escalation paths, and executive impact scenarios. ✅ Make metrics meaningful. Don’t show patching rates — show how exposure has dropped over time. ✅ Embed cyber in decision-making. Join strategic planning, not just audit reviews. Cybersecurity is no longer a technical function. It’s a leadership mandate. And the companies that thrive will be the ones where leadership owns the risk, not just the report. #CyberLeadership #CyberResilience #BoardroomSecurity #MCS #SecurityThatDelivers #BusinessAlignment #DigitalTrust #CyberForGrowth

The OWASP® Foundation Threat and Safeguard Matrix (TaSM) is designed to provide a structured, action-oriented approach to cybersecurity planning. This work on the OWASP website by Ross Young explains how to use the OWASP TaSM and as it relates to GenAI risks: https://lnkd.in/g3ZRypWw These new risks require organizations to think beyond traditional cybersecurity threats and focus on new vulnerabilities specific to AI systems. * * * How to use the TaSM in general: 1) Identify Major Threats - Begin by listing your organization’s key risks. Include common threats like web application attacks, phishing, third-party data breaches, supply chain attacks, and DoS attacks and unique threats, such as insider risks or fraud. - Use frameworks like STRIDE-LM or NIST 800-30 to explore detailed scenarios. 2) Map Threats to NIST Cybersecurity Functions Align each threat with the NIST functions: Identify, Protect, Detect, Respond, and Recover. 3) Define Safeguards Mitigate threats by implementing safeguards in 3 areas: - People: Training and awareness programs. - Processes: Policies and operational procedures. - Technology: Tools like firewalls, encryption, and antivirus. 4) Add Metrics to Track Progress - Attach measurable goals to safeguards. - Summarize metrics into a report for leadership. Include KPIs to show successes, challenges, and next steps. 5) Monitor and Adjust Regularly review metrics, identify gaps, and adjust strategies. Use trends to prioritize improvements and investments. 6) Communicate Results Present a concise summary of progress, gaps, and actionable next steps to leadership, ensuring alignment with organizational goals. * * * The TaSM can be expanded for Risk Committees by adding a column to list each department’s top 3-5 threats. This allows the committee to evaluate risks across the company and ensure they are mitigated in a collaborative way. E.g., Cyber can work with HR to train employees and with Legal to ensure compliance when addressing phishing attacks that harm the brand. * * * How the TaSM connects to GenAI risks: The TaSM can be used to address AI-related risks by systematically mapping specific GenAI threats - such as sensitive data leaks, malicious AI supply chains, hallucinated promises, data overexposure, AI misuse, unethical recommendations, and bias-fueled liability - to appropriate safeguards. Focus on the top 3-4 AI threats most critical to your business and use the TaSM to outline safeguards for these high-priority risks, e.g.: - Identify: Audit systems and data usage to understand vulnerabilities. - Protect: Enforce policies, restrict access, and train employees on safe AI usage. - Detect: Monitor for unauthorized data uploads or unusual AI behavior. - Respond: Define incident response plans for managing AI-related breaches or misuse. - Recover: Develop plans to retrain models, address bias, or mitigate legal fallout.

The "set it and forget it" approach to cybersecurity is a ticking time bomb. Why? Because cybersecurity isn't a one-and-done deal.  It's an ongoing battle that requires constant vigilance and adaptability. Threat actors are often relentless, constantly sharpening their skills and finding new ways to infiltrate your defenses.  If you're not doing the same, you're leaving the front door open for them to enter and wreak havoc on your business. What can you do to stay ahead of the game?  1. Treat cybersecurity like a subscription, not a one-time purchase. Stay on top of software updates and patches like your life depends on it (because, let's be real, your business does). 2. Continuously educate your team on the latest threats and best practices. Cybersecurity isn't just an IT problem; it's an everyone problem. 3. Regularly review and update your security policies and procedures. The cybersecurity landscape is constantly shifting, and your strategies need to keep up. 4. Conduct regular risk assessments and penetration testing. Identify vulnerabilities before the bad guys do, and plug those holes faster than lightning. 5. Create a culture of cyber resilience. Encourage your team to be proactive, curious, and unafraid to question the status quo regarding security. Staying vigilant and proactive with cybersecurity can feel like a never-ending battle.  But complacency costs far more than the effort required to stay secure.