Digital Transformation & AI for Humans

S1|Ep62 Building a Cybersecurity-First Culture: Key Strategies for Sustainable Business Growth

Dr. Victor Monga Season 1 Episode 62

Let’s talk about building a cybersecurity-first culture and uncover the key strategies for sustainable business growth.  We’ll take a closer look at how Artificial Intelligence and Zero Trust strategies are being used to battle intelligent cyber threats, together with my brilliant guest, Dr. Victor Monga from LA, California (USA).

Dr. Monga is a Cybersecurity Technologist & Architect, co-author of Simple Solutions, Complex Problems, founder of VTF University, and co-host/producer of the Zero Trust Journey Podcast.

With over 70 industry-recognized cybersecurity certifications, Victor is a highly sought-after speaker at global cybersecurity events, an adjunct professor, and an active board member of premier cybersecurity organizations.

🔑 In this episode, we reveal powerful insights on:
✔️ Why cybersecurity is no longer just a technical issue – it’s a cultural and strategic imperative for business growth in 2025 and beyond
✔️ What a cybersecurity-first culture really means – and how it drives sustainable digital transformation
✔️ How C-suite leaders and boards can champion cybersecurity as a core business value – practical steps to embed it into everyday operations
✔️ Why employees are both the first line of defense and the most vulnerable link – and how to build awareness, accountability, and engagement across teams
✔️ The role of emotional intelligence, mindset, and soft skills in strengthening cyber resilience – with real-world examples from forward-thinking companies
✔️ How to align cybersecurity and innovation – so that protection doesn’t come at the cost of agility
✔️ The biggest cyber threats and challenges on the horizon for 2025
✔️ One game-changing piece of advice every business leader and cybersecurity professional should hear to embed a long-lasting, growth-driving cyber culture 

🔗 Connect with Dr. Victor Monga on LinkedIn
🔗 Tune in to the Zero Trust Journey podcast : https://www.ztjourney.com/
🔗 VTF University on LinkedIn: https://www.linkedin.com/school/vtfuniversity


About the host, Emi Olausson Fourounjieva
With over 20 years in IT, digital transformation, business growth & leadership, Emi specializes in turning challenges into opportunities for business expansion and personal well-being.
Her contributions have shaped success stories across corporations and individuals, from driving digital growth, managing resources and leading teams in big companies to empowering leaders to unlock their inner power and succeed in this era of transformation.

📚 Get your AI Leadership Compass: Unlocking Business Growth & Innovation 🧭 The Definitive Guide for Leaders & Business Owners to Adapt & Thrive in the Age of AI & Digital Transformation: https://www.amazon.com/dp/B0DNBJ92RP

🔗 Connect with Emi Olausson Fourounjieva on LinkedIn
🌏 Learn more: https://digitaltransformation4humans.com/
📧 Subscribe to the newsletter on LinkedIn: Transformation for Leaders

Speaker 1:

Hello and welcome to Digital Transformation and AI for Humans with your host, Emi. In this podcast, we delve into how technology intersects with leadership, innovation and, most importantly, the human spirit. Each episode features visionary leaders who understand that at the heart of success is the human touch: nurturing a winning mindset, fostering emotional intelligence and building resilient teams. Let's talk about building a cybersecurity-first culture and uncover the key strategies for sustainable business growth. My amazing guest today is Dr. Victor Monga from Los Angeles, California, a cybersecurity technologist and architect, co-author of Simple Solutions, Complex Problems, founder of VTF University and co-host and producer of the Zero Trust Journey podcast. Welcome, Victor, I am honored to have you here in my studio. How are you?

Speaker 2:

Good. Thanks, Emi. Thanks for having me.

Speaker 1:

Let's start the conversation and transform not just our technologies but our ways of thinking and leading. If you are interested in connecting or collaborating, you can find more information in the description. Subscribe and stay tuned for more episodes. I'd also love to invite you to get your copy of AI Leadership Compass: Unlocking Business Growth and Innovation, the Definitive Guide for Leaders and Business Owners to Adapt and Thrive in the Age of AI and Digital Transformation. Find the Amazon link in the description below. Victor, it's so great to have you here today and I'm so looking forward to our today's conversation. So, to start with, please tell a few words about yourself, your journey, what brought you into the cybersecurity space, and tell us more about the latest changes and exciting trends for the future.

Speaker 2:

Yeah, well, I'll start with this. We're born and raised in India and currently in Los Angeles, California. For the past 14 years, my journey and culture shift to cybersecurity was something by chance, not by choice, and it's something that I have shared in the other sessions I have spoken, where it was about eye-opener, when I saw how easy it is to hack into my college Wi-Fi and use it or misuse it, and at that time I was given a choice that either they were going to turn me in to the cops or they were actually giving me a choice to become an ethical hacker. And that's when I realized the power of cybersecurity and what it can impact the lives and the outreach that it needs to be really evangelized what cybersecurity is, and that's what we're going to talk about today. The mindset. Past 10 years have been a lot about zero trust architectures.

Speaker 2:

We started the VTF University to help those who can't afford education in cybersecurity or they don't have the prereqs. So we are not in the traditional cybersecurity training where you need to meet minimum requirements or prereqs to earn the education. We help people to train for the real job in cybersecurity. That's what VTF University is founded, based on that. Recently we launched a podcast as well for Zero Trust, where we bring the guests, just like I am here today, to talk about Zero Trust Journey and really cut the noise of all that marketing Zero Trust and talk about the practical advices. How do I actually adopt and institute and instrument Zero Trust in my organization? So I would encourage everybody to check it out. It's called Zero Trust Journey. It's on Spotify, formulazit, YouTube, you name it.

Speaker 1:

Amazing. Tune in to Victor's podcast. Check for the links below in the description and I'm sure you will enjoy the content, because there is so much value in every episode. Victor, cybersecurity is no longer just a technical challenge. It is a cultural and strategic imperative. What does a cybersecurity-first culture look like and why is it essential for achieving sustainable business growth in today's rapidly evolving digital landscape?

Speaker 2:

Yeah, let's start with this one, take a step back. So let's talk about cyber or digital, if you think about it. So I'll give you my personal example. My mom has a habit of when she locks the door, she checks it, she verifies it. So she tried to turn the knob to verify that if the lock was actually locked. And as a kid I always get annoyed by that because, like, mom, you already locked the door. What's the point of actually turning the knob and verifying it? And she would just look at me and smile and it's more like, okay, you're a kid, you don't understand. 30 years fast forward, I understand that now. That is security-first culture. That's exactly what it is, if you think about it.

Speaker 2:

In our cyber, digital world, when we are clicking on things, when we are replying to people, when we are actually going to websites and downloading things, how do we verify that it's actually legit, it's not going to harm us? How do we make sure that we actually are protected from the internet or bad guys or adversaries? How do we know? And that's what the mindset is, that it's not just about my mom's job to verify that lock. It can be my dad, it can be me and all the kids. It's everybody's job to make sure that a house is protected, all the windows are closed and locked. When we leave, doors are locked. We need to verify that. So this is where a shift is happening, where we security people started with this propaganda 20 years ago that security is complicated and complex and only security people understand that. With that, we built this, some sort of fear and uncertainty in our business and non-technical people, if you will, that security is all about technical complexity and complicated, and we almost shot ourselves in the foot by doing so. Because now look at this, when you fast forward, we are saying security is everybody's job. Security is not technical. It's about the conversation. Top threats, even today.

Speaker 2:

What is it? Phishing, ransomware. What happens in phishing? Someone is playing with your emotions. Someone is actually exploiting human side of your empathy and they are trying to break through that. Is it technical? Absolutely not. Do they use technical means to exploit that? Yes. In other words, they're not using the key to break into your home, they're using your emotions. So it's not technical.

Speaker 2:

So the culture is about be curious. The advice is here curious when someone is sending email, text, call, even with deepfakes if you're in front of a Zoom camera. Be curious, ask them question about the historical information that only you or the person would know. Ask them those teasers that, hey, remember that Christmas party that we went to, you were drunk, whatever, those personal things that you and the person should remember. Probe about those. That's where the culture is.

Speaker 2:

Now, is it technical? Absolutely not. Is it curious? Yes. Back to my mom's example. She's not technical, yet she has that security mindset.

Speaker 2:

That's what we need to apply, that's what we need to transform, that's what we need to bring it into this world, the cyber digital world, because we did, actually, a short survey at VTF University where we said how many people can survive without an online presence today, like phone, computer, without anything that you can survive a day, a week, a month, a year. There's not a whole lot. If you look around, the newer generation is obviously hooked on to it because that's where they are interacting with the world. Even the older generation, who didn't actually was raised or who didn't have these computers around them, look at them. What's going on? They use phone to talk to their grandchildren. They use their phones to pay their bills or online banking. They use computers to send emails. So even when the generation who was not actually raised with computers, now they're using it. They can't live without it anymore. Right? Telephone is a great example. Telephone, the phone, the mobile phone is a digital cyber thing, if you will, and yet we can't live without it. How are you going to reach anything, even in an event of emergency? We don't have landlines at home. LA was faced with a lot of fires. A lot of those homes needed to evacuate and in the hurry they needed to call their neighbors, their friends, their family, to inform them, their relatives, that this is happening. An interesting fact: because the cell towers were down in the area due to fires, they have no means of communicating. No digital, no life. Pretty much, that's what has happened.

Speaker 2:

And if that importance that this means so much to us and it can impact literally our lives, why are we not checking the knob? Why are we not verifying that we locked it properly? Why are we non-technical people not curious about it? And that's a shift. Cybersecurity, yes, you have the technical controls, but I think, in my humble opinion, it's 51% non-technical where we humans have to be curious. What are we doing using the digital means, the phones, the laptops, the computers? What are we doing? What are we clicking? What are we downloading? Why are we doing it? Be curious about it, ask the right questions.

Speaker 1:

I love your reference examples.

Speaker 1:

It is a perfect case study around how important it is to have access to those communications and how big part of our life it represents today clear way that it's not only about the technical skills, it's not about the technology.

Speaker 1:

It is about non-technical people and everybody who is around each and every one coming in touch with cybersecurity area to be in charge for the space we are having our life in and running business in. So it is great to keep it in mind, and I also can see this shift from the mindset where AI and cybersecurity and IT belong only to technical people, to those who understand how everything is set up and how it is working, and it was super detailed and technical. Now people start understanding that it's not going to help a whole lot if you don't have a broader picture in front of you and if you don't involve everybody into this journey in order to make those technologies land and be adopted in the right way, and cybersecurity is a responsibility of each and every one. This is exciting. So creating a cybersecurity-first culture requires leadership buy-in. How can C-suite leaders and boards champion cybersecurity as a core organizational value? Are there practical steps they can take to make cybersecurity a shared responsibility across all levels of the business?

Speaker 2:

This is going to be hard for those who have not done it, but yet I'm going to share on this podcast. Try not to be the smartest person in the room, especially when you're speaking to the board of directors or executives, because when you, especially people like me who come from the technical world, we have a tendency to turn the notch up when it comes to explaining and over-explaining and mansplaining the things such as what is the technical jibber-jabber. Let me use all the jargons in the world I know about it. Or let me scare you with the recent threats and the adversaries and the exploitations. I think the board just wants to know that you're on top of it. How are you going to help the business? Do you need more money? Or you're going to maintain your budget and yet protect me? If you're asking for something culturally shift, are you going to maintain the calmness and demeanor in the organization so that it doesn't turn into a shit show? That's what they want to know. But we, again I'm including myself in that category, where, when we try to explain things, we go all the way technical. I'm going to have presentation. I'm going to talk about the TCP/IP. I'm going to talk about the new fancy technology we just implemented and how it has reviewed all the logs, but it can look at the layer 7.

Speaker 2:

Honestly, it's the same principle that my three-year-old daughter applies to me. She comes in, she explains to me everything about what's going on on that toy table. She tells me here's a doll, here are some clothes, here's the painting, here's everything Great. What I want to know? That for next one hour, you're going to play on your toy table and you're going to leave me alone or you're going to be safe. That's all I want to know. I don't need to know all the toys that you have on your table. I don't need to know every aspect of that toy. I just need to know for next one hour, you're going to be safe and you're going to be playing on that toy table. That's all I want to know. Same principle, just with bigger kids, big boys or girls. We just need to tell them that we got it For next one year. Here's my budget, here's the staff people I have in, here's how I'm going to keep your company safe and sound and here's how I'm going to continue working with the business partners. That's all.

Speaker 2:

Now, how you articulate that, that depends on your business terms. If you are into financial, they maybe want to know the ROI of every investment they're doing. If you are into the culture where they care about the satisfaction of your department with the lens of other business units, maybe you put some NPO or those scores. If they care about how bringing new technologies is actually streamlining and efficiency and improving the efficiency of the employees and the job, maybe you provide those stats. Or it could be as simple hey, we are red, green, yellow, we are green today or we're green for next, our past nine months, because of your investment. Maybe provide that stat. That depends on your audience, that depends on your board of directors, that depends on the people you are presenting to what they want to see. Maybe have every slide for each person. That's your way of articulating, that's your way of presenting.

Speaker 2:

But at the end of the day, back to my daughter's example, all I want to know is for next one hour, you have your toys, you're going to be calm, you're going to be safe. That's all I want to know. And that's hard. That's really hard for us, the smart people, to actually take a backseat and not shine in the limelight because we want to. We want to express all the jibber-jabber and the jargons we know. We want to express how smart we are in the technical world and the person I'm explaining to, you're not. I think that's a wrong approach. I learned it the hard way and I think, for those who are listening, if you are my category, then try this new approach. All I'm saying is just take a sample, try it. You don't like it. Maybe it doesn't yield the right results. All back to your behavior of what you're doing. But try this at least once or twice.

Speaker 2:

When you're explaining this to your board of directors or senior people, ask them what do you care?

Speaker 2:

What do you want to know?

Speaker 2:

Is it the budget? Is it satisfaction? Is it the culture? What do you want to know? How can I prove the efficiency? How can I prove that my department is doing the right thing? What does that mean to you?

Speaker 2:

And then start reporting based on that. Not an inch left, not an inch right, not an inch up, not an inch down. Exactly the center of what they asked for, every time, consistently. And that's how you get the buy-in. That's how the leaders in the organization, the board of directors, executives, they will start seeing you as the peer instead of the, I would say, nerd.

Speaker 2:

Again, it's going to be very hard. It was very hard for me to take a step back, not explain or mansplain all the technical jibber-jabber, and yes, I keep repeating myself on this, but this is one thing it had changed my life and put me into the different category of the leaders. You can become a team lead, manager, maybe a senior manager, but if you want to become the actual leader, not the manager type, first-line manager, leadership is about finding the right thing to communicate up and down, left and right. Once you really master how to communicate the piece to the target audience, what they are very invested in, it's the same information, just the delivery mechanisms are different. And once you master that, and it's not going to be overnight, you're going to have to face a few bumps on the road, but that's okay. The leaders will see it that you're trying to change. You're trying to make a conscious effort to deliver what they want to see, what they want to hear, and they will support you throughout the journey.

Speaker 2:

And that will change almost the category of the leader you are, instead of being the manager, instead of being that person who just hands the technology, now you lead the business with the leaders. You help the business, you care about the business. Now, of course, we all have specialities. If you go into accountant office, they have specialty of doing accounting. You walk into IT, they have IT. You go into mailroom, they know exactly how to ship and receive. Everybody has specialty, but ultimately the leaders what they're doing collectively, they're helping the business.

Speaker 2:

You become the part of the business accelerator. That's what you need. Technology can do its job, but to get the buy-in from the leadership, you have to act like a leader. You have to act like their peer. Hear them when they're presenting, listen to them how they're talking, try to find the pattern from there and try to articulate next time when you speak to them. And I think that's the best way of getting buy-in from the leaders to be their peers. Even though you're not today, even though you might be three levels behind, if you dress like it, speak like it, you become one of them.

Speaker 1:

This is absolutely fantastic, everything you just shared with us.

Speaker 1:

I'm sure that it's going to help so many leaders worldwide to take that leap and become the leaders of tomorrow, because, as a technical person myself, I've been in those situations as well and I've been learning it by doing and by stepping up and by changing both behavior, but also the mindset, because it is also about changing your mindset and starting thinking the same way they're thinking in order to understand them better, to understand their pain points, give them answers to their questions and communication and other soft skills.

Speaker 1:

It is crucial and that's one of the reasons to why I decided to take the step to start helping other leaders and tech experts developing mindset, emotional intelligence and soft skills, because it is crucial, but it is so missing and it creates that difference between winning or losing on the battlefield of discussions and communication. So it is crucial and you are totally right. Probably most part of technical people need to take that step and review how they share their knowledge and their information, and that's the secret of success in this case. Employees are often the first line of defense, but also the weakest link in many organizations. What are the most effective strategies for building awareness, accountability and engagement among employees to foster a strong cybersecurity-first culture and mindset?

Speaker 2:

I have a different approach. Actually, I don't consider employees are the weakest link. The way I see it, I think technologies have failed us, the employees, if you will. It became to the point where the technology or the vendors have failed us and sold us the technologies to fix the problem where it never existed to begin with.

Speaker 2:

On the name of weakest link, employees of the weakest link, I think employees are the first line of defense which can help organizations be vigilant and report cautiously. But when we have the vendors created this hype where employees have a weakness link, hence you need to buy the license count for all the employees you have, it created a fear in employees' mind and heart where I am not effective and efficient doing my job because I'm afraid of clicking a link or replying to someone that maybe it's efficient. I think the culture needs to be shifted. With the right technologies, the leaders, technology partners, vendors, they need to give the confidence to employees that, no matter what, you can go in and click on anything, you can go reply on anything. We, the technology, will catch it. That gives me the confidence, that gives me the excitement as an employee that I can help the organization. Now, if I see something, even if I clicked on it, even though I was trying to click on it, maybe I will be more vigilant. But not be scared, not be afraid. That negative reinforcement by saying that employees are the weakest link and how organizations have tried that where, if you click on something, I'm going to send you to this mandatory requirement training, if you have replied to a person or phishing attack, then you might be on suspended leave or something, really demoralize an organization. Employees feel: am I here to work or do the job or keep the company secure?

Speaker 2:

What is my job? Am I going to get hand slapped every time I'm replying an email Because, well, technology should have caught it if it was phishing? It's not my job, it's technology's job. Yes, I can be vigilant, but I shouldn't get hand slapped every time. I shouldn't be labeled as weak link in the chain. As an employee, I am here to help the company. So, again, my approach here is, which is pretty much different than the traditional one, where employees that should be treated as the strongest link because they can make or break the company. That's first. Second, technology needs to step up. I'm sorry it's 2025, technology needs to step up. If, even today, you can't catch phishing emails and phishing links, yeah, you're doing it all wrong. Cyber security is a decent market cap about a trillion dollars. Technology vendors need to step up and come up with the technologies and there are some decent ones out there which can give the confidence to the companies and employees that they shift the mindset from weakest link to the strongest link. So that's one.

Speaker 2:

Second is I think it's, at the end of the day, when the employees are doing their job, giving them unnecessary access or giving them distractions in the company is also something that doesn't help. I'll give you an example. If in a department you had a promotion and the person knew that department, go to the different department, they might still have some responsibility to the previous department. They might still have access to the previous department. That life management of the access, that's a fundamental problem of all of us, because you give some unnecessary access to those who don't need it and they have to bear the burden and liability because they have been over-provisioned that access.

Speaker 2:

Back to IT security vendors. Vendors, you guys better have it. If I'm given exactly what I need to do, nothing more, nothing less, I have the right tools, I have the right solutions, right platforms to do my day job, to help the company, help the business, I can be really confident that I will help the business and that's what we want to bring it. That's the mindset we want to bring it in the company that, even though we have these phishing trainings and even though we have these mandatory requirements for most of the compliance that you train your employees, it needs to be more as positive reinforcement. It should be that, just like accountants go and learn about new accountant things or new ways of doing accounting, just like doctors learn about new things every year, just like drivers still until today, like the professional drivers still go through every year, they learn about how to be efficient at driving. Just like pilots. Everybody, nurses, everybody has a renewal process.

Speaker 2:

Even though this is their skill, they do this every day. They still renew that. This should be treated as such, that this is something that is second nature. We need to learn this because there's a lot out there. Not everybody can remember everything. This is just in a way of just refreshing that and building that muscle memory and refreshing that side of the brain, instead of the negative reinforcement where if I clicked on it then I'm put into a hole. With the five-hour mentally training, imagine the motivation of watching that training. Am I really motivated? Absolutely not. But if you make it something that it's useful to me, my personal life, to my professional life, to the business, yeah, I want to invest myself.

Speaker 2:

I want to invest my emotions. People don't remember what you say. People remember how you make them feel. Make them feel right, make them feel important, make them feel desired. It's not about the technology or the stupid policy someone is creating. At the end of the day, people can make it or break it, and that's the positive reinforcement message I want to encourage everyone who is listening today. Try to shift that mindset. Where weakest link are not the employees, not the people. Weakest link is the bad policies and procedures. If it's not implemented, it's a bigger level or the macro level problem, not a micro level. Employees are the strongest link. That's the message I want to convey.

Speaker 1:

I absolutely love how you just redefined the game, and that's actually how it should be, and that's a fantastic reminder to everybody who is listening to us and watching this interview today that it is about time to prioritize what really matters and put the accents where they belong, so that we get right things in place and help our business grow and also make our people feel good, feel engaged, motivated and valued as well. Victor, we often talk about the importance of balancing technical defenses with human-centric strategies. We opened up for this topic today as well. But how do mindset, emotional intelligence and soft skills like resilience, adaptability and communication play a role in building a cybersecurity-first culture? You already shared a lot around it, but maybe you could share a few examples of organizations where this has been done successfully. It would be nice to hear real-life stories and real-life achievements as well.

Speaker 2:

Yeah, again, it's managing up right. It's usually managing up here If an engineer comes up with a way of communicating their success stories. And again, from both sides, why cybersecurity needs communication, why cybersecurity needs to be resilient, why cybersecurity needs to find a way to communicate, even though there was a lot of focus put on cybersecurity, at the end of the day, we are in a service business. Think of all of us. We are in a service business. Imagine you go into a restaurant and your waiter come in and tell you what do you want to eat? And then tell you, go pick it up from that counter or go actually go wash these vegetables from this counter. You're not going to be happy about it. We tend to do the same with cyber security. If you think about it. We go to people and tell them, if you were doing this way, you can't do it. You're going to go try to do this way or differently. We try to throw hurdles in their way on the name of security. That's how they see us. That's how they feel that when we walk around in the office or in the business, they feel that here's the guy with the hurdles, not with the guy with the solution, and that's where we need to shift it.

Speaker 2:

Success story is when we have projects in organizations or business. If you are brought in towards the last or tail end of it, when the IT needs are coming, that means you need to build more friends in the company. It's a great test which I have applied to myself as well. When I'm working for a company, a new product starts and they invite us or me towards the end of it, when the IT requirements are coming, they're like, yeah, Victor, for the security as well, what do you need? Product has been finalized, PO has been cut, the vendor has been selected, everything is finalized. At the end, it's just which server these things are going to run and what security do you need. That's when it's an eye-opener, for me at least, and it should be for others, when they are not including you, business is not including you early enough. They don't see you as a business resilient player for the business. That's what I would encourage.

Speaker 2:

If that's happening to you, try to find out why. Try to find out the last time when you actually helped someone other than IT or other than your day job in your organization. Try to find how you can streamline someone's work. A good example: a CISO friend of mine. He had a project in the company where he was a good friend with the CFO, and the CFO told the CISO that they're starting a new project to streamline the onboarding of doctors. It's a project with not a whole lot of IT or security, yet it's mostly how to streamline the paperwork, onboarding, making the calls, getting their credentials. A lot to do with operations. He saw an opportunity to build bridges with operations. He sat down with the operations team to just learn about the project. He was genuinely curious about the project, and that's the part where you have to be genuinely curious about helping someone in the organization, not just covering your bottom, right? At the end of the day, if you just do your bare minimum, that's where you're going to get a return: bare minimum. You want to go above and beyond. They will come to you for above and beyond and the culture shift.

Speaker 2:

The example I'm giving you here is that the CFO trusted the CISO to share this project. The CISO trusted the business owner to discuss what this project is and understood what the project is. The CISO went in and looked at what they will be doing and how they will be doing it. He said, I can do better: 15% of the efficiency, I can improve it. Along the process, I will increase at least 70% of the security of the whole project. People didn't believe it. They're like, yep, nope, this can't be done. We have an external vendor who's doing this and they have looked at every aspect of it.

Speaker 2:

At the end of the day, the CISO genuinely cared about the business. He knew vendors can't, even though the most trusted vendors, they just don't know all the intricacies of your business. At the end of the day, he was able to just a little bit more about the project. He was able to implement single sign-on SAML, using SAML for all the platforms, where the doctor can just click on with a single sign-on to onboard their documents from there. His account or her account is created from there, from all the accesses for application provision automatically. The whole thing was streamlined to the level where it's automated: no more paperwork, no more calls, no more emails, no more texts. None of that is needed, and in the process he implemented single sign-on SAML. So the life cycle, when the doctor is onboarded, literally from day one to when they are leaving, the access is managed automatically. He proved the security as well.

Speaker 2:

So the moral of the story here is that when we genuinely care about the business projects, when we look at it in a way that it's mine, you will come up with the ideas of your areas of expertise, which is security. If it is, you will come up with fine ways to actually make a transparent security to the end users and the business and they feel that you generally help them. Again, you need to find out what the requirements are, where business is, where the KPIs of the project. Don't start with security, don't come up with nope. You can't do that because on the name of security, you are not going to open this on the name of security. That's what people hate, the business people, why they don't trust security, why they don't invite security. Because we start with no. Turn that no into something that let's talk about it. Let's understand your requirements and, one way or the other, be creative, be open-minded.

Speaker 2:

We see a lot of bad stuff in the threat briefing and intelligence. What we see, so everything. We always feel that it's a scam or it's a spam. It's a bad thing. Try to have some optimism in it. I'm not saying just turn it 180 and start opening up everything. Try to find one simple thing that if my business doesn't exist, what's the point of security? That will be your foundation rubric for every decision you make. If the business doesn't exist, what would you do with all the security?

Speaker 2:

At the end of the day, you've got to push forward. You've got to move forward the business along with your security expertise. That's what they hired you for. Technology vendors, partners, enablers, subject matter experts are out there. Why do they need you? Because they want you to care about the business. They don't need yet another mouth to say that no, you can't do that on the name of security. They're out there already. There's a lot of bad information or misinformation or disinformation. The business needs you to actually channel that relevant to the business. If the product is there, we need to do it. Find a way to make it happen. Plus security. That's what your job is. Enable the business to move forward, plus security.

Speaker 1:

Thank you so much for sharing these invaluable experiences and recommendations. And what an amazing success story, and it reminded me so much of what I've been through from the perspective of data analytics and insights. You know it is exactly the same approach that you have to be interested in what's going on on the business level. You have to genuinely be interested in being involved, in helping out and finding the best possible solution, but it happens outside of your comfort zone, outside of your technical expertise. You need to expand and see the broader picture and then doors start opening and things start changing. So this is amazing. I love your recommendations and everything you shared. Golden nuggets. In your experience, how can organizations integrate cybersecurity into their business growth strategies without compromising innovation and agility? Are there examples of front-running companies that prioritized cybersecurity for the sake of sustainable business growth?

Speaker 2:

I think Microsoft and AWS are great examples. We don't need to go that far. Microsoft had an open letter from their CEO that we need to put full focus on security and we need to stop everything that we're doing. AWS did the same and they actually brought the public cloud in the market. Security was first in their mind as well.

Speaker 2:

So there are a lot of success stories, but at the end of the day, why security? Why at the forefront? Why at the beginning of it? Why do you need it? And that's a decision as a founder, as a neighbor of the business, you've got to ask yourself it's not a decision made at an engineer level, it's made at the business level. Why security? Where is it going to bring you? Is it going to bring you confidence in the customers that they can come buy products from you, services from you? Is it because of some sort of compliance? Is it because you want to make sure that you actually genuinely have a secure product, secure platform, secure services? Or maybe it's an ROI? If your business goes under because of the minor or something that the security breach happens, then security is at the center of it. So you want to make sure that you put the focus already in there. So the questions are endless here. What I'm trying to make is it cannot be the other way around. It cannot be engineer, administrator telling you because security is important and hence you're putting it there, it will fall through and it cannot be one person decision. It cannot be, because once that person leaves, that security will leave with him or her. It has to be a buy-in collectively for a business. It has to be a business justification case, just like doing everything else.

Speaker 2:

Why do you have accounting in the business? Well, if we don't accounting, how are we going to get money? Are we going to pay bills? Why do you have janitorial staff? Well, if there are leaks, then someone has to fix it. Why do you have marketing department? Well, if there's no marketing, nobody knows about us. That sort of exercise you have to go through it to understand why security first culture, why security first mindset? Because if you can't answer why security is here and the answer is, well, because it's important to have security you're going to lose that battle. You will never get the right budget, you will never be able to hire the right talent and skills and, honestly, it'll always be just that one area that you consider should be there, but you have no idea why, so nobody will be able to focus it.

Speaker 2:

Executives cannot answer why security is there and the generic answer is because, while it should be important, get out, run as fast as you can, or the other way around. It's a great opportunity for you to enable and educate the executives, inform them why security is important to their business. If you really understand their business, if you understand the company you're working for, help them understand where security fits in the larger picture. And again, if you can't as a security leader, CISO or a security manager, if you can't answer that question, again, it's not a right fit. Either the business is trying to bolt on security or security is trying to fit into business. They both have to merge and fit in like a glove in hand because, at the end of the day, leaders need to really understand why security is there for their business and security needs to know what they are helping the business to accelerate. I'll give you another example, actually just an exercise for food for thought to do for our listeners to think about it.

Speaker 2:

When you join a company or when you actually enter a company into a security department, usually look at the mission or the value statements. Every company, most of the companies, have it because that's how they drive the brawl, that's how they actually anchor themselves. That there's a mission, there's a goal, there's a value statement. Read that, read that again and read that again. Read until you can actually reword that for your department. Reword as in, align, not reword as in. So if the company mission is to drive the sales, what is your departmental goal which aligns with it? That could be as simple as 99.9% frustration-free incidents or security incidents or 99.9% acceleration for the goals when it comes to security requirements. Whatever the goal of the department has to be something aligned with the business. But you need to have that goal as well because it's going to go both ways. Your department goal will drive. Your department aligns with the business. Business is going to see your departmental goal and understand where you fit in the business. A lot of people have OKRs or KPI as their NPO scores.

Speaker 2:

All of that is great, but if simple questions cannot be answered in your department, in your head, right away, then we're doing it all wrong. And the simple answer or the question is: why do you exist in that company? Not because you have a job. That's an obvious answer. Not because you're there. It's an obvious answer. Why are you here? How do you help the business? How do you help the organization? Punching the clock, collecting your paycheck? That's great, but doesn't help you stand out. It doesn't help you accelerate your career growth. You want to go above and beyond. You see all these smart people. You are one of them as well. The only difference is you're not just actually demonstrating that. In order to demonstrate, go beyond the typical norm, which is punching the clock, collecting the paycheck; ask yourself, why am I here today? How am I helping the business by being here today? That could be as simple as that. I'm making sure that when business projects come in, they actually leverage my security expertise to drive forward. I help the business to stay informed about the latest threats. I make sure that all the business owners actually get informed by the threats and I help them actually translate the technical jagger of the cybersecurity jargons to the business terms.

Speaker 2:

One of the surprising things I had ever seen: a security engineer looking at a company's public information. Very surprising for me. The guy worked for me and I was passing by, looked at his cubicle. He had public information, the earnings. So he's looking at earnings, the statement. I was surprised. I was like, you're a security engineer, what do you have to do with the earnings? Why do you have it printed? Do you have a little highlighted? He's like, yeah, I see it.

Speaker 2:

For the second quarter last year we didn't do well, even though we had the new launch for the new product. We didn't do well. He said, I wanted to know, I'm genuinely curious. So he went in, he talked to the product leads, he talked to the business unit owners, he talked to the general manager, actually, which was again very surprising for me because I didn't even know all of this, but he was genuinely curious. He wanted to know what's going on, why that quota was low for us, even though we had a new product launch, and that was an eye-opener.

Speaker 2:

As a security engineer, he's so involved and curious about the business, about the earnings of the business and ultimately, he wanted to find out how can we help you as a security person, how can we help you get better at next time and some of the things that he learned that next time, when the RFP comes in from the vendors to get involved in security and help application security. We're going to do it better. We're going to actually have an SLA. By when can security actually just turn it around and move forward the project? Instead of sitting on it for a month evaluating every option, he built a framework that within a week we will finalize the RFP and push forward. That's a game changer, if you think about it.

Speaker 2:

Security person getting me highly involved with what's going on with the business, the earnings, because again, at the end of the day, he genuinely cares. If the business is not there, there's no point of all of this security. He generally embodied that principle that if business is not there, what's the point of all of this security? What's the point of all these strict policies of security if the business is not there? He wanted to make it happen for the business. Star player, my star player.

Speaker 1:

Brilliant, such an inspiring example and really he's unique in a way because not many engineers and tech people are so deeply interested in the business side of things, even if they're working for the company, but they own oftentimes their role description and to their department and it's not so often that people are really interested and curious about what's going on in the broader space of their company. But that can give so many clues and so many answers to the questions which will arise later on and avoid several roadblocks just because you care, just because you think through and just because you see several steps ahead and do your best to help the company grow and succeed. So that is amazing. Looking ahead to 2025 and beyond, what are the biggest challenges organizations will face in maintaining a cybersecurity-first culture, particularly as new technologies like AI and Internet of Things and blockchain reshape the threat landscape, and how can businesses stay resilient and adaptive in this environment?

Speaker 2:

I think the first thing that I foresee, and again this is just prediction, I don't know if it's actually going to happen, but companies are going to make a mistake of their resource reduction. They're going to try to actually get rid of people. To augment and use AI on the name of because now you can reduce him, I think at least 2025 would be a huge mistake because you still need those talent and skilled people in cybersecurity in your team by your side, learning about the business. Who knows about the business?

Speaker 2:

Even though AI is there or not, you can streamline some processes of what a human is doing, but not everything. On the other hand, for those who are going to invest and double down in those talents and skills and people who are with you, that's, I think, gonna be a game changer for them. That will be the differentiator. Those companies are gonna actually be ahead of the curve because now they have AI power in the hand of the bright, skilled people who understand the business that's going to drive the business forward. So 2025, again, there's going to be a camp of people or the companies who are going to let go their cybersecurity professionals or the talent because they think AI can replace. That's a losing bet, again, in my humble opinion. I don't know, maybe it might not be, but that's a losing bet. For those who are going to double down on their talent and skills and actually train their people to use AI efficiently and effectively to drive the business forward. Imagine it's a car. For the entire time you were putting this gas, which will only take the speedometer up to 60. All of a sudden, you have the driver, you have the car, but now the new gas you put in it takes up to 120. So, amazing, the engine is a little upgraded with the new fuel and all. But if you lose the driver, if you lose the navigator, if you lose the assistants who actually help the car clean and keep it rolling and everything, that's a losing bet. So, again, don't let go your people. Who knows about your business, your security? Double down on them. Train them with AI use cases. Help them actually get the right AI to make their day job effectively and streamlined and if by far-fetched, if they have extra time on their hands, try to use those skills to help business.
I'm sure there are areas in business that a security person or an IT person can go and accelerate some of those projects. Try to double down on that. So, instead of actually just reducing the cost from letting go people and buying AI, just double down on it. I think, use AI effectively to streamline the day job with a cybersecurity professional, but use those professionals to actually really boost and elevate your business.

Speaker 2:

Second prediction that I have for 2025 is that we're still at the mercy and really at the bottom of this AI use cases. Try to be curious in 2025 if you have not been other use cases, even though they're not relevant to you today, but maybe that's relevant to your business in future. So, as a cybersecurity professional, imagine that you were caught off guard for 12 months. Fast forward your CEO actually purchased this AI solution for the business to streamline the POs, invoicing, accounting, everything. The whole accounting department is almost irrelevant overnight because they think AI can do all of this automatically.

Speaker 2:

Imagine the security burden now, the liability, the things that you have to reinvent: the procedures, the policies you had created assuming that a human will be doing it, the trainings, the phishing simulations that you have invested in assuming a human would be doing it. Now a machine is doing it. At the end of the day, AI is a machine. You need to be ready. You need to know what are the AI use cases out there so you can start thinking about if and when it happens in your company. How would you flip the switch and use the security policies, or at least have your trained, skilled professionals help you to adopt that in your company. Cybersecurity is not going to change, right? At the end of the day, we care if the money is being fraudulently going out or coming in. They both are bad. How AI is going to actually transform the accounting department by the end of the day. If a wrong invoice, a wrong PO or someone hacked into an AI and almost just withdraw all the PO, that invoice is what's going to happen? Where the data is being written? Who can access it? Person have logged into a computer to access a folder, but AI might have a different way of accessing it. Are you ready? So again, just be curious.

Speaker 2:

In 2025, all the use cases of AI. Start reading about it. Watch AI use cases, seminars and workshops. Attend some conferences this year if you have not been going, AI conferences, because that's where people are going to talk about the use cases. Again, chatbots, LLMs, about 1% to 3% of AI use case. I think there's a 97% of the use cases which is going to unveil itself this year or coming years. Start looking at those. So that's my advice. Double down on your people. Don't let them go because AI can take over the process or the job. It's not going to be the best. If you don't believe me, try to use a chatbot to draft a good contract with some prompts that your professional does it. You'll see the mistakes.

Speaker 1:

Amazing and I'm so grateful that you shared exactly these recommendations and predictions, because hopefully we just saved the job to at least a few people, because leaders are listening and thinking about how they can apply your recommendations to their decision-making process and hopefully we created that, even if not huge, but some difference on the job market in 2025 and further on beyond this year.

Speaker 1:

So the fact that everybody needs more pieces to the puzzle in order to create new results, new pictures, new outcomes I totally agree with it, and we have to enrich our toolbox, we have to enrich our understanding and approach it with as much creativity and innovativity as possible, because when we apply innovation, when we apply a broader vision, when we apply the helicopter perspective, then we can really use technologies to create something relevant for us, but in the best possible way and without impacting the humans who are in the driving seat, exactly as you mentioned before, but doubling down and creating that impact for business and the business results we all want to see and are doing our best to achieve. So this is beautiful. And finally, Victor, what is the one piece of advice you would give to business leaders and cybersecurity professionals to help them build and sustain the cybersecurity first culture?

Speaker 2:

I think, something that I already talked about where be curious about your business, learn about your business and then apply that to security instead of going. And security, going to businesses and saying no or finding a way is to actually stop the project or slow down the project. I think it's all the way around where, if you are curious about your business, if you genuinely, during the day, care about that business exploration and feel that this is your business if this was your business, would you actually stop it? Would you actually not move forward? Would you actually tell them no? And that's the mindset that during the day job that you have to start embracing where security, we don't have to say no, we just have to start opening up the conversation with being creative. We are here to help the business. It's not the other way around. And again, if there's no business, there's no point of security.

Speaker 1:

The security is doing it all wrong. I love it. Thank you so much for sharing your wisdom, your knowledge, your experience and your thoughts with us today. It's invaluable and I'm sure that it's going to help leaders and everybody who has been listening and watching this interview in 2025 and beyond, so I am so grateful for this conversation. Thank you so much for being here today.

Speaker 2:

Thank you for having me. Emi. Thanks so much.

Speaker 1:

Thank you for joining us on Digital Transformation and AI for Humans. I'm Amy and it was enriching to share this time with you. Remember, the core of any transformation lies in our human nature: how we think, feel and connect with others. It is about enhancing our emotional intelligence, embracing a winning mindset and leading with empathy and insight. Subscribe and stay tuned for more episodes where we uncover the latest trends in digital business and explore the human side of technology and leadership. Until next time, keep nurturing your mind, fostering your connections and leading with heart.
