Enterprise Security from Healthcare to GE: Accountability, Strategy, and Value Creation with Bob Chaput

My first SOC 2 audit as a Chief Technology Officer felt like performance art. Here we were, dancing to the tune of an auditor that had never built a web application, let alone a business. So many of their playbooks were repeated from other businesses and didn’t make us more secure. When we were done I was certainly glad to show off our new ‘certification’ but I wondered how I could implement great security and create value for my company. In this compelling episode of Secure Talk, host Justin interviews Bob Chaput, a seasoned CISO and cybersecurity leader with a rich background in the healthcare sector. The conversation traverses Bob’s extensive career, from his early days at GE to establishing Johnson & Johnson’s first information security program. Bob shares profound insights from his book, 'Cyber Risk Management as a Value Creator,' illustrating the shift of cybersecurity from a defensive necessity to a strategic business driver. They explore the critical role of governance, regulatory accountability, and the implementation of risk management frameworks like the NIST cybersecurity framework. Using real-world cases like Equifax’s post-breach recovery, Bob elucidates the tangible business value of robust cybersecurity measures. Learn about budgeting for cybersecurity, fostering organizational engagement, and integrating security into business operations for enhanced resilience and customer trust. This episode is a treasure trove for experts looking to transform their cybersecurity approach into a strategic advantage. Book:  Enterprise Cyber Risk Management as a Value Creator  https://bobchaput.com/enterprise-cyber-risk-management-as-a-value-creator/ 00:00 Welcome to SecureTalk: Introduction and Host Overview 00:41 The Importance of Scope in Cybersecurity 02:58 Introducing Bob Chaput: Cybersecurity Expert 04:45 Bob Chaput's Career Journey 08:17 Enterprise Cyber Risk Management as a Value Creator 12:20 The Role of Regulations and Accountability in Cybersecurity 17:26 Strategic Approach to Enterprise Cyber Risk Management 21:33 Risk and Opportunity Assessment in Cybersecurity 26:47 Leveraging Security Practices for Business Value 27:58 The Impact of Cybersecurity on Business Value 28:56 Clearwater's Role in Enhancing Cybersecurity 31:03 The ECRM Budget Philosophy 32:59 Maxims for Effective Cyber Risk Management 35:59 Building a Team Sport Culture in Cybersecurity 40:47 Foundational Components of ECRM 44:19 Challenges in Third-Party Risk Management 49:25 Clearwater's Journey and Future Prospects