26 July 2024

This post is to clear my mind and help move forward

I am writing this post to clear my mind and document where I was in the middle of 2024, a day before my birthday.

The last 4 months have been hard. 

There is very little happening in the market. 

B2B sales are down. 

The pipeline is dry. My days are dead.

There are tons of ideas that I have executed to improve the situation:

  1. Attending conferences to bring in new leads.
  2. Reaching out to every contact we have spoken to in the past 2 years. Anyone with whom we have had first-round meetings, demos or any type of contact made this list.
  3. Driving the inside sales team to industry-focused outreach, with a dedicated accounts list to reach into named accounts.
  4. Writing campaigns that have a tremendous open rate but zero inquiries.
  5. Continuous training for the inside sales team on phone calls, emails, and LinkedIn.
  6. Writing a ton of content on LinkedIn myself to share what I am learning (and hoping that this will spread the word and get us established as a thought leader).

Nothing has worked so far. 

The only positives have been:

  1. Increased views on LinkedIn. Some of my posts reached 6k views.
  2. Strong open rates for emails written by me. These are over 15% open rates. Some of my written emails have been used by my team, which has done well.

I have a feeling of burning out. 

However, there have been a few existing customer conversations. [I am planning to get involved deeply there.]

What do I enjoy doing the most?

My ultimate favorite thing to do throughout my career is consulting and helping customers. Specifically, working on a high-level transformation journey, where I get to study a CIO's or CISO's goals and turn them into a vision. This generally requires understanding pain points across systems, use cases, and goals. Almost like a business architect or an enterprise business architect.

The second thing I enjoy the most in my roles is consulting at a granular level. Driving initiatives and projects with my team, more like a delivery leader who can sell more and more to customers by way of delivering results and building a relationship.

None of those are happening right now. 

Existing customers are maximized and not the reason for our problems.

We cannot land new customers. 

What can happen next?

There are a few scenarios that I can see playing out. 

I have seen these play out in my head so many times. 

It is worth writing on a piece of paper (or this blog) to get them out of my system.

  1. Status quo - nothing changes for the next few weeks. After our company is merged with the acquiring company, we see an uptick in conversations and opportunities.
  2. Finding another opportunity where I move out. This is a low-possibility item, given the market is slow, there are too many layoffs, and tons of talent in the market.
  3. Finding a new customer via our inside sales efforts. All it takes is one good opportunity that can change everything. This is likely, but inside sales trends have been poor in the past 4 weeks.
  4. I get fired. Least likely, knowing my CEO. But if I were at any other place, I wouldn't be around. Most companies and leaders don't like to point things towards themselves, and it is easiest to fire others. 

My CEO understands that and also knows that I am the best in the industry with the stack of skills that I bring to the table.

To keep me from going insane, I am spending time reading good material, continuously executing email campaigns, and thinking about how we can keep our message sharp.

Apart from that, I am trying to spend time on other things outside of work (though I am unable to completely unplug).

Cheers for now.

25 June 2024

The Joys of Security Conferences

The security conferences scene is exploding...
with fluff.  Some honest talk is below. 👇

It is a bubble that may last longer than I like.

The keynotes are regurgitating high-level common sense stuff.
The solutions are generic. Vendors are desperate to speak to Prospects.

As a vendor, if you don't attend the conferences, there is this fear of missing out.

Vendors swarm executives. 
They may have access to funds. 
Not because they are thought leaders.

You realize:
  • more than half of the "Executives" showed up for free food, to build their social profiles, to skip work, or all of it.
  • most have no intention, interest, or authority to make a buying decision [irrespective of their titles].
Who is having fun at whose cost is unclear.

A clear case where selling shovels is more profitable than digging gold.

21 June 2024

How to do deep work and accomplish great things: learnings from Cal Newport

Listening to and reading Cal Newport has been refreshing. I have heard great things about his book "Deep Work" and it has been sitting on my table for a few days.

I happened to listen to a couple of his podcasts, and YouTube videos.

I also dived deeper into his book and started devouring some of the chapters. Here are some of the lessons I came out learning from the book, and I thought I would share them.


What qualifies as deep work?

It must demand brain power.

Things that are hard and need us to think, plan and engage our brains.

It must happen without distractions and context changes.

A zone where we only focus on one thing.

Why focus on deep work?

It moves the needle. It is the strategy, the big decisions, the directional ideas. These are important to our lives, helping us achieve big goals.

Shallow work is necessary as it moves things along and keeps the lights on. We need to strike the right balance based on our job or work.

Here are a few strategies Cal suggests:

  1. Know your ratio of deep vs. shallow work. Each of them is important in its own way, but be aware of what your mix is.
  2. Study your work pattern. Establish an approach that works for you. Cal outlined the following:
     Monastic approach - Focus on that one thing. Disconnecting from everything else.
     Bimodal approach - Shuttling between the two. Turn into a monastic and then return to normal. A few hours a day or a few days a week of distraction-free time.
     Rhythmic approach - Finding a secured time on a daily or rhythmic basis to work on your goals. This is shorter in comparison to the monastic or bimodal approaches. For example, 15 mins to write every day.
     Journalistic approach - Making the best use of time when you can find it. Using time emergencies to induce and complete work.
  3. Set up a space and a routine for deep work. Make it non-negotiable.
  4. Set up a ritual. It may be the desk, or the cup, or drinking coffee, or closing the door of the room. Let your brain know that it's time for work.

What are the practical tips that have helped you carry out deep work?

Finding where to go is the most difficult thing in the world

The resistance is real.

In enterprise sales, there are days when your calendar is already filled. You have meetings, proposals to finish, pricing calculations to be done, slides to review, executive summaries to write, and presentations to deliver.

But, there are days when you are faced with an empty calendar. A blank sheet of white paper.

When those days come right after a grueling work week, it's a welcome change. You relax. Organize your work. Think about strategy, improve, and prepare for the next thing.

But when these days are followed by more empty calendar days, the resistance becomes your enemy.

Breaking the rhythm becomes really difficult.

It becomes hard to differentiate if this is temporary or permanent.

To some degree everyone faces it. 

We want our strings attached to someone or something, so they can pull us.

Having a clear direction to march towards is such a luxury. 

You are told where to go, and what to do.

But the hardest thing in the world is to put that plan together for yourself, let alone for an entire organization.


20 June 2024

Why is no one reading my posts? Or my newsletter? Or my cold emails?

The above questions have plagued me often.

This is a constant question I ask myself every few days when I notice a plateau.

In my pursuit of engagement, I turn to Twitter.

I drown in the ocean of smart writers, great hooks and threads.

They have so much to say, yet the real connection is missing. That secret sauce is often behind a sales page in the form of an ebook, a guide or a course.
A ton of them offer their highest-value product free, "only until this Friday". If only you gave them your email ID right now.


But, my question remains open.


This question is like asking

"What is the meaning of life".


There is no one answer.

Plus, it may not be worth finding the answer, but living and experiencing.
Here is what has helped me move forward every time I ask that question.

Clarity and Purpose


Why am I sending that email? Why am I writing weekly? What is the larger purpose behind it? Knowing this is important. It reminds you of your mission. Doing something without a mission can be disorienting.

Who is this for? What is in it for them?


Why should they read? It is important to continue to sharpen the persona for whom you write. It had better not be for everyone. And why? Assuming that persona and putting yourself in those shoes tells you what may be worth their time. Why should they read? Why should they get on a call? Why should they leave everything and listen to you?

Embrace a trial-and-error mindset


This is the lifeblood of anyone who works in any creative pursuit. No one knows the recipe. Heck, if there is one, it changes. People are doing a million things. So, it is important to start with a failure case in mind and adopt a trial-and-error mindset.

Simplicity of the message is a superpower


Simplicity is key. Writing in simple language. Focusing on benefits. Not blowing your own horn. Keeping the message short. Simplicity matters. Don't overcomplicate it.

Staying at it if the purpose is noble


The final piece is to pick yourself up and show up. Even when you feel like giving up, do it one more time. Remind yourself of the goal and the purpose. If the purpose is noble, stay the course.

Here are 7 powerful daily practices that have a deep impact on my work, personal life, and mindset

The biggest gains in life come from compounding, be it an investment of money, time, or building skills. The longer the time horizon, the bigger the skill you can build.

A shortcut method will not work. Here are things that give me immediate returns on invested time. I ask you to try them out and include them in your day.

7 hours of sleep

Sleep is a game changer. Our brains have neuroplasticity, which means they can change. The right sleep and nutrition can do amazing things for us. LeBron James schedules everything around 10 hrs of sleep at night. He knows sleep is at the core of peak performance.

10 glasses of water

Once you start chugging more water, you realize how dehydrated you have always been. Drinking more water gives me higher energy, reduces fatigue, and keeps me active.

Write to untangle your head

I have been guilty of not being regular. The days I write are calmer. Writing down first thing, or in the first hours of the morning, helps me untangle my mind and reduce anxiety. My tip is not to write with a pre-set format or prompts. Write as your head wants. Keep it open-ended. The mind will clear itself.

Exercise to change your state

Exercise is amazing. It has one of the fastest ROIs. You don't need to run a marathon or deadlift 500 pounds to get benefits. A few mins of sprinting can fire you up. Tony Robbins says, change your state to change your mindset and strategy. Something that raises your heartbeat and gets blood pumping can do wonders for our mental state.

2 to 5 mins of Deep Breathing

2 to 5 mins of deep breathing can clear your head. The extra oxygen helps calm the body and reset the monkey mind. I usually do this a few times a day, and it feels incredible.

5 mins of Meditation

Sitting down and meditating is a game changer. My personal practice is not to use any chants. I sit down with my thoughts. 10 mins of meditation have great benefits throughout the day.

Fasting for 16 hrs

I have been intermittent fasting now for over a year. I eat my first meal at 12:30 and my dinner at 7:45 pm. The mornings are for chugging water and coffee. This has been great for me. It has delivered an ROI in reducing weight and making me fitter, more active, and more attentive compared to my old self.


That's it.
What are your favorite activities? The ones that have a quick return on time investment in improving your days?

Controlling what is controllable in enterprise sales

Everyone wants to get the sales, bring in more customers, and add revenue.

Every leader wants results.

Outcomes matter. But, are they in anyone’s control?

Spending any type of money, talent or any resources can’t guarantee results.

They can increase your probability.

So, why don't leaders and the community start focusing on the process?

What is in their control?

What can they influence?

It’s the effort. The method. The process.

Every leader that asks for results, or wants to deliver outcomes should focus on the quality and direction of the effort.

A strong focused effort will always yield results.

But focusing on outcomes only means results will elude you.

The outcome-focused culture only breeds frustration, anxiety and the revolving-door policies that a lot of companies in the US are famous for. 

If the sales resources/leaders don't bring in revenue, lay the team off, hire a new one and start again.

That needs to stop.

18 June 2024

Notes from the book - Extreme Ownership

This is a solid book. You must have read a lot of the principles in various books. What makes it special is the storyline, and the lessons learned from SEAL training and war experiences.

The book has 12 chapters around 12 key principles.

Every chapter starts with an anecdote from a war experience.

That is followed by an explanation of the principle,

and then by the "application to business" section.

This is another way to read the book if you wish to skip the war experience storytelling.

I particularly found application to business helpful.

Here is what I learned from it.

  1. Extreme ownership - acknowledge mistakes, don't blame others. It is about leading the team to success.
  2. There are no bad teams, only bad leaders. Extreme Ownership means taking full responsibility for projects, teams, and outcomes.
  3. It is not what you preach, it's what you tolerate. Focus on quality and performance. Set benchmarks. Iterate until teams achieve those, and provide support to make them happen.
  4. Believing in the cause and spreading the 'why'. Understanding why something is being done helps teams persevere through challenges.
  5. Team and mission should always be above ego. Operating with a high degree of humility is important for leaders and teams.
  6. Success is always a shared goal. It comes from understanding the end goal and the role everyone has to play to get there.
  7. Complexity compounds every problem. Keeping things simple and concise is important. This applies to communication, protocols, expectations, goals, and everything else.
  8. Focus and execute. Determine the highest-priority tasks and execute them. It helps not to lose focus or get lost in the details. Communicate priorities. Ask for inputs. Then go solve them and execute. Repeat the process.
  9. Set up decentralized command. Set up boundaries and, within those, let everyone make decisions and experiment. It is important for leaders to step back and have a bigger and broader point of view.
  10. Planning is the most critical part of executing any mission. Even more important is the post-mission brief. It is critical to reflect and learn. Consider that your own feedback loop. The purpose of the plan and its objectives should be clear to all the folks responsible for executing it.
  11. Leading up and down the chain. The big picture should always be understood by the team. Leaders and teams must understand each other's roles. They are always working to achieve a common goal. Take responsibility for leading everyone, be it superiors, juniors or peers.
  12. Leaders must act decisively amid uncertainty, based on available information. The picture is never complete or perfect, and 100% of the data is never available.

The 90-day notice period: why a dangerous bubble is building in the Indian IT industry

The Great Resignation gets a lot of attention. But, due to the talent crunch, its flip side is companies throwing absurd amounts of money at retaining and attracting new talent. In a competitive market like India, IT talent with niche skills gets 3 to 5 offers each. Candidates use these offers to trade for better packages. Here is why I am happy about it, and also alarmed by this trend.

  1. Apart from a few organizations pushing people to return to the office, access to talent has flattened. You could work from anywhere and deliver the goods. The value of good talent has gone up.
  2. Any biased arrangement eventually fails. The Indian IT industry has been running the practice of a 2 to 3 month notice period. It is an attempt to strangle talent, of course, making new hiring even more painful. Due to this, engineers have realized their value appreciates every day while they are on their notice period. They are taking full advantage of it.
  3. Hiring companies splurge on an engineer who has a 15-day notice period vs. 90 days. It gives them an edge in fulfilling a requirement for a customer.

I am happy for the IT engineering community to take full advantage of the potential. I won't take the high moral ground here, because the industry leaders and companies have not set a great example.

However, I see a major downside to this trend:

  1. The flattening of the world is squeezing the contracts. Customers are not paying more. Margins are not going up. Money splurged by the hiring companies will come from these diminishing margins and bottom lines.
  2. Business is not sustainable if the cost of doing business becomes higher than the value it creates.
  3. It is commendable to pocket a great package after negotiating several offers, but it may come with a risk. Companies that are today involved in bidding wars may become unstable tomorrow. Companies would resort to cutting staff the moment they are unable to meet revenue and margin targets. This is setting up an approach of hiring and firing for business needs.
  4. The strongest offers don't mean cutting-edge or the most exciting projects.
  5. Wealth creation happens on sustained long-term bets. The short-term uptick from negotiations won't help.

Companies should make policy changes to notice periods. Our next progression will come from automation and building a gig culture, not from trying to retain talent by these unscrupulous methods.

17 June 2024

I cut my 7 meals a day down to 2 and I am not going back

For the past month and a half, I've been eating two times a day. The experience has been liberating. In this post, I share my experience and some of my learnings through this change. The outcome has been great, and I am not going back.

Daily routine before I made the change

  • Start of the day: a cup of tea + 2 biscuits
  • Breakfast @ 9: 3 eggs or oats. A couple of toasts of bread with peanut butter.
  • Snack @ 11:30: granola bars, fruits, junk sometimes.
  • Lunch @ 1: typical Indian lunch - vegetables, curry, and a couple of roti (bread)
  • Snack @ 3:30: granola bar
  • Tea time @ 5:30-6: some small food serving.
  • 7:00-7:30: I would have a protein shake with water and a spoon of peanut butter after getting back from the gym.
  • Dinner @ 8:30: vegetables, curry with roti.
  • Late-night snack (occasionally).
  • Four cups of tea. 2% milk, sugar.
  • One cup of coffee. Pour-over, black, no sugar.

What changed?

  • I eat two times a day.
  • My first meal is at 1 p.m.
  • My second & last meal is around 7:30 p.m.
  • I drink a lot of water.
  • Three cups of tea. One cup of coffee. No sugar.
  • I don't drink any liquor.
  • No snacking. No binging.
  • I read and learn about insulin and how the body produces and stores energy/fat.

Observations in the past 45 days

  • I am much more attentive throughout the day.
  • No effect or impact on my way of training or resistance training.
  • No negative effect on my work routine.

This change showed me how much wasteful eating I was indulging in. It can't have been useful to my body, since what I am operating on now is far more efficient.

How do you make a shift?

  1. The first barrier is to make a mental shift. There is an adaptation in unlearning eating patterns and shifting over to fasting.
  2. The image of feasting and fasting has been impactful on me. That is how humans have lived for millions of years as a species. We should not be snacking all day.
  3. Start slow.
  4. If 18 hrs of fasting is not an enticing idea, reduce the number of times you eat.
  5. Give a minimum of 4 hrs gap in between meals. Let the body digest what it has gotten, and not always be in catch-up mode.

This has been a great experience.

Fast forward a year from writing this post: I documented 7 daily practices that have impacted my life and work in a powerful way.

I found the following videos and doctors to be mentors on these subjects.


16 June 2024

10 work ethic traits we can learn from Ravish Kumar



If you listen to Indian news, you have heard about Ravish Kumar of NDTV. It does not matter if you like or dislike him, or agree with his style or not. You cannot ignore him.

I highlight ten traits we can learn from him and apply to whatever you and I are doing. These are also, in my view, the reasons why Ravish continues to be visible and appreciated.

  1. Detailed - Ravish's reporting and analysis is impeccably and sometimes painfully detailed. He comes with specific clauses and snippets from government websites, international press, and sources. On issues like jobs and immigrants, Ravish has built a massive library of reporting work.
  2. Find a new viewpoint - Ravish is a good storyteller. However, his genius lies in finding a fresh point of view when everyone is focused on one viewpoint.
  3. Use facts and background - Ravish leverages facts and data points heavily. He presents facts instead of using emotions to create impact.
  4. Leverage the community - Ravish is seen quoting and leveraging other experts in the community. He shares good work from various reporters and organizations outside of NDTV.
  5. Give credit - He often credits his colleagues, reporters, cameramen, and the broader community for their contributions. He is regularly seen recommending good books and reports.
  6. Focus on substance - He doesn't indulge in bickering around the issues. He focuses on substance. He dives deep into long-tail subjects.
  7. Keep things simple - His reporting style, studio setup, etc. are super simple.
  8. Keep it calm - He doesn't invite 20 people to the panel. He doesn't shout. He is not animated and doesn't raise his voice.
  9. Show up every day - He shows up every day with detailed work, day after day. It is visible in his reports. He proves there are no shortcuts to doing great work.
  10. Sarcasm - He is highly sarcastic and uses it to wake up listeners.


What did you think of these 10 points? Share in the comments.


Ravish Kumar's book


15 June 2024

What is the likelihood of a cyber security incident? [A better metric instead]

Cyber security has been a hot topic for the past few years.

It will be discussed even more in the coming days as cyberattacks increase. I have always thought about how cool it would be to predict the likelihood of an event. I used that lens to understand what helps ascertain the likelihood of cyber security incidents.

I have tried to cover those findings here. You will learn about the factors influencing the likelihood of a cyber security incident, and about a more suitable metric. Read on.


Most of the cyber security stats play to the innate fears of people.

Everyone talks about the sky falling. Every statistic amplifies it.

Here are some examples:

  • There is an estimated cyber attack every 39 seconds. (University of Maryland)
  • Cyber crimes have increased 600% due to COVID-19.
  • macOS malware is up by 165% in 2021.
  • Ransomware attacks have risen by 350% and are estimated to cost $6 trillion in 2021.
  • The average cost of a data breach is $8.19 million/breach.

These stats scare the executives who worry for their business. 🤯 These stats help consulting companies sell better. 🤑

While it is not a fluke that cyber attacks have increased manifold and even state-sponsored attacks have gone up in number, where is the balance?

How should an executive responsible for cyber security take action?

There are three main approaches:

Identifying vulnerabilities in the systems

Focusing on vulnerabilities was a common approach for years. It gives a good idea of the gaping holes in enterprises. Engineering teams go into customer ecosystems, study them, and compare against best practices and frameworks (NIST), policies, patches, and guidelines. It is highly comparative, against a certain baseline suited to the organization and its maturity level. There are several tools to scan and identify vulnerabilities across network, cloud, data, identity, and access management. Typically in these reports, the engineers can also guide how severe these gaps are. As you will see, the approach is not very effective by itself.

Understanding the likelihood of cyber security events

Security professionals have gone after identifying the likelihood for a while. Modern risk modeling takes that into account. But the truth remains: predicting likelihood is a really hard task. Models can be heavily skewed by the quality of the data. Moreover, significant training and a feedback loop are required to train the models for accurate predictions. Then there are external factors like intelligence from security providers, trends in the market or industries, geolocation data, certain patterns of exploitation, etc. An accurate likelihood prediction must take those into account and spit out something useful.
So, while it is a cool metric to chase down, it is a complex task to get to prediction.

A better metric - impact

How would you feel if we tagged an event with a very high likelihood but no or minimal business impact?

It changes the whole scenario, doesn't it?

The outcome, or the impact, is a far superior and more actionable metric.

Rather than being afraid of the statistics, it is far more helpful to contextualize threats and vulnerabilities for your business.

Furthermore, a business can draw worst-case scenarios and conduct exercises to see their level of preparation in dealing with those scenarios.

It forces you to consider:

  1. What is the impact on our business of this scenario playing out in real life?
  2. Is there a financial risk with this scenario?
  3. Is there a business disruption?
  4. Is there an impact on our shareholder value? Our partners?
  5. How do we recover?
  6. How soon can we recover?

When you connect vulnerabilities, likelihood, and impact, the activity becomes actionable and measurable. A better picture emerges.

It forces you to focus on the top priority items.

Order of Priorities for taking action

Priority 1: Very high or high impact items with an imminent or high degree of likelihood

Priority 2: Very high or high impact items with a medium to low degree of likelihood

Priority 3: Low impact items with an imminent, very high, or low degree of likelihood

The senior leadership can tie investments to these actions and priorities.
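The scenario questions and the priority order above can be turned into a small, repeatable ranking. The code below is an added example, not the post's own method: it encodes the rule that impact outranks likelihood (a high-likelihood, low-impact phishing scenario lands below a low-likelihood, very-high-impact ransomware scenario) and breaks ties inside a tier by impact, likelihood and recovery time. The scenario names, ratings and recovery times are constructed sample input.

```python
"""Rank worst-case scenarios by business impact first, likelihood second.

Added example (not the original post's code). Ratings use the post's own
labels; the scenarios below are constructed sample input for an exercise.
"""
from dataclasses import dataclass

# Ordinal scales; a higher index means a worse rating. Labels follow the post.
IMPACT = ["low", "medium", "high", "very high"]
LIKELIHOOD = ["low", "medium", "high", "imminent"]


@dataclass
class Scenario:
    name: str
    impact: str                 # one of IMPACT
    likelihood: str             # one of LIKELIHOOD
    financial_risk_usd: int     # "Is there a financial risk with this scenario?"
    disruption: bool            # "Is there a business disruption?"
    recovery_hours: float       # "How soon can we recover?"

    def __post_init__(self) -> None:
        # Reject ratings outside the two scales so a typo cannot silently
        # sink a scenario to the bottom of the list.
        if self.impact not in IMPACT or self.likelihood not in LIKELIHOOD:
            raise ValueError(f"bad rating for scenario {self.name!r}")


def priority(s: Scenario) -> int:
    """Map a scenario to the post's three priority tiers (1 is most urgent)."""
    high_impact = s.impact in ("high", "very high")
    high_likelihood = s.likelihood in ("high", "imminent")
    if high_impact and high_likelihood:
        return 1          # Priority 1: high impact, imminent/high likelihood
    if high_impact:
        return 2          # Priority 2: high impact, medium/low likelihood
    return 3              # Priority 3: low/medium impact, any likelihood


def rank(scenarios: list[Scenario]) -> list[Scenario]:
    """Order scenarios: tier first, then worse impact, worse likelihood,
    and longer recovery time, so the list reads top-down as a work queue."""
    return sorted(
        scenarios,
        key=lambda s: (
            priority(s),
            -IMPACT.index(s.impact),
            -LIKELIHOOD.index(s.likelihood),
            -s.recovery_hours,
        ),
    )


# Constructed sample scenarios for a tabletop exercise (not real data).
SAMPLE = [
    Scenario("Phishing click on a marketing mailbox", "low", "imminent", 5_000, False, 2),
    Scenario("Ransomware on the ERP cluster", "very high", "medium", 4_000_000, True, 72),
    Scenario("Leaked API key for a staging environment", "medium", "high", 20_000, False, 4),
    Scenario("Payment gateway credential theft", "high", "high", 1_500_000, True, 24),
]

if __name__ == "__main__":
    for s in rank(SAMPLE):
        print(f"P{priority(s)}  impact={s.impact:<9} likelihood={s.likelihood:<8} {s.name}")
```

Note that the ERP ransomware scenario outranks the staging key leak and the phishing click even though both of those are more likely, which is exactly the reordering the post argues for.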

Parting thoughts

Enterprises should focus on business impact and not just on vulnerabilities and threats. Enterprises must use assumed likelihood to draw worst-case scenarios. Instead of focusing on the negative sentiment in the broader market, it is more valuable to contextualize these threats and build resilience into the business by preparing for the worst-case scenarios.

Behind the Scenes | Brainstorming


14 June 2024

Cyber Security Opportunities and Ideas: A long list for a better 2022 and beyond

Should you beef up the cyber insurance? Should you invest in tools? Should you train your staff? Should you focus on monitoring and quick responses? Security initiatives, like any other program, get a finite budget. On the other hand, the threat landscape is constantly evolving. Executives also know there are no silver bullets out there.

In 2022 and the coming years, executives will need to rely on the lens of people, process and technology to find holistic solutions for firming up their cyber security programs. We would have already solved it if it were just a technology or tool problem.

So, I have put up this long list of top items for your holiday reading. This list is a mix of philosophies, best practices, and advice based on lessons learned from 2021.

I have put these in bite-sized bullets for digestion.

These should act as reminders.

These may guide new ways to build security programs.

As always, I would love to hear from you about your experiences. Enjoy the read.

  1. Being compliant does not mean being secure. Compliance does not reduce your attack surface.
  2. Investments in Cyber Security do not equal buying insurance. Instead, It is investing in accelerating your transformation.
  3. CEOs want to see ROI correlation to security investments. Cyber Security Executives should use metrics like improvement in business productivity, time to market when thinking about their initiatives, and the impact those have on the broader organization. Cyber Security can not be about keeping you safe. It should be about moving you forward. (Does your new patching solution reduce the need for system downtime? What were the savings in productive hours? for how many people? )
  4. Every security conversation should not lead towards adding more tools. If anything, organizations have too many tools.
  5. Knowing your current posture and Cyber Security blind spots is more valuable than it is realized. Successful & secure companies are proactive.
  6. Organizations that treat cyber security as being as crucial as performance or quality will continue to do well. The rest will learn those lessons the hard way: a pile of technical debt to cover security issues, expensive re-designs, hacks & breaches.
  7. People remain (and have always been) the most crucial asset. They will also continue to be the weakest link on the cyber security front. Investing in people and creating a cyber security culture will pay for itself.
  8. Cloud has made enterprises inherently more secure. But remember, everyone carrying a smartphone doesn’t automatically become smart. Adapting & applying cyber security to your organization and your industry's standards is key.
  9. The threat landscape is ever-changing. Bad actors need to be right once. You need to be right every time. Of course, the equation is set up against you. The only way is to stay on top of the game and as far ahead as possible.
  10. Identify your organizational crown jewels. They must be secured and audited. But a mechanism to recover & restore them in case of a breach will differentiate men from boys. (Accenture is a great recent example: they were able to recover & move on quickly.)
  11. While evaluating products, cyber teams focus too much on features. 80-85% of those will seldom be in use, be it our car, mobile phone, enterprise tool, or software. A security executive must focus on the essential objective & solve it. Think: business capability matrix.
  12. No organization is immune to attack. 80% of enterprises suffered a security incident in the 12 months spanning 2020/21.
  13. About 45% of organizations are not equipped to meet the cyber security challenges. At least 50% of organizations waste significant time investigating low-level alerts and getting lost in the noise.
  14. Half of SMB organizations lack the right tools to detect, isolate, respond to and clean up cyber threats. Moreover, massive integration gaps exist within the organizations that do have the required tools.
  15. I am seeing almost every company taking out cyber liability insurance. However, about 50% of organizations would not know when to engage the legal team when an incident takes place. Is an intrusion taking place? Should legal be engaged upfront or post-containment? Most organizations do not have a runbook for engaging their legal counsel, or operating procedures for such cases.
  16. People directly in charge of an asset know everything is penetrable. They focus on investing in cyber-attack resilience. Those who gloat about their security programs are mostly not responsible for any asset.
  17. "Return to office date is history". "Omicron may turn into an endemic in 2024". These articles & deep dives confirm: remote work is here to stay. It is high time organizations focused on improving endpoint visibility for employees & associates. For the past 2 years, 55% of executives have been concerned about endpoint security and lack of visibility.
  18. Elapsed time to identify, remediate and contain a threat is critical. In today's day & age, automation in incident management, threat detection, and threat containment is crucial. It is not humanly possible to make a decision by manually sifting through logs from hundreds of devices & systems, which may run to GBs.
  19. A considerable number of enterprises with investments in incident management tools may still lack a disaster recovery plan and incident responsiveness. While companies use NIST- and MITRE-based frameworks, fewer than 40% of companies conduct incident response exercises.
  20. Enterprises across the board are reeling from talent management challenges. Finding security talent was already a challenge, but with the Great Resignation of 2021, talent retention has become a headache. Re-skilling your people and leveraging a robust partner ecosystem will be necessary in 2022.
  21. Operational disruption (60%) and sensitive data compromise or loss (64% of enterprises) top the list of damage from a cyber security intrusion.*
  22. Executives from mid-size organizations seem most concerned about losing sensitive data. At larger organizations, executives are most anxious about the revenue impact of a cyber attack.
  23. Some of the best tools for identification, detection and isolation rely on interconnection to communicate, exchange information, and recognize patterns. Lack of integration among tools & systems continues to be low-hanging fruit for executives in 2022 looking to gain rapid mileage from existing investments.
  24. Enterprises invest in purpose-driven tools. New tools get acquired as the goalposts or the leadership change. With time, tools overlap and silos build up. These tools can be studied & rationalized; often this unlocks a significant reduction in license & maintenance spend.
  25. It is incredible how many organizations invest in expensive security tools but do not have MFA enabled. 45% of compromises still originate from password compromises. Get it done. Now.
  26. Businesses are well versed in tracking traditional risks like delayed projects, cost overruns, or business impacts. However, they also need to consider risks originating from digital transformations. Think about risks associated with PII data, its movement, laws governing data storage, privacy laws, etc. Data and its associated risks are a new frontier in themselves.
  27. Inherent biases in an application, or data quality issues, can lead AI applications to misguide organizational focus. These can also expose companies to new risks.
  28. Gartner predicts that in 2 years, privacy laws will cover 75% of the population. With GDPR, CCPA, and more laws in the making, the grip on consumers’ data and privacy will continue to get tighter & more complex. So CISOs and leaders need to advance and automate their privacy management systems. They need to ensure a process to capture, scrub or remove data if requested by their customers or readers.
  29. Gartner also made a startling prediction: by 2025 threat actors will weaponize technology environments. We are already seeing signs of it. Oil and gas, utilities, school districts and water utilities do not hold consumers' PII data alone; the population's daily lives depend upon these utilities/service providers. Hence it's essential now to prepare for ramped-up cyberattacks on these spaces in the coming years. They will not come for the consumer data you have, but weaponize your facilities against the customers you serve.
  30. A significant number of McKinsey's surveyed companies (48%) reported "being able to identify the risk" as their biggest challenge with digital and analytics risks. If you cannot identify or measure the risk, it is hard to manage or plan for it.
  31. The majority of companies approach their assets first, then study the security controls around those assets, and then work on how to fill the gaps and add procedures and tools. It is time the conversation became business-focused instead. What are the business crown jewels? What type of disruption is non-negotiable? What is the organization's risk appetite? It is a much more approachable problem to solve when the focus is turned upside down. Once those questions can be answered, focusing on security controls and tools becomes more meaningful.
  32. It's time to define a data-driven approach to cyber risk assessments. Being able to associate $ values with risks and their likelihood is important to convey the risk and move the business into action. It will also guide security budgets: "Where should we invest first?". Leaders can prioritize and ask 'what level of financial risk is the organization ready to take?'
  33. Communication is the key to garnering attention and improving cyber security within an organization. Cyber security is top of mind for CEOs/boards. However, their focus is often on aspects like shareholder value, business growth & competitive edge. Reporting on traffic lights (red, yellow, green) won't convey the context and meaning of the actual risk to the organization versus business KPIs. Communication must be in the business language. A tool implementation, a current list of vulnerabilities and technical details, or a technical roadmap will fog the actual impact or risk to the organization. It will also confuse non-technical boards/CEOs, who will be unable to get to the crux of the matter.
  34. If, as an investor, I know you (your company) have the right cyber security practices in place, would you not become a better company to invest in? Am I willing to see erosion in share price due to an overnight cyber-attack that stuns the enterprise? The SEC is already working on a cyber disclosure policy in this regard.
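Points 32 and 33 in code, as an added example that is not part of the post: a small risk register that turns each risk into an expected annual loss (single-loss estimate times yearly likelihood), ranks candidate controls by loss removed per dollar, and reports the residual loss in dollars to hold against the organization's risk appetite. All risk names, control names and figures are constructed assumptions.

```python
# Added example (not from the post): a dollar-based cyber risk register in the
# SLE x ARO style, used to rank candidate controls by loss removed per dollar.
# Every name and figure below is constructed for illustration.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Risk:
    name: str
    single_loss_usd: float  # estimated loss if the event happens once (SLE)
    annual_rate: float      # expected occurrences per year (ARO, the likelihood)

    @property
    def annual_loss_usd(self) -> float:
        return self.single_loss_usd * self.annual_rate  # annualized loss expectancy

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost_usd: float
    reduces: dict = field(default_factory=dict)  # risk name -> fraction of its annual loss removed

def loss_reduction_usd(control: Control, risks: list[Risk]) -> float:
    """Expected annual loss the control removes across the register."""
    by_name = {r.name: r for r in risks}
    return sum(by_name[n].annual_loss_usd * f for n, f in control.reduces.items() if n in by_name)

def rank_controls(controls: list[Control], risks: list[Risk]) -> list[tuple[str, float, float]]:
    """(control, annual loss removed, loss removed per $ spent), best value first."""
    rows = [(c.name, loss_reduction_usd(c, risks), loss_reduction_usd(c, risks) / c.annual_cost_usd)
            for c in controls]
    return sorted(rows, key=lambda row: row[2], reverse=True)

def residual_loss_usd(controls: list[Control], risks: list[Risk]) -> float:
    """Expected annual loss left with the chosen controls, to hold against the risk appetite."""
    total = 0.0
    for r in risks:
        remaining = 1.0
        for c in controls:  # overlapping controls compound instead of double-counting
            remaining *= 1.0 - c.reduces.get(r.name, 0.0)
        total += r.annual_loss_usd * remaining
    return total

# Constructed register: three risks (name, SLE, ARO) and three candidate investments.
RISKS = [Risk("ransomware", 2_000_000, 0.2),          # halts order processing
         Risk("account takeover", 150_000, 2.0),      # reused passwords, no MFA
         Risk("pii exposure", 800_000, 0.25)]         # misconfigured cloud storage
CONTROLS = [Control("MFA on all workforce logins", 60_000, {"account takeover": 0.9, "ransomware": 0.4}),
            Control("immutable backups with recovery drills", 120_000, {"ransomware": 0.5}),
            Control("cloud storage posture monitoring", 40_000, {"pii exposure": 0.7})]
```

For this constructed register, MFA ranks first at roughly $7 of expected loss removed per dollar spent, and the residual expected loss with all three controls in place falls from $900,000 to $210,000 a year, which is the kind of figure a board can weigh against a business KPI.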

References: The above insights have been gained from tons of reading material over the past 3 months and from experiences with customers. I am quoting notable links that are a constant source of knowledge.

  • https://www.garp.org/garp-risk-institute
  • https://www.mckinsey.com/business-functions/risk-and-resilience/our-insights
  • https://www.wsj.com/news/cio-journal