The Missing Half of Cybersecurity: Security Management

The Missing Half of Cybersecurity: Security Management

Dejan Kosutic explains a common bias in cybersecurity: focusing on implementing controls but not managing them. Using backups as an example, he outlines why effective security requires planning (e.g., setting objectives like RPO and backup frequency), monitoring to ensure controls work in production, internal audits to verify tasks are performed, continual improvement to prevent recurring issues, and management review to escalate unresolved problems, funding needs, or rule changes. He notes these elements reflect security management practices described in ISO standards such as ISO 27001 and ISO 42001, which he argues help organizations understand how to manage security beyond implementation. He adds that security management will become increasingly important due to regulations like NIS2 and DORA, rising cybersecurity complexity, and incidents caused by overlooked details or trends. LINK FROM THE VIDEO ► What is an Information Security Management System (ISMS)? https://advisera.com/27001academy/blog/2016/05/23/information-security-management-system-isms-according-iso-27001/ [https://advisera.com/27001academy/blog/2016/05/23/information-security-management-system-isms-according-iso-27001/] * (00:00) - The Missing Half of Cybersecurity: Security Management * (00:14) - Cybersecurity implementation vs management * (02:02) - The missing piece: Security management * (02:43) - The rising importance of security management * (03:27) - Further reading

The Dangerous Illusion of Cyber Readiness | Cyber & AI Perspectives

Dejan Kosutic explains that while many companies believe they are prepared for disruptive incidents, their continuity and recovery plans alone are often insufficient. He argues that plans cannot replace missing resources such as redundant systems, properly secured backups, or replacement staff, and that unclear recovery time and data loss tolerances lead to misaligned preparations. He also notes that complex dependencies across people and systems can cause recovery steps to fail, and that real incidents create chaos where people may react irrationally. Kosutic recommends defining business continuity strategies using RTOs and RPOs, mapping dependencies across processes, systems, suppliers, and regularly exercising plans with realistic scenarios involving senior management and key suppliers, referencing frameworks like ISO 22301. LINKS FROM THE EPISODE: ► Responding to Ransomware Attack [Case Study] | Interview with Yannick Hirt | EP29 https://www.youtube.com/watch?v=V3DhNF9-wfc [https://www.youtube.com/watch?v=V3DhNF9-wfc] ► Cyber Ranges, Attack Simulations & AI: Proving Cyber Readiness | Interview with Lee Rossey | EP32 https://www.youtube.com/watch?v=zId18MlZeKM [https://www.youtube.com/watch?v=zId18MlZeKM] * (00:00) - The Dangerous Illusion of Cyber Readiness * (00:45) - Why plans alone are not enough? * (03:09) - How to build true cyber resilience * (04:21) - The real goal: Resilience

Lessons From the C-I-A Triad to Build Trustworthy AI | Cyber & AI Perspectives

Dejan Kosutic explains how cybersecurity’s CIA Triad—confidentiality, integrity, and availability—has guided risk identification, prioritization, and control selection for decades, and argues that AI governance needs a similarly clear guiding principle: trustworthiness. Citing the OECD AI Principles, the EU AI Act, and the NIST AI Risk Management Framework, he describes trustworthiness as central to broader AI adoption because AI systems are non-deterministic and can produce different outputs from the same inputs. He shows how trustworthiness can steer AI risk management by helping organizations identify risks like biased outputs, assess impact through trust and reputational damage, and choose controls such as trusted training data or human review.  LINK FROM THE EPISODE ► AI Goals and Objectives: Why is Trustworthiness Important? | AI Literacy Series https://www.youtube.com/watch?v=AnZLw9IRh4E * (00:00) - What the C-I-A Triad can teach us about AI * (00:32) - Why is the C-I-A Triad important for cybersecurity? * (02:15) - Importance of trustworthiness for AI * (03:30) - Applying cyber logic to AI * (04:56) - Addressing larger AI challenges

How Apple Uses Cybersecurity as a Competitive Advantage

Dejan Kosutic explains how cybersecurity can create a real competitive advantage and uses Apple as a key example. He notes many companies pursue ISO 27001 and similar certifications mainly for sales and market access, but questions whether certificates provide a lasting advantage since competitors can obtain them with relatively little time and money. He defines competitive advantage as having something competitors lack and find hard to replicate, illustrating this with SpaceX’s reusable rocket technology. Kosutic argues long-term advantage comes from integrating security and privacy into product design and brand, as Apple has done through features like advanced biometric authentication, built-in malware protection, and resisting government access to user data. He concludes that cybersecurity must be driven strategically, with CISO involvement in business strategy and security embedded throughout product development. LINK FROM THE EPISODE ► How to achieve sustainable competitive advantage through cybersecurity https://advisera.co/CyberSecAdvantage [https://advisera.co/CyberSecAdvantage] * (00:00) - How Apple Uses Cybersecurity as a Competitive Advantage * (00:11) - Do certificates provide a competitive advantage? * (01:01) - An example of a competitive advantage * (02:12) - How Apple uses cybersecurity? * (03:52) - What should you do?