In today’s dynamic business landscape, adaptability stands as a cornerstone of a company’s success. iluminr’s ‘Gamechangers in Resilience’ interview series honors influential leaders who demonstrate remarkable flexibility and resilience in both their professional endeavors and within their communities.
These outstanding individuals grow the resilience of their teams and localities in challenging times. iluminr acknowledges their remarkable achievements, shares their valuable experiences, and celebrates their relentless spirit of learning, even in the face of formidable obstacles.
October is Cybersecurity Awareness Month, a time when we focus on the critical importance of safeguarding our digital world. At iluminr, we are proud to support this initiative by highlighting the exceptional stories of cybersecurity leaders. These individuals have not only protected their organizations and communities but have also fostered an environment where innovation and growth thrive in the midst of cybersecurity challenges. Their inspiring journeys serve as a testament to the power of resilience in the realm of cybersecurity.
Cathy Miron is CEO of eSilo, a data protection and cybersecurity company. She is a speaker, trainer, and certified small business mentor helping businesses and municipal agencies prepare for cyberattacks and other IT mishaps, with the ultimate goal of minimizing the disruption they cause to your organization.
Before eSilo, Cathy spent 15 years at General Electric (GE) and worked extensively in their corporate IT audit and banking divisions before moving to GE headquarters as one of their chief technology officers.
Outside of work, Cathy is active in the South Florida business community and volunteers as a mentor for SCORE. She also serves on the Board of Directors for South Florida Tech Hub, and the Technology Advisory Committee for the 10th largest public school district in the US.
Q: Can you share your background and experience in the field of cyber resilience? What drew you to this field, and what key lessons have you learned along the way?
Cathy: I’ve been working in cyber resilience and adjacent areas since probably 2005, although, we didn’t use those words for it at the time. As a young technology auditor, I was tasked with identifying issues that could impact the confidentiality, availability, or processing integrity of large, mission critical business systems. Doing so required an evaluation of risk and the organization’s ability to prevent, detect and respond to all manner of threats, including cyber attacks and various disaster scenarios.
I was drawn to this field because on some level I’ve always had an “improvement mindset”. I look at things with a critical eye and have a knack for seeing what’s missing, or what could be done to make it faster, better, stronger, or more resilient. I like to help others make things better.
One thing I learned along the way, is the value of bringing in a fresh pair of eyes to a problem or situation. It’s the only way you get better.
Q: Your career spans a wide range of sectors, from Fortune 500 to non-profits. How do you adapt your approach to data protection, cybersecurity, and digital transformation to suit the specific needs and challenges of these diverse organizations?
Cathy: Collaborative prioritization.
One of the benefits of having such a diverse background is that I’ve seen many different organizations tackle these problems in different ways. This experience gives me an almost infinite set of ideas for how I can help my clients achieve their resilience goals, no matter the challenges they may face (resources, budget, time, complexity, etc.).
My job is to educate the client so they can make smart, risk-informed decisions about their priorities, and then help their teams to execute the work.
Q: At eSilo, you work closely with small and medium-sized business owners, CEOs, and CFOs to deploy security and data protection solutions. What are the most common misconceptions or gaps in understanding you encounter when educating these leaders about cybersecurity and data protection?
Cathy: This is such a great question.
We encounter misconceptions on an almost daily basis, and here are some of the most common ones:
Gap #1: Management believes that cybersecurity is the IT team’s responsibility (alone), and don’t understand their role in effective oversight and monitoring of the program, nor every employee’s role as the last line of defense.
Gap #2: Companies want to outsource their cybersecurity risk to vendors. They believe that because they use cloud tools, the security of their data is already somehow taken care of by the cloud provider. They’re not reading the fine print, and they’re unaware of the “shared responsibility model” that applies almost all cloud tools.
Gap #3: If a company outsources management of their daily IT needs to a 3rd party managed service provider (MSP), most don’t realize that the MSP is only actively managing a subset of the business applications, and they’re not cybersecurity, risk, or compliance experts.
Gap #4: Not all backups are created equal. And one set of backups is not enough. Anything that can happen to your primary systems can happen to your backups as well. This is why in addition to simply testing your backups periodically, you need a proper backup strategy to reduce the risk of a prolonged or incomplete recovery.
Q: What advice would you have for executives and board directors who are looking to gather essential language and perspectives for cybersecurity strategy and risk management to better carry out their oversight and leadership responsibilities?
Cathy: Seek out a Board Advisor for IT and Cybersecurity matters.
The advisor’s role is to:
a) assist the Board in its oversight of the cybersecurity program,
b) provide Board cybersecurity training,
c) keep the Board informed of relevant cybersecurity risks and developments. The advisor can also assist in finding an independent auditor or assessor to provide an objective 3rd party review of the firm’s IT risks and controls.
Q: How do you prioritize which areas to focus on in a rapidly evolving field like cybersecurity and data protection?
Cathy: We respond to the changing needs of our clients, and what they ask for help with the most. Right now most of our new client work is driven by:
a) the client’s need to comply with specific industry regulations such as HIPAA or FTC Safeguards,
b) the client’s desire to achieve a comprehensive certification such as SOC2 or ISO 27001, or c) in response to a recent hack, breach, or close-call.
Some areas of focus remain critical no matter what’s happening in the world. eSilo started as an offsite backup company, and we still believe that effective, efficient backups are the cornerstone of any cyber resilience strategy.
Q: How do you approach developing a culture of security within organizations, and what are the key elements of an effective security training program?
Cathy: A culture of security starts with the tone at the top.
Senior management needs to communicate that security is a company priority and invest in good training, not just check the box training, for employees on common issues, scams and pitfalls.
Good programs require training to be done continuously throughout the year instead of only once annually, and should cover common scenarios like how to report phishing, how to avoid business email compromise and wire fraud, how to manage secure access to your accounts and so on.
To ensure a closed loop, management should track and report on cybersecurity metrics quarterly. These metrics should not just measure inputs (ex: % of staff trained) but measure results (ex: % decrease in security incidents, clicked phishes, etc)
Q: Could you highlight some unique challenges you’ve encountered when implementing data protection and cybersecurity measures in highly regulated industries?
Cathy: I have seen situations where senior management in a highly regulated industry has a hard time acknowledging and accepting where their security or compliance gaps are.
This can lead to more pushback on risks or issues raised, and increased pressure on teams to fix them immediately vs. more strategically as part of a larger improvement program.
This pressure to be “perfect” can sometimes be counterproductive and in the extreme, lead to a culture where employees fear reprisal for raising concerns.
Q: What is the leadership playbook you are writing for yourself in real time?
Cathy: This is an interesting question.
I guess I am constantly building my book of plays.
Learning new moves. Trying new players in new positions.
All with the goal of finding ways to devote more time to what I enjoy most, which is collaborating with experienced business leaders to solve their scariest business problems that involve technology.
