Sign up to save your podcasts
Or
Share Smarter Cyber Strategy with Leonard McAuliffe
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Smarter Cyber Strategy with Leonard McAuliffe
This episode focuses on what real cyber strategy looks like versus the outdated “framework + gap analysis” approach. Leonard McAuliffe PWC explains that most organizations confuse activity with strategy focusing on compliance, maturity scores, and annual plans instead of aligning cybersecurity to actual business risk.
The conversation reframes cyber strategy as a business-aligned, risk-driven, continuously evolving discipline. It emphasizes understanding stakeholder priorities, mapping real threats to controls, and treating strategy as a living system that adapts to AI, geopolitics, and changing attack surfaces.
Takeaways:
1. Most “Cyber Strategies” Aren’t Strategies
- They’re annual roadmaps or compliance exercises
- Built around frameworks (NIST, ISO) instead of business risk
- Improve maturity—but don’t necessarily reduce real risk
2. Strategy Must Start With the Business
- Engage CEO, CFO, CIO, CRO—not just security teams
- Understand risk appetite and critical processes
- Align to IT, digital, and AI strategies
3. Focus on Risk → Threats → Controls (Not Maturity Scores)
- Define key cyber risks (e.g., business disruption)
- Map threat scenarios (e.g., ransomware via phishing)
- Link to controls and measure effectiveness
4. Strategy is a Living System
- Must evolve with:
- AI
- Threat intelligence
- Regulatory changes
- Business shifts
5. Prioritization = Risk + Cost Trade-Off
- You can’t do everything
- Decisions must be explicit:
- What risk are we accepting?
- What exposure remains?
6. Regulation Shouldn’t Drive Strategy
- Constantly reacting to new regs derails focus
- Instead:
- Build a strong master control framework
- Map regulations onto it
Soundbites:
- “Most cyber strategies look good on paper but don’t manage real risk.”
- “You’re improving maturity, not reducing risk.”
- “Cyber can’t operate in a bubble it has to enable the business.”
- “If you don’t fund it, you’re accepting the risk. It’s that simple.”
- “Boards don’t care about maturity levels they care about real threats.”
View all episodes
By Francis GormanThis episode focuses on what real cyber strategy looks like versus the outdated “framework + gap analysis” approach. Leonard McAuliffe PWC explains that most organizations confuse activity with strategy focusing on compliance, maturity scores, and annual plans instead of aligning cybersecurity to actual business risk.
The conversation reframes cyber strategy as a business-aligned, risk-driven, continuously evolving discipline. It emphasizes understanding stakeholder priorities, mapping real threats to controls, and treating strategy as a living system that adapts to AI, geopolitics, and changing attack surfaces.
Takeaways:
1. Most “Cyber Strategies” Aren’t Strategies
- They’re annual roadmaps or compliance exercises
- Built around frameworks (NIST, ISO) instead of business risk
- Improve maturity—but don’t necessarily reduce real risk
2. Strategy Must Start With the Business
- Engage CEO, CFO, CIO, CRO—not just security teams
- Understand risk appetite and critical processes
- Align to IT, digital, and AI strategies
3. Focus on Risk → Threats → Controls (Not Maturity Scores)
- Define key cyber risks (e.g., business disruption)
- Map threat scenarios (e.g., ransomware via phishing)
- Link to controls and measure effectiveness
4. Strategy is a Living System
- Must evolve with:
- AI
- Threat intelligence
- Regulatory changes
- Business shifts
5. Prioritization = Risk + Cost Trade-Off
- You can’t do everything
- Decisions must be explicit:
- What risk are we accepting?
- What exposure remains?
6. Regulation Shouldn’t Drive Strategy
- Constantly reacting to new regs derails focus
- Instead:
- Build a strong master control framework
- Map regulations onto it
Soundbites:
- “Most cyber strategies look good on paper but don’t manage real risk.”
- “You’re improving maturity, not reducing risk.”
- “Cyber can’t operate in a bubble it has to enable the business.”
- “If you don’t fund it, you’re accepting the risk. It’s that simple.”
- “Boards don’t care about maturity levels they care about real threats.”