Welcome!

Our company's name is based on our founder Chirag's books that provided thoughts, ideas and actionable advice that have helped organisations and leaders all over the world  find a smarter way to be cyber secure. This thought leadership has led to the creation of the 7 Rules Cyber framework.

The 7 Rules Cyber Framework can be summarised as below: 

Rule 1: Develop a Business-Aligned Mindset

Cyber Security exists to enable business. After all, without the business of an organisation, there is no need for a security function. Therefore, understanding your business is the key to developing appropriate context and prioritisation for your security efforts. Effectively understanding key business processes, products and objectives are vital to building and validating critical asset list of crown jewels for the organisation. These then help to scope security controls and implement proportionate and reasonable measures. Practical advice is to follow the money. Understand what brings in the revenue and constitute critical services for your organisation. Engaging with business stakeholders effectively will enable you to accomplish this.

The nature of the business can also help inform the relative importance of the confidentiality, integrity, and availability triad. For example, confidentiality might be a higher priority for IT and digital systems, while availability might be a greater priority for operational technology, OT, systems.

Rule 2: Recognise that Cyber Security is a Risk Management Exercise

Cyber Security is fundamentally about managing risks. Furthermore, Cyber Security is not just a technical risk, it is a business risk and the approach to any control – technical, operational or policy needs to reflect the business risk appetite and context clearly. The language of risk and finances is what resonates with senior business stakeholders. Developing an understanding of key assets through Rule 1 serves as input for effective risk analysis through appropriate threat and impact consideration. The goal is to build a defensible cyber risk program, and decisions. Sensible adoption of cyber risk quantification techniques can also play a key role in informed decision-making.

Rule 3: Measure It

Effective metrics and measurements are key to demonstrating progress and challenges to ensure adequate management. However, metrics must be tailored to the right audience. Highly operational metrics such as number of vulnerabilities do not resonate with boards and senior leadership. They need to be aligned to critical business applications with clarity of impact and maturity. For example, a good strategic metric could be a percentage of critical internet-facing applications that have critical patches applied in a timely manner. If this critical application is a key payments platform, there is a material implication on cash flow, which, when quantified, can offer useful insights to leadership. Approach to good measurements should account for both leading and lagging indicators.

Rule 4: Address the Human Factor

With majority of incidents and breaches exploiting the human factor, it is clear that cyber security is a human issue at its core. Furthermore, technology exists for and by humans. Relying on the fear to influence human behaviour and embed secure practices is not an effective strategy. We need to align our cyber message and controls to aspirational aspects such as business goals and personal safety. Leveraging effective gamification, humour, and positive competition e.g., leaderboards can be really useful to influence secure behaviours. It is useful to recognise that human instinct is to resist change because change introduces the unknown. Effective engagement and change management can address this resistance and promote adoption of security controls.

Rule 5: Understand the Design and Execution of Cyber Security

Cyber Security controls need to be applied with consideration of business and technology strategies along with relevant threats and compliance obligations. Security domains such as network security, endpoint protection, identity and access management, etc. do not exist in isolation. They need to be accounted for in the overall enterprise security architecture and control framework that informs their design and applicability. Defined security architecture principles can also guide the selection and implementation of the right tools and technologies to manage risks. Factors such as clarity of sourcing and operating models (including roles and responsibilities), along with sequencing and prioritisation of initiatives, enable ongoing efficacy of security controls.

Rule 6: Master the Art of Differentiating Skills

Differentiating skills such as emotional intelligence, presenting actionable options succinctly, effective communication and storytelling play a vital role in building trust within an organisation and enabling professional excellence. Emotional intelligence plays an effective role where you can read the room and empathise with stakeholders regarding their concerns. Just presenting technical reports to a business audience will not get sufficient buy-in. This is where contextualising information in simple terms with a mindset of active listening can really help achieve the right outcome.

Rule 7: Build an Authentic Brand

Your security function should build a brand that is grounded in being a trusted advisor to the business. Ongoing effective engagement through various organisational channels and a pragmatic mindset will solidify your team’s brand. This will also help achieve executive buy-in and support for your initiatives to improve the security posture. Purposeful networking and actions to inform, educate and enable your organisation on various aspects of security considerations will put you in good stead. Ensure you celebrate and promote wins – no matter how small. Every win inspires confidence and is a step on the ongoing journey of cyber security improvement.

Our founder Chirag D Joshi is a multi-award winning CISO with extensive experience of building and leading cyber security functions in multiple countries across various industries including financial services, energy, higher education, and government. Through his work in these large organisations, he has enabled their cyber security maturity and consequently contributed to a collective cyber resilience of the sectors. The success of these programs was a result of the unyielding focus on business priorities, a pragmatic approach to cyber threats, and, most importantly, effective stakeholder engagement. Chirag has held senior leadership positions in large, complex organisations and excels at the art of translating business and technical speak in a manner that optimises value. He has led teams, managed multi-million-dollar budgets and transformation programs. He has experience in both IT and Operational Technology (OT) environments, and leading cyber security through mergers and acquisitions. 

Chirag knows what it takes to actually build and run successful programs working with senior business executives, boards, and technology teams. His record of performance and competence speaks for itself. He is the author of the two bestselling books – “7 Rules to Become Exceptional at Cyber Security” and “7 Rules to Influence Behaviour and Win at Cyber Security Awareness" which have been purchased in several countries across the world. He is featured in the prestigious CSO30 list of top 30 cyber security executives in Australia. He was also recognised as a finalist for the Australian Cyber Security Professional of the Year Award in 2022 and 2020. 

As a well-known keynote speaker, Chirag continues to exhibit thought leadership in the industry through presenting at numerous events, conferences, and forums globally on varied topics such as bridging the gap between cyber security and business, strengthening the human factor in cyber security, building effective cyber strategies, and addressing the evolving cyber threat and risk landscape. He is always looking to find new approaches to address various challenges facing the cyber security community. More recently he has spoken on addressing pressing issues related to culture, mental health, and wellbeing that impacts cyber security professionals. He has provided practical, tangible steps that professionals can take to be more proactive in engaging the business effectively to secure their organisations while alleviating stress and burnout.

Through Chirag’s podcast series titled “The Art of Cyber Security”, he is collaborating with various industry experts globally to provide valuable insights into the essential aspects of cyber security leadership such as effective communication, storytelling, strategic career growth, entrepreneurship, journalism, law, and adapting to changing demographics. 

Chirag has worked with several leading industry bodies such as Standards Australia to enable knowledge sharing and quality outcomes. He continues to serve as a Board Director for ISACA Sydney where he is focussed on improving professional development of the membership, providing thought leadership, and encouraging new diverse voices to present and be confident in sharing their expertise more broadly. ISACA is a global association of cyber security, audit, and risk management professionals with presence in over 180 countries.

Chirag places a massive emphasis on adoption of a growth mindset and continuous learning. This has led him to acquire several industry certifications including CISA, CISM, CRISC, and CDPSE. Being very active and visible on platforms such as LinkedIn, he routinely engages with professionals across the world.

Chirag has extensive experience with a wide range of standards, frameworks, and regulations, including NIST Cyber Security Framework, APRA CPS 234, Australian Energy Sector Cyber Security Framework (AESCSF), ACSC Essential Eight, SOC 2, PCI DSS, Health Insurance Portability and Accountability Act (HIPAA) and ISO 27001/2.countability Act (HIPAA) and ISO 27001/2.