Companies' cultures need to change. You need to become concerned about every new piece of software, every new connection and every new piece of data -- whether or not you're required by law to care. If some piece of software doesn't contribute to your core business, don't allow it. If some new Internet-connected service isn't part of your mission,

There are parallels here to information security, or any central risk function, in terms of thinking who your customers are. Is it the shareholders (and Board as their representatives) to reduce the risk of losses? Is it executive management both for loss reduction as well as enabling and supporting business growth or mission success? Or is it the

the third and most exciting piece of his framework is something he thinks most cybersecurity people don't focus on: embracing compassion while providing guidance.