The role of the modern CISO: An interview with Chris Hodson

‘Leading Digital Transformation’ is a weekly podcast series produced in collaboration between The Digital Transformation People and Rob Llewellyn, digital transformation advisor and founder of CXO Transform.

During this series, Rob interviews experienced practitioners, authors and thought leaders whose stories and experiences provide valuable insights for digital transformation success.

In this episode, Rob interviews Chris Hodson, an EMEA CISO, an authority on Cyber Security and author of the new book ‘Cyber Risk Management: Prioritize Threats, Identify Vulnerabilities and Apply Controls’.

“A thoroughly enjoyable and insightful book that provides a well-rounded perspective into the interconnected world of cyber-risk management. The breadth of knowledge and the wonderful similes used to break down complex ideas show that Chris clearly knows his stuff!” (Atif Rafiq, Chief Information Security Officer, Quantexa)

Listen here and read the full transcript below.

Rob Llewellyn [00:00:00] Hi and welcome back to another episode of Leading Digital Transformation. In this episode we delve into cybersecurity and to help us do that I’m joined by Chris Hodson from the UK. Chris is an information security, data privacy and risk management leader with a background in strategy, architecture and design. He’s got 18 years of experience under his belt in the Financial, Retail, Energy and Media sectors and back in 2016, he made the move from being an end-user into the vendor space with Zscaler. Now for the past two and a half years, Chris has been operating as Zscaler’s Chief Information Security Officer for EMEA – Europe, Middle East, and Africa, and Data Protection Officer. As a CISO, he’s a trusted advisor to executives, board members and other stakeholders helping them define well-balanced strategies for managing risk and improving business outcomes. Let’s jump into the interview with Chris.

Rob Llewellyn [00:01:02] Chris, welcome.

Chris Hodson [00:01:03] Thanks, Rob. Thanks for having me.

Rob Llewellyn [00:01:04] Chris, I noticed that you published a book just a little over a month ago and I’m looking at Amazon’s page right now and the title of it is “Cyber Risk Management: Prioritize Threats, Identify Vulnerabilities and Apply Controls”. Tell us why you wrote the book and a little bit about the book.

Chris Hodson [00:01:24] Of course, yeah well firstly it’s great to be here. I know that the title is somewhat of a-, rather long-winded title with a lot of words in it but that’s for a reason and that’s kind of how I’ll start my explanation of the book. So I think in Information and Cyber Risk Management we have a tendency-, I think the broader populace, not just the cybersecurity community of potentially misappropriating risk and I’ll explain what I mean by that. We sometimes talk about threats when we mean vulnerabilities, we sometimes talk about risk when we mean threats and the challenge that brings about for either the layman or the C-Suite or even some people within our own community is that we’re not in a position to qualify and accept or mitigate risk in our environment. I’ve been in our industry for 18 years, directly or indirectly now. And this seems to me to be a systemic challenge. It’s a challenge in all industry verticals to be perfectly honest. So I thought to myself, I thought right, ‘What are some of the frameworks that I’ve used cyber and information mismanagement before, which have worked well, which elements of different frameworks do I think you could take and combine to make something that’s relevant and contextualized for your environment?’ So I thought about this, and I thought why don’t I write a book where we take the constituent parts of the risk equation – and for me, without ruining the book, that’s essentially that you have ‘actors’. Those actors may be, you know, nefariously inclined, it may be accidental actions of an ‘actor’. They essentially have some form of event that they would conduct, again, we hear about them in our industry – it may be some form of application vulnerability that they exploit via let’s say SQL Injection, I won’t get too technical here, but SQL Injection, it may be a Denial of Service Attack. 
And as I touched on there, that exploits some form of vulnerability – we hear a lot in our industry about vulnerabilities, you know, are these vulnerabilities in technology? Are they in the operating system of the application? Perhaps they’re vulnerabilities in people, you know, people make mistakes, people are tired, people are stressed etc, etc. And once those vulnerabilities are exploited they cause ‘business impact’ and ‘business impact’ again is something that I think a lot of organizations struggle with, understanding the assets in their environment that are important to them. Do they have structure processes for understanding what they are? And who’s responsible for defining those categories of impact? So, I basically take each of those components of a risk equation and I break them down chapter by chapter and I suppose the ‘du mots’ of the book is bringing that together in a chapter on risk management frameworks.

So yeah, it’s been quite a humbling experience, Rob, to be perfectly honest. The book’s been very well received and watch this space for something else because there’s a lot of content that I put in there that just didn’t make the cut just through word count, and my publishers keeping that under tight controls. It’s been great so far.

Rob Llewellyn [00:04:33] Chris, one thing I noticed you did in a blog post which talked about your book was refer to the 6 D’s of an exponential organization. Now, I’m a big fan of Peter Diamandis who of course wrote about the 6 D’s a number of years ago in his book ‘Bold’ and those 6 D’s are Digitalization, Deception, Disruption, Demonetization, Dematerialisation and Democratisation. Tell us about the 6 D’s from a Cyber Risk Management perspective.

Chris Hodson [00:05:01] Yeah. The 6 D’s of an exponential organization really Rob. So I too have read ‘Bold’ by Peter Diamandis and latterly Exponential Organizations by Salim Ismail and both books really resonated with me. You look at the transformation, the digital transformation of most organizations if-, that dare I say all organizations are going on these days. You look at the success of organizations who are adopting the D’s, the six principles that are talked about in the book and Digitized is kind of obviously one of those core tenets and I looked across all of them and I thought to myself how prevalent and how relevant are these for cybercrime? And obviously the Yang to the Yin of that being cybersecurity. And you look at digital crime, you look at the exponential growth of crime that we’re seeing being carried out via digital means. You look at the democratization of what were essentially nation-state cyber weapons, you know-, the Shadow Brokers breach was a great example of this. The releasing of tooling which was previously reserved for, you know, purportedly nation-states and very sophisticated actors now being put in the hands of maybe cybercriminals and ‘script kiddies’ who don’t have the sophistication and the money to spend on cyber weapons. And there are various other areas of the six D’s that really stood out to me. And you know Democratize and Dematerialized. You know, the advent of cloud computing and SaaS has meant that you have criminals out there now who can essentially spin up hacking infrastructure in a matter of minutes which would have previously required them to have physical servers in their garage and spend lots of money and time. So I think the six D’s of a contemporary organization, a successful organization in this modern world, they’re so applicable to cybercrime and I think the real reason for that is you know cybercrime these days is-, it’s a business like any other.
So, I’m glad you enjoyed it – that particular article is actually on my blog;  -shameless plug there. But yeah anyone who’s interested, you can check out my thoughts on the six D’s via that website.

Rob Llewellyn [00:07:14] Chris, you know, myself and a lot of people listening we all have notions about the role of the cybersecurity function in an organization. But you know in these times that we’re living in now, what’s your view of the role of the cybersecurity function, what should it consist of?

Chris Hodson [00:07:33] Fantastic question Rob. I’m gonna start by what it shouldn’t consist of or possibly the challenges that we’ve had historically. So, what’s happened I think over the last 10 years is we’ve seen a shift from the way that projects are delivered in the modern organization, and I’m sure you’ve spoken to people before when you talk about Waterfall vs. DevOps and agile projects but that’s had a profound impact on cybersecurity. So rewind maybe 10, 15 years ago – the way the security function worked was very kind of Waterfall and stage gate orientated. A project in an organization would be initialized, the security function would hopefully be engaged, we’d be given a week maybe two weeks to write some non-functional security requirements, some build infrastructure would be commissioned and, you know, generally speaking, or maybe invariably there’d be a pen test and then a week after that we’d get some findings. It was a drawn-out process. Security took a lot of time and there was this perception potentially that we were a blocker. We weren’t-, we were a stage gate process but we added time and expense to projects. But we could do that because projects were being delivered via a framework such as Prince2. They were Waterfall based and you know people-, society accepted that you know racking and stacking infrastructure took months. As someone who’s worked end-user side for a long time, that was accepted within an organization. Now we fast forward to where we are today and we’ve already touched on kind of the six D’s of an exponential organization. Well, those organizations are expecting infrastructure and applications to be deployed in the blink of an eye. They have developers and coders who are writing new lines of code on a minute by minute basis. They’re looking to deploy virtualised infrastructure via containers in a matter of minutes and hours rather than days and weeks. So, the security function’s had to pivot.
You know those ways of working that we had 10, 15 years ago have, I don’t know, a pen-test taking a week or defining security requirements taking two weeks. That’s just unacceptable for modern business. So the security function today has to be one that’s working with these cross-functional business C-Suite. I suppose the most progressive and successful security functions that I deal with today, have a very flat horizontal structure. They have-. Most of them, or some of them, they’re moving towards this in most, have really embraced this concept of the BISO. Or the Business Information Security Officer. Now, that BISO would actually embed themselves within a particular business unit of an organization, say, let’s take financial services – you may have a BISO who would sit in Investment Banking in Retail Banking, in Wholesale Banking and that BISO then gets to know intimately the critical business functions of that unit. They get to know the coders and developers who are working. They get to know the senior business stakeholders and help them classify and identify critical assets. I talked about my book and I talked about the right-hand side of a risk equation being ‘causes business impact’. Well, you need to understand the assets that are important to your company if you’re going to be able to accurately qualify business impact. So, the security function needs to be one that’s embedded-, it may be slightly trite of me to say so, but it’s true, embedded within these specific business units and we have to become a consultant. I think the role of the CISO and the role of the security function is misunderstood in a lot of organizations. I think people think that we’re there to stop cyber attacks, or we’re there to ensure 100 per cent availability of services. I’m going to dispel a few myths here-, we’re there in my opinion to reduce risk. But the definition of risk is one which has to be given by business stakeholders.
A statement I use in many an interview is we’re there to design controls that are commensurate with the classification of information. Now, if people don’t give us a classification we can’t protect all data, all systems, all assets with the same level of security, for two reasons. It’s quite expensive to do that and also it increases [inaudible] potentially with the use of applications and infrastructure that kind of doesn’t need to be either. So, to wrap up, the modern CISO and the modern security function needs to be working cross-functionally in their organization. They need to be consultative and pragmatic. Yeah, they need to be working in an agile fashion because that’s how most modern businesses are being run today.

Rob Llewellyn [00:12:17] So the role of the CISO and the responsibilities and how that function works within an organization has changed a lot from what it was a decade ago, now. Chris, with that, of course, comes a lot of new challenges, a lot of new expectations. So, what does it take to be a Chief Information Security Officer in a world of digital transformation?

Chris Hodson [00:12:42] That’s a great question. The modern CISO is something that’s hotly debated in magazines, on LinkedIn, industry conferences and there’s many schools of thought as to what makes a good, quote-unquote “CISO”. I think there has to be kind of-, it’s a hybrid role these days. I think people talk about these two kinds of core career paths that you see. You get the CISO and maybe I fall into this camp so slightly biased maybe, but-, who’s come from a very technical background maybe they’ve worked as an engineer, they’ve worked as an architect-designer, they started to progress through to management responsibilities and you know they become the CISO via that route and the other CISO that’s commonly I suppose experienced in organizations is one that’s been in a leadership role within the business somewhere else in that company. So, I see some organizations where it’s the incumbent CISO’s first CISO role – they may have spent 10 years in Finance or in HR or operations. And the school of thought there is they intimately understand their business. So, consequently, security which sometimes can create friction, you know, we do have to sometimes say ‘no you can’t do that’ or ‘we would suggest you don’t do that’ so they have that, you know, political acumen within a company. But for me, the CISO needs to have a technical grounding. Now, I think people misappropriate what technical means. I’m not suggesting that they could, for example, deconstruct the AES crypto algorithm and understand how S-boxes work but for me, technical is a mindset – it’s having a passion for how things work. You know, if you want-, if you’re curious about how something works and possible ways to abuse that, I think that’s technical enough to be a CISO. But this person certainly has to be comfortable with taking very technical concepts and translating them for an audience who isn’t technical.
I think the worst thing that the security function can do by proxy of the CISO is go to your executive board and talk to them in language that they don’t understand, you know, going to your CFO and CEO and saying to them ‘we blocked 2 million potential malware threats this month’. I’ve had CISOs who’ve done that. A board turning around and saying, ‘Is that good? Is that bad? How many potential incidents did we have last month?’ You know, ‘what threats were we looking at protecting against six months ago?’ It’s certainly got to be something that resonates in business language so the CISO has to be somebody who’s interested in my opinion in technology and the inner workings of it; that doesn’t have to be low-level, it just has to be a holistic understanding. They have to have an understanding of the business in which they’re operating. So have good relationships with leaders of these business units and also get to grips with what your company does. Right. I have something we overlook in the security function as I mentioned earlier in this interview, you know, we design controls that are appropriate for an environment. So, do we know what our company’s strategy is? Do we know what the priorities are? And once we understand those we can start to identify these what I call ‘key risk indicators’ so things that could have a material impact on the company achieving its objectives. And that for me is what the security function and the CISO specifically is there to do-, and you know, I don’t want to get lots of comments back saying ‘I’m a CISO who isn’t technical’. I think we need to better qualify what ‘technical’ means because unfortunately, you know, the security function, like I said, we design controls to protect assets; assets in the modern business are overwhelmingly digital. So we need to have a grounding in the digitized world in which we work.

Rob Llewellyn [00:16:25] Chris you’re touching on something which I think is really important and that’s the ability for the CISO to communicate to those C-level business executives because they know security is important. They don’t understand the nuts and bolts of it. You know when you’re going in and out of organizations, what kind of evidence do you see of CISOs actually engaging well, communicating well with these senior business executives?

Chris Hodson [00:16:50] I don’t want to say we’re pushing against an open door that would be unfair, but what we have seen over the past, I would say it’s probably three years, I would say 20-, start of 2017, I wrote in the book that you know 2017 was kind of this year of the data breach in that senior executives started to understand and appreciate that it could happen to them. I mean how many times have we heard that you know a CIO or CEO would say ‘hey why would a hacker?’ Shouldn’t really say ‘hacker’ because hackers can be for good as well as nefarious purposes but, ‘why would a cybercriminal want to come after my organization? We only sell tins of beans and toilet roll’. And we’ve now got to a place I think in 2019 where people are starting to understand the value of information. You know, it can be sold, it can be used to create false identities. There are many different ways now that you can monetize this. What was-, ‘data is the new oil.’ How many times have you heard that Rob? So, I think we are in a better position now that senior executives, quote unquote, get it. Now that does vary from organization to organization but cyberattacks, and also system availability, because we shouldn’t forget about that. You know, if you think of the core tenets of information protection, it’s not just confidentiality and integrity – you’ve obviously got availability of data. And I think it’s become newsworthy. You know, Cyber Security, Information Protection, and Business Resilience are now making the front pages of newspapers and mainstream websites rather than the corner articles in the middle pages. So board executives maybe in the Financial Times, in the Times and various other publications are seeing the impacts of WannaCry, NotPetya, BlueKeep. They’re seeing large multinational organizations being impacted by availability considerations. Now, a lot of those are accidental.
You know, if you start to decompose some of these major system outages you’ll read fairly regularly that they’ve been caused by somebody typing the wrong command into a terminal, or perhaps there’ll be a system that they didn’t know existed that went offline and caused systemic damage to a line of business application and these executives they’re saying that, and they don’t want that happening to their business. And of course another driver, and I promised myself I wouldn’t talk about this in detail today, but you know contemporary privacy regulations such as GDPR we’ve seen in the last two or three weeks the potential and I’ll say ‘potential’ because there’s a long way to go yet, fines that have been issued to British Airways and to Marriott, for example, running into three-figure millions, I believe the figures are maybe a hundred and eighty-nine million pounds and ninety-nine million pounds-ish respectively for those organizations for, you know, a ‘purported’ I say at this phase, inability to protect information. So, boards are seeing that – a hundred million dollar, or a hundred million pounds I should say, is a figure that’s going to get any board executive to sit up and listen. So, I think it’s got easier for CISOs, but we’re not there yet. We’re not out of the woods. It’s important that we are still talking to executives in language that they understand and also telling them about things that they want to hear about. I ran a talk yesterday for the IISP, The Institute of Information Security Professionals and one of my speakers spoke very eloquently and succinctly about the challenge of a security leader telling their CEO about a patching problem. Now patching is vitally important to the security and the operations function, it forms a core tenet of your ability to provide cybersecurity and I.T. hygiene, but an executive on your board isn’t going to understand the importance of patching, what they care about is the importance of critical systems that are making their organization money perhaps, and patching is a protection mechanism for those systems, so, there are lenses I think and dimensions to how you articulate risk. And it’s imperative that when we talk to our senior stakeholders we’re talking in terms of things that could impact their core business objectives, Rob.

Rob Llewellyn [00:21:07] Chris you mentioned the fact that security is no longer a little corner in the newspaper. What we’ve seen as you mentioned, British Airways and Marriott and now these breaches of security they’re hitting prime-time you know that they’re taking up time on the BBC so from the public’s perspective we are seeing-, we are being made more aware of security and security breaches. But tell us, from an organization’s perspective, what is security awareness? What should it be and what shouldn’t it be?

Chris Hodson [00:21:38] It’s a great question. How many conferences do I go to where we talk about security being everyone’s responsibility and how awareness is vital? So, I know-, it’s a tough one – for me, awareness is about changing culture in an organization, right? And the example I always fall back to is Health and Safety. So, health and safety is everyone’s responsibility. I passionately believe that and it’s something that seems to have been embedded into most organizations. You know, if somebody goes into the kitchen of your office and they see a wire that is trailing across that could cause a trip hazard, or you see a wet floor that someone could slip on, I think we’ve almost been programmed now to go and report that to the relevant person in our organization. There’s a protocol for that. People understand what to do. I think in the cybersecurity realm, I don’t think we’ve reached that point yet. In most organizations and I think there’s maybe some stigma and some I suppose maybe historically fair challenges with that. I think people from a cyber perspective potentially if they see something that looks suspicious or perhaps they did something that they weren’t supposed to do but it was an honest accident, I think maybe people think that they will be in some way punished for that action that they’ve taken. So for me awareness in an organization has to be breeding a culture of openness and responsibility – knowing who to talk to in the event of something, I don’t know, suspicious landing in your inbox, or perhaps you’ve opened a file that you shouldn’t have done or perhaps – this is a common one – you know you’ve sent an e-mail to someone and the modern email systems, you know, helping the end-user will allow autocompleting of email addresses. You’ve sent it to Jenny when you meant to send something to Steve. Having a process and knowing who to speak to in those scenarios is important. I think awareness. 
There are some situations where security awareness needs to be tailored to particular teams. I think there’s a general overarching awareness campaign that you would have, as you would have with Health and Safety. But there are also specific programs of security awareness for different teams and I’ll give you two very quick examples: I think if you’re working let’s say in a call centre or a reception, for example, they’re particular environments where you’re susceptible to Social Engineering – by social engineering I mean somebody phoning up or maybe e-mailing in and trying to extract vital pieces of information through a pretext which isn’t correct. So, I don’t know, saying they’ve got some vitally important documents that they need to send someone can they have the email and phone number of your CEO or some kind of business email compromise which we’re seeing is certainly prevalent these days, where people will purport to be the CEO and say that they need some funds being transferred to a particular bank account. So I think specific training for those people is vitally important. And the other end of the spectrum would be awareness training for your coders. I mentioned earlier the importance of development in most digitized organizations. Well, a big cybersecurity challenge that I see is the security function historically gives developers these very large pen test reports that tell them to fix a million vulnerabilities in their code without really-, that’s the ‘what’, isn’t it? That’s what we need to do. I don’t think we’ve always been very good at the ‘why’. Sitting down and explaining why developing more secure code is of intrinsic benefit to your company. So they’re areas of awareness. Something else which I’m passionate about is making sure that awareness is an iterative activity. You know, there’s no end to security awareness. What I don’t like it to be in an organization is biannual or even annual computer-based training without any follow-up.
I think PR, marketing teams, customer success teams in organizations – it’s vitally important we work with those departments on an awareness campaign, so that people – if something’s everyone’s responsibility, it needs to be naturally reinforced on a regular basis. So it’s many things and it’s also contextual. You will know the security function within and the H.R. function really should know what’s going to work best in their company. But for me most importantly it’s about I suppose a culture of kind of openness and knowing who to go to in the event of possibly something being suspicious or malicious.

Rob Llewellyn [00:26:11] Chris every industry has its clichés and one in this space is ‘it’s not if it’s when you’ll be compromised’. What’s your take on that?

Chris Hodson [00:26:18] I think there is a lot of truth in that, to be perfectly honest. I don’t know of an organization who would say they’ve never had a security incident, but there are shades of grey, maybe not even grey on this one Rob, in that there are downsides to that statement in there. I’ve had board members who’ve said to me in some consultancy engagements or potentially events they would say, ‘well if we’re going to be compromised anyway what’s the point in spending millions of dollars on security controls?’ And that may sound a little flippant but if you think about it, this comes back to the way that we engage with our board. I assert that it’s the CISO’s responsibility to talk about risk minimization, to talk about mitigation, to talk about the requirements from regulators for cybersecurity controls. Could you imagine playing out a scenario whereby you had a requirement to talk to the Information Commissioner’s Office in the event of a data breach, and your immediate response was, ‘Well we didn’t deploy any security controllers because we thought we were going to be breached anyway so what’s the point?’ I think you know, again that’s me being slightly facetious there but it’s true. So, the reason that I think it’s ‘if not when you’ll be compromised’ is a solid security principle, is that it kind of plays to a requirement to have the capability for detecting and responding to cyber-attacks. You know, it’s important that we can minimize the impact of something going wrong in an environment because it’s inevitable that an organization will incur or experience some form of business disruption. Let’s make sure that we can detect and respond to that disruption in as expedient a timeframe as possible. So I appreciate that’s a long-winded answer to your question, but there are two sides to it. 
Profoundly positive ones, but also some considerations when you’re going to espouse this when you’re going to say it’s, ‘If not When you’re going to be compromised’ – make sure you understand why you still need robust cybersecurity.

Rob Llewellyn [00:28:22] Chris you just mentioned that organizations are spending millions on cybersecurity but in light of what we already mentioned – the Marriotts, the British Airways scandal recently, all the awareness, all the spend. Why then does the plethora of high profile data breaches continue?

Chris Hodson [00:28:39] I can give a personal view on this. This isn’t my employer’s view or anyone else’s but my view is I don’t think we’re that good at doing the basics. You know I’ll give you an example. So I’m lucky enough in my job to travel the world speaking at and attending industry conferences, and sitting on advisory boards for them and if you walk the expo hall at any conference here, the US, mainland Europe, wherever you go you’ll hear, it almost feels stereo, you’ll hear, you know, the importance of machine learning, and blockchain and user behaviour analytics, and malware sandboxing, and the list goes on and I’m not knocking any of those capabilities – they’re vitally important as part of a layered set of cybersecurity defences, but ‘layers’ – that’s the pertinent part of my sentence there. It’s important that we design good I.T. hygiene and cybersecurity from the bottom up. And I know that may sound slightly trite as well. A good foundation – for me, good foundations-, And this is actually a takeaway that you can use potentially with board executives is asking some fairly simple to ask but very hard to answer questions. Things like, ‘how many assets do I have in my estate?’ And by assets I mean laptops, desktops, servers. ‘What data do you have? Do you know where it resides and who has access to it?  Do you know what applications you’re running? Do you know their software versions? If you had a BlueKeep, or a NotPetya, or a WannaCry, how quickly could you deploy a patch? How efficient would it be to deploy that patch? Do you have statistics around the efficacy? Do you have the percentage of machines that have had that patch deployed to them? Let’s say you have a request from a government agency, or a threat intelligence provider to look for a particular indicator of malware – too low-level today, but you know, a particular piece of malware in your environment. Could you search for that? How quickly could you search for that? 
Can you trust the information that’s coming back? These are questions that sound pretty simple, but they’re often really difficult to answer in an organization because of the breadth of stakeholders that need to be involved in that conversation. So, I think we’re still seeing this plethora of breaches because, you know, defence in depth or appropriate defence in depth isn’t always applied. I have quite strong views on this. You hear this, ‘everyone needs defence in depth’ but you know, organizations maybe think they have it, and don’t – you know, back to back firewalls or two AV engines isn’t a defence in depth. For me, defence in depth is having the set of capabilities that allow you to prevent, detect and respond to attacks rather than putting all your eggs in one of those baskets. And my final point, I know it’s a very long answer, I’m sorry, but my final point as well is, you look at the likes of GDPR and we’re going to be seeing this with the California Consumer Privacy Act and various other regulations and legislation, there’s now a legal requirement to report breaches as well. So that’s obviously having an impact on the volume of the breaches that we’re seeing today, Rob.

Rob Llewellyn [00:31:43] Chris we could go on, at least I know you could go on and on sharing some superb nuggets of information on this, but we’ve got to wrap it up there because of time. Of course, people can go buy your book which is Cyber Risk Management published by Kogan Page and I can see it’s available on Kindle, hardback and paperback. Where else can people go to learn more about the kind of information you’ve been sharing with us today?

Chris Hodson [00:32:11] I would say the best place to go-. I recently put together a website or a blog site. I found myself distributing content to various different channels and mediums, like some of it on LinkedIn, some of it on Peerlyst. I do lots of writing for the CompTIA, there are various organizations that I’m involved in, so I put together a site as this canonical source. So I would advise people, your listeners, to go to, that’s actually got a lot of my interviews, there’s a lot of content that I’ve written that’s specific for that site and you’ll find lots of links to both.

Announcer: [00:29:44]  We hope you enjoyed this episode of “Leading Digital Transformation” with Rob Llewellyn and The Digital Transformation People. Visit to secure the knowledge, talent and services you need for digital transformation success. To continue your journey as a certified transformation professional, visit Be sure to subscribe to the podcast and follow us on Twitter @TheDigitalTP and @RobertLlewellyn
