By security practitioners, for security practitioners

How The CISO Contributes to Business Success with Dr. Dennis E. Leber

Dr. Dennis E. Leber is a dynamic cybersecurity executive whose journey spans military service, academia, and leadership across healthcare and education sectors. His people-centric, strategically aligned approach to cybersecurity—championed through initiatives like Security Preparedness and Response (SPAR)—exemplifies modern leadership in the space.

Recently, we had a brief chat with him to learn more about his perspective on cybersecurity. He feels the practice has seen little evolution over the last 20 years, with teams struggling to communicate and CISOs often being trapped in limited roles.

In addition to his blog, The Cybersecurity Doctor Is In, he is a frequent guest on industry podcasts and media.

As a guest author on Innovate, he shares insights on cybersecurity, career trajectory, board engagement, and aligning security with business goals.

We’re Not Talking the Right Way

We’ve been doing cybersecurity the same way for 20 years, and it hasn’t really changed for the better. That’s due to a few factors that I’ve been talking about and injecting into my articles.

Cybersecurity isn’t positioned correctly. It’s always been under the IT department or under some other department. Even if you put a C in front of the CISO’s title, they’re still tucked under someone else.

That doesn’t establish cybersecurity as a true business function or make it a recognized part of the CISO’s responsibility. We’re advocating to be moved up to the big kids’ table, right? But we’re not acting like big boys and girls. We often come in, and we talk about pen testing or risk—all this technical jargon that means absolutely nothing to the organization. For 20 years leaders have said, “We’ve got risk,” or “it’s on the risk register,” or “the CVE scores a 9.0, or it’s a zero-day vulnerability, and we’ve got to fix it.” That means nothing to the rest of the C-suite or the board of directors or the CEO.

At the risk of oversimplifying: an organization knows how they make money, right? Beretta makes guns, accounting firms keep the books, and we have to put our cybersecurity narrative into those terms.

We must change this narrative to “If we don’t patch this vulnerability, it will shut down our timekeeping system, which will prevent us from billing the average of $3.3 million that we bill on a daily basis.”

I was able to teach this very thing at Beretta while working with them as a consultant. They have a plant in Tennessee that actually got shut down due to a cyberattack, but because we’d prepared, they were ahead of it in a couple of ways:

  1. They knew to call me right away.
  2. We’d already done some business impact analysis, disaster recovery training, business continuity training, and tabletop exercises.
  3. They’d done the math and realized that for every minute the plant was shut down, they were losing $3,000,000.

This allowed us to structure the narrative as “If we don’t patch that system, it could cost us $3,000,000 a minute” or “if we do this, it protects the system and it also facilitates and ensures that we’re making $3,000,000 a minute.”

That is the high-level idea that I’m trying to share.

Dr. Dennis E. Leber – Verticals in the Field

The bulk of my cybersecurity career—about 12 to 13 years of it—has been in healthcare. However, I’ve also worked in manufacturing, finance, higher education, state government, federal government, and perhaps the one thing I’ve learned across that vast experience in cybersecurity is that it’s agnostic. It doesn’t matter. Cybersecurity is cybersecurity. It’s just learning those intricacies of the industry that you’re working in at the time.

But that’s where it is again paramount to what I preach: you’ve got to be able to talk to them in the language that they understand. Not the usual cybersecurity lexicon of risk and vulnerabilities and CVE scores and all the other stuff.

The Cybersecurity Doctor Is in Newsletter

The inspiration for my Cybersecurity Doctor Is In newsletter was the knowledge that I’m going to retire someday, so I wanted to put as much education out there as possible that could be passed on to a broad audience, advocating for change in the industry.

Someone has to start the conversation before action can be taken. Hopefully something clicks and catches on and gets the right platform, perhaps through the world of social media influence. If you have enough viewers, you can have an impact—this is just lessons learned.

These are things that must happen to move our industry into a new era of greater effectiveness and establish it as a true business function.

Advice to Other CISOs On First Steps Communicating with the Board

In communicating with the principals of the business—board of directors—simplify it to its basic bare bones. It is communication and being proactive.

Anytime I join an organization that has a board, one of the first things I do is ask to have direct conversations with board members and not wait for a board meeting.

Establish a rapport with them and have regularly scheduled communications in between the board meetings. That’s when you start asking those questions: like, What interests you? What do you want to learn? How do I facilitate communicating our cybersecurity business to you? How do you like to see this information?

Some people learn differently. Some people respond to different forms of communication. You could even try: What’s of value? What hasn’t worked?

Look for opportunities to communicate; that’s really the first thing.

In this communication, the CISO should express a sense of ownership of the business, a sentiment that he/she is invested in business success, not just cybersecurity initiatives. And it’s not always an effort to change minds—it’s trying to adapt, to be like a translator. Probably an easier way to say it is, how do I translate this?

Do Education and Training Help?

There is some ownership on both sides—yours and the board’s.

Going forward, universities should be revamping business and law curricula to include more hours on cybersecurity in these fields. Cybersecurity will shut a business down, but most of these programs only include the minimum requisite hours on the topic, distilled to a single chapter of a textbook.

Get active if you really believe in this stuff. Take added steps where you can. Seek recurring education. That’s my goal with my articles and presentations.

About the Author

Recognized as a Global Top 100 CISO, Dr. Dennis E. Leber is a transformational cybersecurity executive, driving innovation across healthcare and government sectors, with over two decades of industry expertise. He is passionate about mentoring future professionals and advancing the field through collaboration, education, and innovation.
