top of page

Episode #


H&R Block's Joshua Brown on Addressing Underlying Policy and Cultural Issues in Cybersecurity

Show Notes

In this week's episode of the Future of Cyber Risk podcast, David speaks with Joshua Brown, VP and Global CISO at H&R Block, who explains the importance of not being alarmist when raising risk concerns and avoiding leading a conversation with "no."

Joshua also discusses why storytelling is such a huge part of his role and shares some advice for cybersecurity professionals, including a reminder that technology is the enforcement mechanism for our solutions, not the solution itself.

Topics discussed:

  • How Joshua started in philosophy and ended up at a tech desk, then building a security team.

  • Signs that it's time to discard the old way of doing things for something better.

  • How Joshua knows he's getting his ideas across during his meetings with board members and how that affects their desire to take risks.

  • How being a good storyteller can help a CISO communicate with their team and the company.

  • The importance of listening, building relationships, and understanding motivations within your team.

  • Advice for cybersecurity professionals on communication, planning, and maintaining transparency.

Key Takeaways:

  • Craft compelling cybersecurity narratives that resonate with stakeholders, illustrating the risks and solutions in a context that matters to them, not just from a technical perspective.

  • Engage with your team regularly to understand their needs. Effective leadership in cybersecurity involves continuous learning and adaptation.

  • Watch for signs that something isn’t working and see if you can try something new.

  • Listen to the questions you’re being asked: they can tell you about how well you’re being understood.

Quotes from Episode


“I think the part I enjoy most, though, is the strategy of developing and maturing a high-functioning organization, being part of a turnaround effort. It's energizing to see people change their opinion of the value of what your department brings to the business. And that is part of a concerted, intentional effort is just incredibly fulfilling to me.” (9:08-9:32)


“Technology should be the last place we go when we're trying to solve a problem. It's the enforcement mechanism for the policy and the procedures and the culture.” (44:10-44:18)

bottom of page