28
July 2015
How to present Cyber Security issues to the Board
Andy Harris
Everyone has a unique view of what a board meeting is like and what the board actually care about. Here, I’m going to explore how to communicate with the board and the board’s wishes. I’ll consider that the reader is a CISO or InfoSec executive.
Over the years I’ve attended hundreds of board meetings as exec, non-exec and advisor roles. I’m a ‘doing’ director, this means that I report on the functions I look after. I wrote that code, I created that blog, I filmed that video, I dealt with that incident. Its why I’m at the board meeting, to condense an activity into a summary with risks and costs.
If you’ve never attended a board meeting before I’ll try to give you a flavour of what happens. Each board meeting is very different and not every board member is usually present. It’s likely that every board meeting will have a theme. For example; a new product launch, end of a quarter, data breach and so on.
The Core
Every board member should know what the core of a business is (excluding start-ups, they are a special case). The core is what needs protecting and evaluating to ensure that it’s fit for market. If you are going to address a board you should have a good understanding of what they believe is core.
Every board is responsible to its shareholders. Thus, there’s a lot of attention on what will and won’t bring in business, and also what the competitive landscape looks like.
The board has to execute the legal responsibilities of the organisation. This of course assumes that they know what they are! When reporting and accounting they have financial expertise to call upon. But, with regard to privacy and cookie laws you should be the knowledgeable resource.
The priority discussion subjects
- The best interests of the shareholders?
- Is our core business healthy, is change needed? Is the reputation of our core business in good shape?
- Where is the profit/loss is coming from?
- Are we compliant? Are we liable for anything?
Now, when we’re called to account by the board can use this as a basis to build on.
Let’s say we’re looking to increase the InfoSec spend. Here’s a typical board member’s reaction:
- Why should we decrease the potential returns to our shareholders?
- Is this core to our business? Does it create a distraction? Is it cheaper to outsource?
- Can we use it to increase sales?
- Is there a law or regulation that we have to compliance?
Nothing particularly technical there. Here’s how we could address those concerns for a simple case of Anti-Malware:
- Cost: nothing you can say other than you have or intend to negotiate the best price.
- You need to take this on. To take an easy example, a virus could shut down our business for up to three days. This threatens our core capabilities and our profits. Anti-Malware tools have minimal impact on the majority of staff workstations and we have chosen a version that reports direct to IT. We’ve looked at outsourcing and here are the costs and risks ….
- Anti-Malware is a must these days. o real chance to increase sales, we could add a footer to our emails to give our customers confidence that we take security seriously.
- Not directly: Malware associates with ‘Command and Control’. This is how attackers gain control of our staff’s systems to steal personal data, which covers the Data Protection Act.
A complex case
Now let’s have a look at Privileged Access Management:
- Cost: There are savings to be had: by speeding up workflow and packaging the common IT tasks. This is about all you need to say in a presentation but have a slide that supports the figures. Reset domain password is a good example: this task takes 6 minutes 10 times a day, reduces to 2 minutes and changes to a first call response at the help desk.
- Core business: it frees up time for our staff to enable more innovations in our core business. This is where our InfoSec staff want to get engaged. After all, these days InfoSec staff are re-branding to be ‘business enablers’.
- So that’s less time on repetitive tasks, more core security and more time on enabling innovations. Known as the ‘win triple’.
- Separating people from passwords and then using identity to map into business roles. This is exactly the sort of thing that we need for Data Protection/Sarbanes Oxley/Computer Misuse/MAS compliance.
Let’s look at communication the other way around. After a data breach the board will be feeling very sore and very vulnerable. The reputation of their core business has taken damage and heads are likely to fall.
The board members themselves know the ‘rules’. Because they have zero employment protection and full responsibility, they know when they need to go. The obvious reaction is: ‘This must never happen again’. The practical reaction is more likely: ‘Make us such hard targets that the criminals go elsewhere’.
InfoSec
InfoSec will be in the limelight for a much shorter time that you’d expect. As soon as you present the measures to remediate an attack a good board will move immediately to business recovery – it’s their job. For the most part you’ll only get one bite at the cherry, so get it right!
It’s not practical to say to your InfoSec staff ‘this must never happen again’. They’ll get demotivated because they know it’s an impossible task. Worse still they’ll use it as a reason to block business projects because they are not 100% secure. A better approach would be ‘The board have taken this very seriously and are giving us the go-ahead to use the tools we need. We have to do this in concert with the urgent needs of re-building the business.’
From here is a case of building specific plans from the board imperative. It means looking at what happened and where your biggest risks are. In general, the people should be more important than the technology. All attacks start with technology but end with privileged accounts stolen or compromised.
It may help to think the same way the board do. Firewalls and anti-malware are the first lines of defence removing the bulk of low level threat. Protecting the privileged accounts is the key to protecting the core.