Everyone has a unique view of what a board meeting is like and what the board actually care about. Here, I’m going to explore how to communicate with the board and understand the board’s wishes. I’ll assume that the reader is a CISO or InfoSec executive.
Over the years I’ve attended hundreds of board meetings in exec, non-exec and advisor roles. I’m a ‘doing’ director, which means that I report on the functions I look after. I wrote that code, I created that blog, I filmed that video, I dealt with that incident. It’s why I’m at the board meeting: to condense an activity into a summary with risks and costs.
If you’ve never attended a board meeting before I’ll try to give you a flavour of what happens. Each board meeting is very different and not every board member is usually present. It’s likely that every board meeting will have a theme. For example: a new product launch, the end of a quarter, a data breach and so on.
Every board member should know what the core of a business is (excluding start-ups, they are a special case). The core is what needs protecting and evaluating to ensure that it’s fit for market. If you are going to address a board you should have a good understanding of what they believe is core.
Every board is responsible to its shareholders. Thus, there’s a lot of attention on what will and won’t bring in business, and also what the competitive landscape looks like.
The board has to execute the legal responsibilities of the organisation. This of course assumes that they know what they are! When reporting and accounting they have financial expertise to call upon. But, with regard to privacy and cookie laws you should be the knowledgeable resource.
Now, when we’re called to account by the board we can use this as a basis to build on.
Let’s say we’re looking to increase the InfoSec spend. Here’s a typical board member’s reaction:
Nothing particularly technical there. Here’s how we could address those concerns for a simple case of Anti-Malware:
Now let’s have a look at Privileged Access Management:
Let’s look at communication the other way around. After a data breach the board will be feeling very sore and very vulnerable. The reputation of their core business has taken damage and heads are likely to fall.
The board members themselves know the ‘rules’. Because they have zero employment protection and full responsibility, they know when they need to go. The obvious reaction is: ‘This must never happen again’. The practical reaction is more likely: ‘Make us such hard targets that the criminals go elsewhere’.
InfoSec will be in the limelight for a much shorter time than you’d expect. As soon as you present the measures to remediate an attack a good board will move immediately to business recovery – it’s their job. For the most part you’ll only get one bite at the cherry, so get it right!
It’s not practical to say to your InfoSec staff ‘this must never happen again’. They’ll get demotivated because they know it’s an impossible task. Worse still they’ll use it as a reason to block business projects because they are not 100% secure. A better approach would be ‘The board have taken this very seriously and are giving us the go-ahead to use the tools we need. We have to do this in concert with the urgent needs of re-building the business.’
From here it is a case of building specific plans from the board imperative. It means looking at what happened and where your biggest risks are. In general, the people should be more important than the technology. All attacks start with technology but end with privileged accounts stolen or compromised.
It may help to think the same way the board do. Firewalls and anti-malware are the first lines of defence, removing the bulk of low-level threats. Protecting the privileged accounts is the key to protecting the core.