Cybersecurity and the Board of Directors
Over the past three weeks I’ve had occasion to attend three separate events all focusing on cybersecurity and the Board of Directors (BoD). Two events were multi-day events; the third was a webinar. The target audiences for these events varied from current board members to future CISOs
Several themes emerged from those events that are worth sharing:
1. It’s an Understanding Barrier, not a Language Barrier. Over the past decade security professionals have been encouraged to speak “the language of the business. After attending these events I have become more convinced that it’s not the presence of a common language but an erroneous assumption of understanding that is impeding communications. When a security professional says things like “malware,” “darknet,” and “distributed denial of service attack” we believe that there is at least a rudimentary understanding of the term. Not the technical aspects, mind you, but at least the basics of what the term means re: impact to the business. This is not the case. In one of the events that was geared toward board members, the security presenter spent the bulk of the time explaining the difference between a phishing attack and a DDoS attack. The executives present – all of whom sit on boards of directors – were extremely grateful to the very rudimentary explanation. Terms that my most teenagers know today are so foreign to most BoD members that it is almost impossible for them to see the linkages between these threats, the existing risks, and the proposed actions. One BoD member for a well-known restaurant chain put it this way: “I know more about cuts of meat and purchasing produce that I ever thought I would know at 40. My five year old probably understands more about cyber than I do, though.” Security professionals would be well served to find ways to provide rudimentary education to their BoD members and their executives prior to risk decisions being made
2. Everyone Has A Story – and It’s Usually Not A Pleasant One. At all three events, more than one person couldn’t help themselves and went down the rabbit hole of telling their story of the “horrible, clueless BoD member/CISO” that they had to deal with at one time or another. We all know the pieces of this tragic tale: either it’s the CISO who “interfered with business” to the point where executives cheered when s/he left, or it’s the “clueless CXO” who had a risk appetite of zero yet would not fund or support the initiatives necessary to mitigate risks – and worse, took no ownership of existing risks. Both sides were frustrated and entrenched in their positions…to start. It took the guidance and leadership of the instructor cadres at these events to move the groups towards solutioning instead of griping. In our everyday lives, we need to do the same within our organizations.
3. The Threat Is Real. It Is Also Existential. Even if we do everything correctly, the looming threat of an exposure or breach will always be there at a not insignificant level. Security professionals who persist on discussing innocuous threats with qualitative risk measurements in order to justify solutions must still grapple with the reality that their efforts will not offer the guarantees that executives would prefer to hear. The key discussion, of course, should be one of risk appetite and risk management; unfortunately, to have that discussion organizations must place some level of valuation on non-tangible assets such as data and reputation.
4. Come Together. The most striking thing about these training events was the decided lack of commingling of executives and security professionals. While there were were 1-2 exemplars of “the other side” at each event, none of these training organizations attempted to have both groups in the room together to learn from one another. We cannot learn to communicate with one another effectively if we continue to isolate ourselves from one another as we discuss the same problems.
On the positive side, I admit being pleased with the majority of the content of these training events – and the fact that this training was occurring at all. The recognition of the need to close the gaps between security and the BoD in order to address the challenge of cybersecurity is long overdue. Seeing organizations and individuals make a concerted effort at creating effective bridges gives me hope for the the future of our cyber awareness & cyber capability.
My two cents…