
The board and cyber security

September 20, 2019

There’s another useful article on Forbes. How to talk to the board about cybersecurity is written by an experienced CIO, John Matthews. Here are some useful excerpts with my highlights:

  • For technical professionals who increasingly find themselves plucked out of technical operations centers and dropped into boardrooms, learning to speak the language of business is critically important, not just for their jobs and teams, but for the business as a whole. If a CIO can’t effectively communicate budget requirements, or a CISO can’t articulate why the risk outweighs the efficiency that would be gained by rolling out a particular technology, it puts not only technical, but business operations and security, at risk.
  • …while security teams increasingly recognize the fact that breach prevention is a losing strategy, oftentimes the board is not quite there yet. Just as security teams are recalibrating their efforts towards detection, mitigation, and resilience, CISOs should encourage the board to look at how the organization is equipped to respond when the inevitable occurs—including how it will recover.
  • In the day-to-day of security operations (SecOps) and IT operations (IT Ops), priorities often come into conflict. One is focused on performance, which requires speed and agility. One is focused on protecting critical assets and data, which can often mean strict requirements and lengthy evaluations. But for the board, the only consideration is how these two things are supporting (or hindering) business operations.
  • CISOs and other security leaders do need to find ways to avoid being pigeon-holed as the team of “no.” If CISOs, together with CIOs, can demonstrate a clear understanding of business requirements and objectives and talk about what security measures need to be in place to achieve them, it reframes the conversation around “when” not “if.”
  • Ultimately, security is about tradeoffs: risk vs. reward, risk vs. speed. If you, as a technology leader, can demonstrate that you understand those tradeoffs and are capable of moving forward while balancing those risks, you will be seen as an asset to the success of your business, not a roadblock.

Let me talk for a moment about these excerpts.

  1. If a practitioner wants to have effective communications with leadership, he or she needs to use the language of that leadership. In most cases, that is business language. When it comes to risk management, I advise avoiding the four-letter word ‘risk’. It immediately causes a reaction in the listener that may hinder effective communication. Talking in business language about ‘what might happen’ is easier for everybody.
  2. It is nigh impossible to have 100% certain breach prevention. Do what makes business sense, but make sure you have measures and tools that will help you detect breaches and what hackers are doing promptly. The average detection time of 10 months is clearly unacceptable. Then have a discussion with business leaders about what might happen should there be (when there is) a breach. Invest in defenses consistent with the level of harm and how much it is reduced by such investment, and then ensure you have response processes that will minimize the damage and keep the business running.
  3. Discussion about cyber risk should be based on the way in which a breach might affect the business and the achievement of enterprise objectives. Please see Making Business Sense of Technology Risk, where I review existing cyber risk standards from NIST and elsewhere, and suggest a better way to assess the ‘risk’ and work with management and the board to make quality business decisions about handling it.
  4. Practitioners should focus on how they can help the organization succeed instead of helping them avoid failure. They need to be the department of ‘how’ instead of the department of ‘no’.
  5. Credibility and respect are gained (and truly earned) when practitioners can express their concerns within the context of business success. Know when it makes sense to take the risk of a breach, because at some point there are better ways to spend the organization’s limited resources than on further investment in cyber. Investing money in cyber comes at the cost of investing in a marketing campaign, product development, customer service, and so on.

Saying that cyber risk is ‘high’ is meaningless. Business leaders don’t know how much to invest in cyber, especially if they understand that the risk can never be eliminated and that the hackers are constantly developing new and better ways to break in.

I welcome your thoughts on the above and how practitioners can help.

  1. David Beer
    September 20, 2019 at 11:22 PM

    Spot on, Norman.

  2. September 22, 2019 at 6:33 PM

    Can we also go back to basics? Taking advice on how to talk to a Board from someone that has only reported to a board is a fairly one-sided perspective. Not to question John’s abilities reporting to a Board, but communication usually requires at least two parties. There was little in the article about the Directors’ perspective on how to effectively communicate with them…

  3. September 23, 2019 at 2:58 PM

    Could not agree more. It’s not about boards learning cyber; it’s about cyber people learning the language of business. Then, when they explain cyber risk and the various management options in business terms, they should expect a considered response. We need to be communicating at the strategic level and not just the operational level. Directors do not (really) want a lesson on cyber-tech. They want to know which business strategies to employ which will give the board high confidence that cyber risk is being managed effectively. See cyberseven.global

  4. Andrew
    September 26, 2019 at 5:22 AM

    Supporting your second point, it would be useful to guide management through the easy wins and scalable defences and costs that will benefit the organisation, avoiding a top-down / large-scale and costly approach. Basics are effective, and managing the human (risk) elements within the organisation will go a fair way to plug larger gaps.

  1. September 24, 2019 at 5:10 AM
