Up and Down

How to present CyberSecurity issues to the Board

Andy Harris


Everyone has a unique view of what a board meeting is like and what the board actually care about. Here, I'm going to explore how to communicate with the board, and how one should communicate the board's wishes. I'll consider that the reader is a CISO or InfoSec executive.

Over the years I've attended hundreds of board meetings in exec, non-exec and advisor roles. Mostly I'm a 'doing' director; this means that I report on the functions I look after: I wrote that code, I created that blog, I filmed that video, I dealt with that incident. It's probably why I'm at the board meeting, to condense an activity or incident into a summary with threats, opportunities and costs.

If you've never attended a board meeting before I'll try to give you a flavour of what happens. In general each board meeting is very different, and not every board member is always present. It's likely that every board meeting will have a theme, for example a new product launch, end of a quarter, a data breach and so on.

[Figure: Kill Chain without Osirium]

The core

Every board member is expected to know what the core of a business is (excluding start-ups, which are a special case). The core is what needs to be protected and evaluated to ensure that it's fit for market. If you are going to address a board you should have a good understanding of what they believe is core.

Every board is responsible to its shareholders: which is why a lot of attention is paid to what will and won't bring in business and what the competitive landscape looks like.

The board has to execute the legal responsibilities of the organisation; this of course assumes that they know what they are. In terms of reporting and accounting they have financial expertise to call upon. However, in terms of privacy and cookie laws you are expected to be the knowledgeable resource.

The priority discussion subjects

  • What is in the best interests of the shareholders?
  • Is our core business healthy, is change needed? Is the reputation of our core business in good shape?
  • Where is the profit/loss coming from?
  • Are we compliant? Are we liable for anything?

Now, when we're called to account by the board we can use this as a basis to build on.

Let's say we're looking to increase the InfoSec spend. Here's a typical board member's reaction:

  • Why should we decrease the potential returns to our shareholders?
  • Is this core to our business? Does it create a distraction? Is it cheaper to outsource?
  • Can we use it to increase sales?
  • Is there a law or regulation that we have to comply with?

Nothing particularly technical there. Here's how we could address those concerns for a simple case of Anti-Malware:

  • Cost: nothing you can say other than you have or intend to negotiate the best price.
  • You need to take this on. To take an easy example, a virus could shut down our business for up to three days - this threatens our core capabilities and our profits. Anti-Malware tools have minimal impact on the majority of staff workstations and we have chosen a version that reports direct to IT. We've looked at outsourcing and here are the costs and risks ....
  • Anti-Malware is just a must these days, with no real chance to increase sales; we could add a footer to our emails to give our customers confidence that we take security seriously.
  • Not directly: Malware is associated with 'Command and Control' which is how attackers might gain control of our staff's systems to steal personal data, which is covered by the Data Protection Act.

Now let's look at a more complex case: Privileged Access Management:

  • Cost: There are savings to be had: by speeding up workflow and packaging the common IT tasks. This is about all you need to say in a presentation but have a slide that supports the figures: reset domain password is a good example - 'this task takes 6 minutes 10 times a day, reduces to 2 minutes and changes to a first call response at the help desk'.
  • Core business: it frees up time for our staff to enable more innovations in our core business, this is where our InfoSec staff want to be engaged. After all, these days InfoSec staff are re-branding to be 'business enablers'.
  • So that's less time on repetitive tasks, more core security and more time on enabling innovations - technically known as the 'win triple'.
  • Separating people from passwords and then using identity to map into business roles is exactly the sort of thing that we need for Data Protection/Sarbanes Oxley/Computer Misuse/MAS compliance.

Let's look at communication the other way around: after a data breach the board will be feeling very sore and very vulnerable, the reputation of their core business will have been damaged and heads are likely to fall.

The board members themselves know the 'rules': they have zero employment protection and full responsibility, and they know when they need to go. The obvious reaction is: 'This must never happen again', although the practical reaction is more likely: 'Make us such hard targets that the criminals go elsewhere'.

InfoSec will be in the limelight for a much shorter time than you'd expect. As soon as you present the measures to remediate an attack a good board will move immediately to business recovery - it's their job. For the most part you'll only get one bite at the cherry, so get it right!

It's not practical to say to your InfoSec staff 'this must never happen again'. They'll get demotivated because they know it's an impossible task. Worse still, they'll use it as a reason to block business projects because they are not 100% secure. A better approach would be: 'The board have taken this very seriously and are giving us the go-ahead to use the tools we need; we have to do this in concert with the urgent needs of re-building the business.'

From here it is a case of building specific plans from the board imperative. It means looking at what happened and where your biggest risks are. In general the people side will be more important than the technology. All attacks start with technology but end with privileged accounts being stolen or otherwise compromised.

It may help to think the same way the board do: firewalls and anti-malware are the first lines of defence, removing the bulk of low-level threats. Protecting the privileged accounts is the key to protecting the core.