SAN FRANCISCO – For a CISO arguably it’s a toss-up over which is worse: Learning there’s been a network intrusion, or being told to make a presentation to the board.
There’s no shortage of advice on the latter, including don’t use jargon. There’s another lesson infosec pros have learned in several sessions at last week’s annual RSA Conference: Be prepared.
Take this account IT World Canada got during an interview with speaker Ronald Sugar, former chair and CEO of American defence contractor Northrop Grumman and currently on the boards of Apple Inc. and energy provider Chevron Corp., on the worst presentation he’s seen a CISO make:
“It starts out with ‘Everything’s fine, we’ve got great people, we’re all doing great stuff, and we have the distributed business system where every unit is responsible for its own part of cyber security, and they know it’s important, and we haven’t had a problem,’” the Toronto-born Sugar said.
“And then you ask, ‘How do you know you haven’t had a problem?’ and they really can’t tell you. And you ask, ‘How do you know how you stand compared to others?’ (and the answer is)…‘Well, we’ve never really benchmarked ourselves.’
“‘Should you benchmark yourself? What (security maturity) framework are you using? How are you establishing consistency across the company? How are you dealing with suppliers and your other business partners?’
“And when the answers come back, ‘Everything looks great’ – and the charts (he presented) look great, you’ve never seen better charts – but in this particular case it was pretty clear it was unsatisfactory.” The CISO was told to come back.
“And when he came back it was the same answers. And we realized it was not just that the individual was not up to the job, it’s that the organization going all the way to the CEO have not recognized the importance of cyber security, have not empowered the individual, have not given the structural support that person needs. And so you get in that job a weaker player who will tolerate that because they’re not allowed to do anything more.”
A director can’t say people should be fired, he said, but directors have to tell management this is unacceptable, and this is what needs to be done before the board will be happy. And, he added, the CEO has to understand he or she owns the problem.
“And in every case I’ve been involved in the reaction is, ‘Holy cow, we really do have a problem, and even if the board is wrong I don’t want to be on the wrong side of my board.’” And in the end progress was made.
“I think the worst conditions are companies that are otherwise really good that do everything well,” he concluded, “but maybe are not up to snuff on cyber.”
The CISO above violated one of the rules outlined in another session by John Pescatore of the SANS Institute: Have something meaningful to say when meeting the board.
And it doesn’t have to be good news.
One of the myths is that boards don’t want to hear bad news, Pescatore said. In fact they regularly get bad news from the chief financial officer and business managers – but they hear it in business language, in repeatable ways and numerical ways that allow directors to compare the past, the present and evaluate where the organization is going.
After interviewing a number of CISOs and directors, SANS concluded what boards want to hear is a report on the current status of the security program, the security status of the company, proposed strategic actions that would have some measurable business benefit, and then continued reporting on progress.
Boards are increasingly turning their attention to cyber security, Pescatore said, in some cases not approving business projects that don’t have security locked down. Similarly, they want to know from the CISO what strategies are enabling new business initiatives.
“We have to show that our strategies are focused on protecting the business, and we are expressing that in business terms, we’re demonstrating effectiveness against risk but also efficiency,” he said.
“One big thing missing from strategy and most presentations is how are we reducing the cost of doing the old stuff in security” and using the savings to invest in ways to stop advanced threats or enable the company to be more digital or get products quicker to market.
“We have to express what we’re doing in business benefits, not security features.”
Don’t avoid metrics, but they have to be relevant. For example, tell the board that thanks to improvements in security new business partners can be signed on quicker, downtime has been reduced or there are fewer customer defections. Or create a slide illustrating the comparative state of 20 security controls and where you want the company to be in a year.
Pescatore also quoted with approval a director and former CEO of a startup who said two important things:
— “Do not scare the board. It’s OK to make them understand there is risk about an incident, as long as you explain how it’s being handled,” and
— “Remember your goal – that when you leave the room the board trusts that you’re the right person for the job.”
“You should encourage your CEO and the board to believe that cyber security is a business problem,” Sugar told an audience during his presentation entitled ‘Unlocking the mystery of the boardroom.’ “It’s not just a technical problem, not just an IT problem, and the enterprise is at risk if it’s not handled appropriately.”
The board has to see the CISO as the quarterback who orchestrates the process, Sugar added — but one who doesn’t control everything and everybody — and the business operating units, who have most of the resources and responsibility, have to get on board. The CISO’s job in part is to help them do that.