Andrea Danti - Fotolia
Even though cybersecurity is becoming more prominent in the boardroom, many CISOs continue to struggle with executive buy-in and comprehension -- some board members often have differing perspectives on what cybersecurity is about and its relation to privacy, data protection and regulatory risk. Others focus on risk postures or threat levels, but few have a comprehensive grasp of cybersecurity. Regardless of executive focus, these struggles create challenges for CISOs who need the board of directors to understand the resources, commitment and budget required to safeguard their systems.
Many past breaches, including the 2015 breach of the U.S. Office of Personnel Management (OPM), in which deep identity information of over 20 million government employees and over 5 million fingerprint records were stolen, are due to three "meta-level" root causes:
- failure to prioritize security;
- failure to invest in security; and
- failure to execute on security initiatives.
Prior to the 2015 attack, the OPM failed to prioritize certain critical countermeasures, such as two-factor authentication, and invest in security, spending only $7 million per year, which was near the bottom level of investment in comparison to other government organizations. Even the Department of Agriculture spent more on its information security than the OPM. Finally, the OPM failed to execute sufficiently fast enough on its security improvements prior to the breach. These three meta-level root causes of breach need to be understood by the board. But how does one accomplish that?
1. Tell a cohesive story and narrative around cybersecurity
First, CISOs should attempt to tell a cohesive story and narrative around cybersecurity. Steve Jobs once said, "The most powerful person in the world is the storyteller. The storyteller sets the vision, values and agenda of an entire generation that is to come." The job of a CISO is, in part, to teach and tell a compelling story to alleviate those concerns and further the organization's mission.
Do not immediately attempt, for instance, to give a NIST-Based Security Framework Assessment of your enterprise security posture -- that probably will not go as far with your board as telling a cohesive story, providing important background and context. A security framework assessment can indeed be valuable to review with the board but should probably be reviewed after background and context is provided. As the storyteller, you need to set the vision, values and agenda for your organization's cybersecurity program.
Lead the story with the kind of risks and attackers that might be motivated to harm your business; Although this exercise should not be focused on creating FUD -- fear, uncertainty, doubt -- it should offer a realistic view of the current threat landscape. It should also include the ways you're trying to slow attackers down, and how your systems neutralize them. If you do not have stories of how attackers have come after your organization, you can leverage stories from recent hacks such as SolarWinds or past breaches, including those at Capital One, Facebook, Equifax, OPM, Yahoo, JPMorgan Chase and Target, among others. The stories of these real hacks and breaches help set context on what has affected other organizations similar to yours.
Avoid talking about the tools and technology -- keep such topics independent of your business narrative. These topics, while interesting to discuss with other security and technology peers, will have less relevance with board members who do not live in that world. If one of the ways you were able to stop the bad guys, or at least see they were coming, was a new tool that your CEO or the board had approved in a previous meeting, that's great. Weave that as part of the story but be sure that the tool or technology is part of the story, and not the story itself. Such an addition to the story allows you to turn the CEO and the board into heroes in that story.
2. Focus on existential security risks first
Secondly, CISOs and other executives should focus on existential risks first. Organizations have many risks, some of which may be existential threats, in that if those risks materialize, it threatens the organization's existence. Cybersecurity-related threats may make up part of such risks. However, exactly which cybersecurity-related threats may or may not be existential threats will depend upon the organization.
For some businesses, intellectual property theft may be the most significant existential threat. If a nation-state funded group can steal product blueprints, semiconductor designs or obtain a copy of a company's source code that required hundreds of millions of dollars of investment in research and development and can manufacture the product, the product can be produced at a cost that can unfairly undercut the original developer. If a cybercriminal group can indefinitely knock an e-commerce site out with a distributed denial-of-service attack, such an attack could threaten the existence of the e-commerce site, and it might be easier to pay a relatively small ransom instead of having their revenue stream disrupted. Online consumer services that rely on consumer personally identifiable information for advertising could lose their users' trust if PII is stolen in bulk.
3. Lead with CARE: Are security controls consistent, adequate, reasonable and effective?
Third, as cybersecurity discussions become of concern to the board, in part due to regulatory fines increasing, one should understand how regulators think about cybersecurity. Regulators, such as U.K. Information Commissioner Elizabeth Denham, think about cybersecurity with CARE -- an acronym that stands for consistent, adequate, reasonable and effective. CARE is a criterion that can be applied to think about and evaluate security controls and whether they have the characteristics that regulators look at if your information security program comes under scrutiny. In particular, are your security controls:
- Consistent -- marked by regularity or steady continuity?
- Adequate -- sufficient for a specific need or requirement?
- Reasonable -- in accordance with reason; not extreme, excessive or underwhelming?
- Effective -- producing a decided, decisive or desired effect?
Regulators have been levying larger and larger fines against companies that have had data breaches. The Federal Trade Commission fined Facebook $5 billion in 2019. That same year, U.K. Information Commissioner Elizabeth Denham (who had a significant role in investigating Cambridge Analytica) levied GDPR fines against Marriott International for $124 million and British Airways for $230 million due to their data and privacy breaches. She said, "Our focus is whether or not there was adequate, reasonable, consistent, effective data security to protect people's data." Although there are many reasons why boards should care about security, regulation and their accompanying fines are just one.
4. Connect the dots between security initiatives and business outcomes.
Finally, be sure to connect the dots between business strategy and the security program as you summarize your presentation to the board. Results from a technology or security team are quite compelling when dots are connected from projects to the business goals that are focused on enabling or achieving. For instance, instead of stating the goal as "achieve HIPAA compliance," the goal should rather be stated as "Enable organization to be able to sell into the healthcare market by achieving HIPAA compliance."
In summary, empowered with the above four pro tips on how to elevate cybersecurity discussions, you can more likely get executive support and engagement to appropriately prioritize cybersecurity initiatives.
About the authors:
Neil Daswani is co-director of the Stanford Advanced Cyber Security program, president of Daswani Enterprises, his security consulting and training firm, and author of upcoming cybersecurity book Big Breaches: Cybersecurity Lessons for Everyone. He has served in a variety of research, development, teaching and executive management roles at Symantec, LifeLock, Twitter, Dasient, Google, Stanford University, NTT DoCoMo USA Labs, Yodlee and Telcordia Technologies (formerly Bellcore). At Symantec, he was chief information security officer (CISO) for the Consumer Business Unit, and at LifeLock he was the company-wide CISO. Daswani has served as executive-in-residence at Trinity Ventures (funders of Auth0, New Relic, Aruba, Starbucks and Bulletproof). He is an investor in and advisor to several cybersecurity startup companies and venture capital funds, including Benhamou Global Ventures, Firebolt, Gravity Ranch Ventures, Security Leadership Capital and Swift VC. Daswani is also co-author of Foundations of Security: What Every Programmer Needs to Know (Apress).
Moudy Elbayadi has more than 20 years' experience and has worked with a number of high-growth companies and across a variety of industries, including mobile and SaaS consumer services, security and financial services. Having held C-level positions for leading solution providers, Elbayadi has a uniquely 360-degree view of consumer and enterprise SaaS businesses. He has a consistent track record of defining technology and product strategies that accelerate growth. As CTO of Shutterfly, Elbayadi oversees all technology functions including product development, cybersecurity, DevOps and machine learning/AI R&D functions. In this capacity he's leading the technology platform transformation. Prior to Shutterfly, Elbayadi held the position of SVP, Product & Technology for Brain Corp, a San Diego-based AI company creating transformative core technology for the robotics industry.