The Why and How of Talking Tech with the Board:
3 Strategies to Help Them “Get” Cybersecurity


Nobody wants their enterprise to be the victim of the next big data breach. For chief information security officers (CISOs) and others who eat, breathe and sleep technology, the solutions seem obvious; there are, after all, not many times, waking or sleeping, when we’re not thinking about cybersecurity best practices.

But there’s a hidden danger to being too technical. When we walk into a boardroom and brief our business’s top brass on topics like risk, it’s easy to think we’ve painted a clear picture of what needs to happen, when in reality we’ve gotten barely anything across. …


Christopher Hodson, IISP Director and EMEA CISO at Zscaler, offers a dodgy headline and his musings on connected devices

I’m struggling to think of another profession where ‘things’ is a suitable description of a product, service or problem. Everything from a light bulb and a fridge to a car or a plane is now a thing. Because we haven’t been vague enough already, we throw into the IoT quagmire some real esotericism in the form of Machine Learning and Artificial Intelligence to deliver Smart solutions. I’m confused. Is IoT really an entirely new set of technologies?

Industry rhetoric suggests a ‘sophistication of attack’ whenever the latest botnet commandeers thousands of ‘things’, but I’m not so sure what is sophisticated about hunting for default creds on a collection of cameras. The same occurs when we look at Industrial Control Systems (ICS). The media suggested that the world was on the verge of an apocalyptic catastrophe with the headline, Hackers gaining direct access to the power grid! I am not suggesting we avoid a discussion around the impact of risks on critical infrastructure, but mitigating controls should always be considered. In the power grid scenario, hackers might be successful in taking an individual station offline, but a successful attack on a distributed, complex and resilient energy ecosystem is a far more unlikely proposition. …


In Part 1 of this series on delivering meaningful metrics to boards, I talked about the need to discuss security risks in ways that relate to board concerns.

Many CISOs are reporting the wrong metrics to boards — for example, a malware platform supposedly finding 333 million malware alerts or 234,333 wrong password entries. Without context for the organization and its particular risk posture, these raw numbers are meaningless.

Here in Part 2, I’ll explain how to go beyond raw numbers and prioritize risks, in a way that boards can understand.

Understanding risk inputs and outputs

Here’s a standard risk equation:

Likelihood x impact =…

Enron changed the world of finance and the energy industry forever, and the early days of the Equifax hack look as though this breach could change the face of the credit industry and cybersecurity forever. That a single company could amass so much financial information on an individual and be as poorly defended as it was just emphasizes the importance of communicating security and risk effectively to your Board of Directors.


As an infosec director, I’m often asked about the biggest challenges faced by CISOs. Again and again, one key issue surfaces: the need for CISOs to deliver meaningful metrics to their Board of Directors. Boards that are not comprised of security professionals are increasingly funding new cybersecurity programs and initiatives without understanding what information they want or need. They call for metrics, and the CISO is left wondering which metrics to present that will mean something to the board.

To understand which metrics CISOs should deliver, CISOs need repeatable processes and an understanding of risk management. CISOs need to meet board members where they “live” — meaning they need to be talking about the same objectives if the metrics are to make sense. …


Christopher Hodson

CISO, public speaker and author on all things cybersecurity and risk management. The views here are my own (unless stated otherwise).
