A new book seeks to act as a translation guide between chief information security officers and the board of directors – with helpful suggestions for how both sides of the equation can see eye to eye.
The book, “The perfect scorecard: Getting an ‘A’ in cybersecurity from your board of directors,” is the brainchild of Alexsandr Yampolskiy, CEO and founder of cyber ratings company SecurityScorecard.
Yampolskiy wrote the opening foreword and co-wrote the introduction with Edward Amoroso, CEO of TAG Cyber. The ensuing chapters are written by 17 guest co-authors, including leading CISOs, CEOs, board members, military leaders and others.
The 15 chapters, plus intro and conclusion, examine the various dynamics of the CISO-board member relationship – offering recommendations for how CISOs can best communicate to their higher-ups, while also helping board members understand a security professional’s perspectives on why it’s so important to assess corporate risk and practice strong cyber hygiene.
Topics include what kinds of attributes are desirable in a CISO, how to take a business-aligned approach toward security investments, how to handle a ransomware response, and the evolving role of the CISO, among others.
“The Perfect Scorecard” is now available in paperback through Amazon, or digitally as a PDF or Kindle ebook. SC Media spoke with Yampolskiy about what inspired the book and the important lessons contained within its pages.
What inspired you to write this book?
It was my own personal experience at the end of the day. I was a chief security officer at Gilt Groupe, an ecommerce retailer, for a number of years. And as I mentioned in the book, just a few months into my tenure, the chairman of the board told me, “Alex, I'd like to get an update from you on how you’re doing.” And I walked in feeling confident and prepared. I prepared this long summary of people I hired, and the risks I identified.
As I walked into the room, he started flipping through the deck out of sequence, looked at me and said, “I don't think you've done a good job.” And I was confused. I'm like: “What do you mean I'm not doing a good job? Look at all the things I'm putting in place.” And [he] told me, “I don't think you're doing a good job because I don't hear enough people complaining about you. If you were making enough changes, I’d hear more people complain about you.”
It really was a good lesson to me about the hard job of being a head of security, and how to communicate to businesspeople [and] to the rest of our leadership team. Because the truth is, if we all spoke the same language, then things in cybersecurity would be much easier.
I think a key part of becoming safer and combating the exponential increase in attacks that we’re seeing is learning best practices from other people and peers about how to communicate to the board, and how to discuss topics like ransomware, insurance and resiliency. And so I assembled people in my network – the best and the brightest, which included CISOs, board members and other people – and really collated it into this piece of actionable advice of… how we can improve communication between CISOs and senior executives.
I noticed that this book contains recommendations for both CISOs and for board members on how to improve communication and understand each others’ perspectives.
That's exactly it. I wanted this to be a useful manual, where you can read any chapter, by itself, without reading the whole thing. And [I wanted] the ideas and insights to be actionable and... applicable both to senior executives who have nothing to do with security… and to CISOs and CTOs who might be struggling about how to best tackle this topic.
The book even says that the communication gap that exists between both parties isn't really the fault of the CISO or board member, “but rather stems from the differences in how each type of executive developed their skills.”
That’s exactly it… If you’re a CFO… you arrived to where you are today by thinking the language of numbers, by understanding how do you make the company more efficient. And so if you want to be successful talking to a CFO or board member with financial experience, you have to understand what is the value at risk. What is the dollar exposure? You're not going to get a very attentive audience if you start talking about expired SSL certificates. The CFO has no idea what that means. But he understands what it is to have a $10 million exposure due to being hit by ransomware.
Every single board member does not want their company to be hacked. Everybody believes in the importance of security. But when push comes to shove, it's really about speaking the same language and explaining to them the “why” behind what you're trying to do, and really finding common ground.
If you're a CFO, you want to manage risk. If you’re a CRO, you want to increase the revenue. So, explain how improving security culture could increase the revenue of a company by gaining more trust from your customers.
Tell me a little bit about your strategy of recruiting guest co-authors to write individual chapters.
The message is always best delivered by sharing expertise from many different people. If it was only me who shared with you my perspective, then… you would not get a diversity of views… so I sought out people in my network that I would go and call for advice.
When I asked myself, “Who would be the first person I would call about wartime mentality? How do you operate in wartime? How do you build resilient infrastructure?” I thought of [former U.S. Navy] Secretary Ray Mabus... I called him and said, “I would love to learn from your experience of being a secretary of the Navy. What can you apply to build in a cyber security organization?”
When I thought about how you build a new framework for managing cybersecurity, the first person I thought of was Jonathan Dambrot, [principal at] KPMG, who is a brilliant visionary, a brilliant leader.
We selected Anthony Dagostino, [executive vice president, Global Cyber and Technology Practice at Lockton Companies]. I’ve known him for many, many years. He's an amazing expert on cyber insurance… because he's underwriting tens of thousands of companies every single month. His perspective of dealing with volume and dealing with problems as a practitioner made for much more effective insights than if I told you, because I'm not an insurance broker.
I know it's hard to single out any particular lesson because they're all important, but are there any that stand out just in terms of being timely with what’s going on in the industry?
We've assembled a great set of authors, but to name a couple, I really loved the insights from Ray Mabus – because when he was a secretary of the Navy under the Obama administration, people's lives were on the line. Imagine having this level of responsibility when you are operating one of the largest organizations in the world. One interesting insight that I really loved to hear from Secretary Mabus is that a CISO’s greatest virtue is flexibility – not deciding that you've got all the answers.
When I spoke to Secretary Mabus, he mentioned that he used to sit in on the debriefings of carrier strike teams, [after they'd] been on eight-, nine-month deployments. And there was one constant in every conversation he heard: that no matter how much you prepared, no matter how much money you spent, no matter what people you put on a task, the group always faced an obstacle that they did not anticipate, did not train for. They just had to figure it out on the spot while the incident was happening. And I think a lot of the same stuff applies to today's CISOs.
Let’s circle back to that conversation you had with the board chairman at Gilt Groupe, who said you weren’t doing a good job because people weren’t complaining about the changes you were enacting. If you could go back in time, how would you apply the lessons from this book toward that conversation? How would you approach that meeting differently? Likewise, what advice would you give to the chairman to reframe his own way of thinking about how to evaluate a CISO's performance?
The one thing I would over-index more is making sure that I had actionable KPIs to illustrate how my organization was doing compared to the rest of the industry. I feel that the industry evolved quite a bit in the past 10-plus years. If I rewind the clock to almost a dozen-plus years ago, a lot of people in the industry were flying blind. They went bust on money left and right. They were not communicating the “why” behind what they were doing and they did not quantify the effort. So if I were in that room again, I would over-index in making sure I had rock-solid metrics comparing me to other companies in the industry, and to really spend a lot more time explaining the “why” behind the initiatives of what I was doing.
[Also, in the past] I would go in front of the board and tell them I believe that it's critical to put endpoint protection on the laptop of every employee in the company, and I would assume that people know that that's important. I completely neglected the fact that they don't have a security background. They're coming at it from a different perspective. And so if I were to rewind the clock, I would say, “Look guys. The reason we need to have endpoint security is because right now we have zero insight. If any one employee’s laptop is compromised and if a hacker controls it, we have zero insight into what information the hackers can get. And so it’s really mandatory to make sure that we gain this insight if we want to protect the organization.”
And then I would add, “And by the way, the number of people we have dedicated to security in [our] organization of 1,000 people is way below the industry benchmark. An average company might have two or three people; we have only one. So we're clearly under-investing.”
Now, to answer the second question that you asked, about what advice I would give to the board member to [properly] test if a CISO is any good. Actually, this is a topic… [addressed in the book by Laura Deaner], CSO of Northwestern Mutual.
If I was a board member, I would say… “How do you feel the cybersecurity program that you put in place fits into the organization's business objectives?”
If you’re a credit card company, your security program is going to be different than if you’re a hedge fund, versus a retailer. So I would ask you, “How does your program fit into the company objectives?” I would definitely ask you, “What are the metrics you're measuring? How do you know how you're doing, how you're comparing to the industry?” And then the third [question] I would ask is, “How do you collaborate with your peers? What are your peers, what are your other execs, and how is the security organization collaborating and tag-teaming with these other organizations to make the company safer?”
We always hear how important it is for security professionals to be business-aligned and to communicate how their proposed security initiatives will benefit the company in a way that corporate executives are going to understand. How does a security professional get better at acquiring a business-savvy perspective?
Curiosity.
You need to be seen not as a “no” team that tells everybody, “No, you cannot do it,” but as a “how” team. How will you come and help solve people's problems? And that goes back to curiosity. You need to really dig under the covers, talk to people and understand: How does the business make money? What are the divisions? What are the business challenges? What are your customers asking you?... Who are your customers?
That's what helps you become more impactful in building the right security program that fits your needs. As an example, if you're a hedge fund, you're in the business of managing money for your limited partners. Your secret sauce is going to be intellectual property, so you're going to over-index on insider threats. If you are healthcare pharmaceutical, you need to protect the patient data, so you need to be HIPAA compliant. So it all goes back to a really deep understanding of how the business operates – and the best way to procure that knowledge is curiosity… You have to know how to ask the right questions. And asking the right question is a lot harder than… having the answers.