Security chiefs need to tell the board the truth, albeit a more palatable version of the truth.
For Fortune 1000 CISOs and CSOs, reporting to their boards of directors is, at best, a complicated and disquieting situation. CISOs must be specific and technical, but not too specific nor technical. They must be honest and comprehensive, but they also need to know which truths are best left unsaid.
CISOs facing a corporate board briefing might well be asked questions that forces them into the sensitive area of corporate politics. Questions such as: “Did you fight for this perimeter defense that we don’t have?” must be answered truthfully, but the truth, unlike data, is not a binary “yes” or “no.”
These encounters today come at a time when board members of publicly-held companies are being held to higher standards about security, when board members can be personally sued and even exposed to legal penalties.
Compliance issues, especially new rules specifying privacy requirements, can force board members to engage technical discussions where they might not be especially comfortable.
The question that perhaps best illustrates the conflict is “If we agree with your proposal and fund this effort, will it prevent any breaches? Will it make us safe?” The only completely honest answer is the one many CISOs fear giving, as it is absolutely not what board members want to hear: “Not necessarily.”
Relative truth
“You’re never going to get to a perfectly secure environment,” says Sean Goodwin, a senior security consultant with Wolf & Company, a 107-year-old, Boston-based accounting firm.
When a board member asks the CISO, “How strong is our encryption?” the last thing that board member likely wants to know is the number of bits or other techno jargon. The board member wants to be told that the encryption will keep the company’s data safe. How strong essentially is a board member’s way of asking: Are we safe? Speak comfort to me.
Dan Burke, vice president of cyber for the San Francisco-based insurance broker Woodruff Sawyer, says that instead of answering the “will this block any attack?” question directly, the CISO should put the question and the answer into an appropriate context. “If they ask a question about encryption, they are not really wondering about encryption. They want to know: Are we doing everything we can to protect ourselves from an attack in an industryacceptable manner?”
In short, tell the board that the investment will make the company appropriately secure, given its position and the nature of the most likely attacks. Compare your company’s defenses with other comparable businesses.
Jennifer DeTrani, general counsel and EVP at Nisos, a cybersecurity consulting firm based in Old Town Alexandria, Va., says CISOs can face very troubling questions, perhaps even questions that have been posed before. “Remind the board member of what has been decided in the past. What has happened since the last board meeting may not be on the top of their mind,” DeTrani says.
“Regulators have never been hungrier to make examples of companies. You are, in a sense, a [compliance] target,” she warns.
One nightmare scenario when the CISO meets the board is if a board member asks about a project that would reveal too much insider discussions. Let’s say the board member asks the CISO, “I was just reading in the business press about a security method that one of our competitors has deployed. Why aren’t we doing that?”
In this particular case, the CISO had been arguing for six months that the company should indeed deploy that approach, but the dollars were vetoed — repeatedly — by both the CFO and the CEO. Should CISOs give into temptation and throw their bosses under the bus in front of the board? Probably not, yet the CISO must also answer truthfully. The best approach, DeTrani says, is to suck it up and give the corporate team answer, while also giving an honest opinion. Here is a typical example of such a response: “Thanks for asking. I happen to very familiar with that technology and I’m also a big fan. It can work extremely well and it’s not especially disruptive to deploy. That said, it’s not an inexpensive approach. We seriously considered it, but competing financial issues — such as the changes to our supply chain that we discussed and that acquisition in Italy — forced us to decide to not deploy at this time. We will absolutely reevaluate it next year and, depending on what the numbers look like, it’s a possibility that we will then come to a different decision. In short, it’s impressive technology but not one that we can cost-justify at this time.”
If treading into this level of board-level politics doesn’t keep the CISO up at night before a board meeting, it is difficult to imagine what might.
In the opinion of Rema Deo, managing director for 24By7Security Inc., a security and compliance consulting firm in Coral Springs, Fl, boards have little to no interest in being the best — and certainly not paying for the best — in security. They want good enough, given that company’s security position.
Most corporate boards “don’t want to be ahead. They don’t want to spend too little or too much. A little ahead is fine,” says Deo, who also holds a healthcare security certification. But the point CISOs must stress is that “no matter how much you spend, this is not completely foolproof. We can only work to reduce the risk.”
But risk means something very different to the typical large-company CISO and the typical large-company board member. It is up to the CISO to describe all of the germane risks and to offer examples that will be meaningful for board members. That can be particularly difficult when board members come with a wide range of experience, expertise, technical acumen, and from different cultures.
Thought experiment
“CISOs and other security managers need to steep themselves in the language of risk, downside, and liability familiar to executives and general counsels. ‘Breach’ is abstract. ‘Legal liability’ is specific,” says Nick Merrill, founder of the Berkeley, Calif.-based cybersecurity consulting firm Broad Daylight.
“Here’s a thought experiment I play with almost every non-security executive I talk to,” Merrill continues. “If your customer database leaked, what would happen? Legally? In business metrics? What about your HR database? What would happen if your technical systems went down for an hour? A day? A week? The key is to get executives to quantify — however roughly — the monetary harms of likely cyberattacks. Once execs can price the attacks, they know how seriously to take them relative to the other five thousand things competing for their attention.”
Still, such explanations do not always come easily to veteran CISOs. “Security specialists often miss that quantitative story of downside risk. Security folks like myself are trained in the technical and operational aspects of security,” Merrill says. “The business and liability story often gets lost in translation.”
Kevin Carlson, partner at Atlanta-based consulting firm TechCXO and a parttime CISO for hire, offers this insight: “This should include information on how it will affect compliance measures, the timeline and cost for mitigation efforts and the effect on staff and other company priorities.” Goodwin offers another example where the proper context can make a huge difference when presenting to the board: penetration testing. “A pen tester is always going to find something wrong. You really need to properly frame the results,” he says.
That might mean pointing to the decrease in the number of issues discovered or, even better, a sharp reduction in how many of the issues are considered critical. That might mean stressing the stage of development, if it is relevant.
“Saying something like ‘you have weak password requirements’ is not as powerful as showing them how password spraying works and how anyone can guess easy passwords to log into their systems remotely,” Goodwin says.
Goodwin also stresses that audit reports especially need extensive context. “All too often I see audit reports calling out things like missing patches year after year. When looking at this from the perspective of a board member, it seems like management is simply not fixing issues after being repeatedly shown what to do. The consultant is not doing their job by just calling out a list of missing patches,” Goodwin says.
“They need to be digging into the people, processes, and technologies in place to figure out why these patches are missing,” he continues. “Perhaps there is a legitimate business need for excluding some of these, or perhaps resources are not allocated appropriately for identifying testing and deploying software patches.”
Merrill says that he often hears of CISOs who present to boards, but do not effectively communicate because they leave too much to the imagination of board members, who might often not see the impact of security issues. “The CISO failed to connect the threat to the kind of harm [done] to shareholder value,” Merrill says. “To the CISO, it was obvious.”
Merrill argues that CISOs must make the human case to board members — and starting with a potential hit on stock price is a terrific way to grab the board’s attention. “Talk about the human impact to board members. What is it going to mean for their portfolios?”
Dominic Wood is the head of global security for the BT Group, the $31 billion U.K. communications giant formerly known as British Telecom. He argues that differentiation is a key argument that CISOs use too rarely.
“One way to present security compliance issues to the board is to frame it as a key differentiator that will give them a competitive advantage in an increasingly digital world,” Wood says. “Just as the use of interconnected technologies is unlikely to slow, so the importance of rigorous security protocols and systems will continue to grow, and consumers are growing increasingly aware of this.”
Board members “have the right to know and understand the risk in detail,” Wood says, but CISOs often “wrestle with the right level of details.” Although he argues that “the level of technical understanding [for board members] is far better than it’s ever been, having a purely technical conversation kind of misses the point.”
Mark Adams, a practice director for risk transformation at Optiv Security, a security systems integrator based in Overland Park, Kan., agrees that CISOs need to learn the phrasing that works for well for the board.
“CISOs need to learn the language of enterprise risk. Business leaders don’t care how many attacks you blocked today,” Adams says. “They do care how much intellectual property you prevented from walking out the door with employees or how much revenue/minute you saved by stopping a DDOS attack on your e-commerce site. The key is to talk about how you’re reducing risk and keeping the business running smoothly, not how you’re running your own operations.”
Adams points to the approach to security measurement as being a big part of the communication problem.
“At the board level, security leadership must take an inside-out approach to security measurement, where they demonstrate alignment between technology, operations and business objectives. Many security leaders take an outside-in approach, where they start with external threats and then highlight the tools they’re buying to combat them,” Adams says.
“This approach makes it impossible to prove value. Buying a tool to stop a type of threat does not prove anything and it drives the bloated infrastructure and operational problems that are perpetuating the breach epidemic,” he notes.
Marti Arvin, an executive advisor at CynergisTek, a healthcare cybersecurity consulting firm, points to cybersecurity insurance as a good example of a rarelyreferenced example of risk. Arvin says some board members think “We’ve got cybersecurity insurance, so we’re OK, right?” The proper CISO reply, says Arvin: “‘Are you sure that we’re covered? Part of the coverage criteria may be something that we’re not doing, such as a specific approach to patch management.’ Put it in business terms.”
Do you know the time? Yes.
One factor that can cause a collision course between the CISO and the board is psychological. Many board members are not comfortable with security technology. When people are uncomfortable, they tend to have a greater desire for absolutes. CISOs can often be a little nervous when presenting to the board of directors.
When highly-trained technologists get nervous, they tend to default to precision in their language, which can mean getting technical. This sets up a scenario where both participants want something the other is uncomfortable offering. In short, a highly likely communications collision.
This is an example where training plays a big role. Many senior executives — CISOs and CSOs among them — get trained by the legal department how to testify in court and how to give legal depositions. And those executives almost never get trained in speaking to the board.
The legal training stresses that they must be precise and, most critically, to answer the questions asked literally and without volunteering anything. The quintessential line that epitomizes this comes from an episode of the popular television drama The West Wing in which a lawyer asks, “Do you know what time it is?” The correct answer is not “It’s 2:17 p.m.;” the correct answer is, “yes.”
Those are fine skills for the courtroom, but it is the opposite of how CISOs need to communicate with their boards. It is not about answering precisely what is asked; it is about interpreting the question and the context and saying what the CISO thinks the board member really wants to know.
Know your audience
Who are these board members? Although it is widely known among CISOs that board members tend to not have technology backgrounds — and especially not in data and cybersecurity — a popular misperception is that the board of your company knows your company intimately. The internal board members (your CEO who might also serve as chairman of the board and perhaps your CFO or others senior executives) certainly know your company, but many of the external board members might not.
First, the typical external board member has a different primary focus, whether it is serving as an executive for a different large company or perhaps the board member is retired from such a position. It is not unusual for board members to serve on four or more different boards. And given that your board might only meet monthly or perhaps once every two months, it is not unheard that a board might not be aware of a key move that your company made in the past year, especially if the move did not require board approval.
That means that presentations must present any relevant background directly.
“Not only do [board members] not know about security, they don’t even know about what you think they know about,” which is your company’s key recent history, Merrill says.
The CISO is before the board primarily to do one thing: identify and mitigate risk in all of its many forms. Think of it as a verbal equivalent of those risk descriptions in the back of an initial public offering prospectus where the lawyers dream up anything and everything that could possibly go wrong. That is what many boards expect the CISO to do routinely when meeting with them.
CISOs can also take a lesson from lawyers who are used to arguing before the Supreme Court, whether at a top state court or the federal level. They study each justice’s history of decisions and are prepared to answer each justice with references to their specific earlier decisions. In the board room, the extensive bios and histories of each board member is easily found.
The CISO can know which company they run, as well which other boards they have served on and when. This could allow for the CISO to cite extremely germane examples that would have meaning to that board member.
“Last year, ma’am, when XYZ suffered a breach, your team there deployed an ABC strategy. What we’re proposing is just about the same thing, except that we’re proposing 123 instead of 567,” Merrill says.
“These different board members — you can find their histories. Use that to your advantage,” he adds. Here is a common question that can get CISOs into trouble: When describing a bad security problem, they could be asked, “How likely is that to happen?”
Sometimes, Merrill says, “the CISO punts on the likelihood. ‘We cannot establish the likelihood. It is fundamentally unknowable.’ And sometimes, the CISO tries to quantity. CISOs don’t really know.”
But Merrill says not every question needs to be answered directly. “Board members are used to not knowing things. [It is an error] that CISOs think that they need to answer that question. Nine times out of ten, it’s an error that they think they have to answer it and it’s incorrect to answer it.”
Yet again, it just requires context and explanation. A CISO can point to other companies that have been attacked in that way, but must stress that there is little solid data to predict definitively whether cyberthieves will choose to attack your company.
All a CISO can do is prepare operations in as secure a method as practical, given that no one has an infinite budget.