Mind the Gap: Helping Board Members and Executives See the Cybersecurity Peril


What a year 2017 turned out to be in cybersecurity: major ransomware epidemics such as WannaCry and NotPetya, the colossal Equifax hack, revelations of Uber’s cover-up, records of millions of people’s personal data being exposed again and again. It seemed like not a day went by without an attack, a leak, or a discovery of a major vulnerability. We’ve said it felt like a barrage, with InfoSec professionals desperately moving in the trenches patching what they could.


So it is no stretch to assert that cybersecurity is not an obscure part of an enterprise’s daily business; it is a fundamental, existential necessity. Leaks and hacks can destroy unprepared businesses. Survival is on the line.  

And yet, even in an atmosphere that blurs the lines between paranoia and justifiable fear, enterprises seem remarkably slow on the uptake. SIEM vendor Alienvault’s recent survey discovered that only 16% of IT professionals believe their superiors have taken an interest in cybersecurity this year. Only 14% have seen their budgets increased. Only a fifth have been allowed to make necessary security changes or patches that were put on hold.

At the same time, the InfoSec workforce is facing a serious staffing crisis that is contributing to an even more severe morale crisis. Only 52% of enterprises have a CISO on payroll, and 66% of fired IT professionals were terminated for security or compliance failures.  

Where is this discrepancy coming from? And more importantly, how do you bridge that gap?

The fact of the matter is that if you wish to enact change—whether that be through a new solution or an improvement in the company’s digital hygiene practices—you need to start at the top: the executives and board members who make the major decisions for your enterprise. But then you have to worry about the language barrier. Board members do not speak the InfoSec lingo and will be most concerned with the boardroom and the affairs therein.

As frustrating as it may be, you need to speak to executives in a language they will understand. You have to get them to see past the boardroom to the threats lurking on the other side of their computers. Here’s our advice on how to do that.

Talk Numbers…Specifically, The Numbers The Board Cares About

Unless they are straightforward for the layperson, most technical InfoSec jargon will fly right over the heads of executives and board members. Even if you spent the possibly extensive time to evaluate what data your company stores or find headlines about breaches of similar data at other companies, that may not move the board to action.

Instead, find out the exact figures on the capital that could be lost in an attack. Make sure to present not just what a ransom from a ransomware attack could be, but also the lost revenue from having to take your website down and recover the potentially lost data. Show them the possible compliance and auditing fines, the potential litigation costs and fines, and the costs of bringing in outside incident experts in the event of a particularly egregious attack.

Don’t forget to bring up the intangible costs of a hack, such as brand impact via the loss of customer perception, and lost acquisition value for your enterprise now and in the future.

Executives and board members are focused on profits above all. Speaking their language is the first step to getting their attention.

Make it Simple

Cybersecurity is jargon-heavy, as we all know, so explaining to your board what exactly a vulnerability is or how it poses a risk can be an exercise in frustration for both parties.

It doesn’t have to be so complex in your proposal—in fact, the board may be more receptive to your message if it isn’t. Try explaining your company’s website or database as a castle, with firewalls as the actual walls, SIEM as a combination of watchtower and spy network, and identity management as a drawbridge. Once established, you can convey the problem in similar fashion—the walls are too thin or a certain enemy can dig under them, the drawbridge opens too readily, etc. In other words, try framing your request in a manner that can be easily imagined and is easy to follow. Executives will be more receptive to your suggestions once they understand them as fully as possible.

However, this is not an invitation to make it childish; never condescend to your executives and board. Instead, use your metaphor as a comparison point to clarify your message and your enterprise’s needs.

Do Not Sugarcoat It

Even if you make it simple, be sure to emphasize how deadly serious these threats are, and be prepared to answer questions honestly and directly. Obscuring or hedging on your security posture will not do, especially if you believe the situation is dire; after all, it may very well be your job on the line if you fail to properly resolve the problem. State outright that the company is in danger. If you have incident reports or other documentation of previous attacks from the past month or so, share them with the board. Seeing the immediacy of the problem may help sell the board on your solution.

Always Have Your Solution(s) Ready

That old saying “time is money” could be the motto of almost every board member and executive, regardless of enterprise. They have other concerns and other dealings that need their attention, so as important as your request or proposal is, they’ll be less receptive to it if it drags on. Get to your point as quickly as possible, about 15 minutes or so if this is the first meeting, and always have a solution proposal (or a few options if the problem can be solved in multiple ways) to present to the board at your meeting.

Additionally, never show up to these kinds of meetings simply to highlight a problem; that will undercut your authority and will annoy board members, who will feel that their time has been wasted.

If your solution is more in line with a company culture change—such as making sure employees check their emails for discrepancies or report security issues as they arise—then suggest the mechanisms by which these changes can be enacted, such as a few brief seminars or incorporating the material into future training.

Never Frame Your Solution as the End-All, Be-All

This is a crucial part of any suggestion, proposal, or request you make: if the board grants you the solution or funding you need, they will judge its success or failure as a personal one attached to you. You will be the face of the solution and of future problems. So it is best to explain that even if the solution is deployed, there is still a security risk that can never be truly patched. Hackers can develop ways to fool the preventative or detection methods, so constant upkeep and evaluation are crucial. Remember, getting the board to agree to a one-time solution is a Pyrrhic victory. Getting them to agree to take cybersecurity more seriously as part of the corporate culture is the real prize.

Sources can be found here.

Ben Canner
