CISOs learn 5 tough lessons about conveying security risks
The CISO of a manufacturing company had spent about a year in the role and had gone into the board meeting thinking he was doing the right thing: giving members the brutally honest truth about what was wrong with the company’s information security.
“Success for them would have been for me to come in and say, ‘Don’t worry about it. I’ve got it covered.’ But that was not the case,” he recalls. “We were really starting at a very low maturity level,” with few resources and little interest in security issues. So he gave them his diagnosis.
Lesson 1: Be honest, but diplomatic.
His second error, he now knows, was that he didn’t immediately follow his diagnosis with “I have a plan to make it right,” and then set that plan in motion quickly, he says. The problems were being fixed, but not quickly enough for the board. “I knew in my gut” that the board was not happy, he says. He was replaced in September.
Lesson 2: Always have a solution ready.
These are just some of the lessons that CISOs are learning the hard way when speaking to their boards of directors. After mega security breaches at publicly traded companies like Target, Sony and JP Morgan Chase, federal regulators are putting pressure on boards of directors to be aware of cybersecurity plans and, in some cases, to be held liable if a breach occurs.
Nine out of 10 board members believe regulators, such as the Federal Trade Commission, should hold businesses liable for cyber breaches if due care has not been followed, according to a joint survey released this month by NYSE Governance Services and Veracode. Pressure is building for boards and management teams to be especially wary of any corporate behavior that can affect their brand or erode shareholder value, including security breaches. Security is now the second leading risk to a company’s brand, behind ethical issues, according to Forrester Research.
CISOs need to learn how to communicate with board members, which requires “a new level of abstraction and business orientation above what they’ve ever had to deal with before,” says F. Christian Byrnes, managing vice president at research firm Gartner.
Today, boards typically hold the entire C-suite accountable for security breaches, marking security as a broader business issue, according to a NYSE survey, but as CISOs’ profiles and responsibilities continue to rise, they can’t help but be placed squarely in the crosshairs.
Security executives, many of whom spoke on the condition of anonymity, offer tales from the boardroom and what they’ve learned.
Lesson 3: Never surprise a board member.
“Security professionals lack an understanding of what the board of directors means when they talk about risk,” says Elden Nelson, vice president of Wisegate, a crowdsourced IT research company that provides peer- and research-assisted advice and guidance to security leaders. “Security pros think of risk in terms of what they can tolerate and what they have the appetite for. Business people also have a good understanding of risk, but they think of it differently,” in terms of metrics and key performance indicators.
And another thing: they don’t like surprises.
Nelson recently led a conference call of security professionals in which a global director of information security for a large accounting services network told how he had been fired after a board meeting. He, too, thought the board wanted complete honesty. He knew how to describe the problem, and he had a solution, but “he went in and ‘sprung’ the bad news on them,” Nelson says. The director’s key takeaway from that experience: “He was never going to go into a board meeting and surprise them ever again,” Nelson says.
The fired director now knows that before he officially addresses the board as a group, he needs to have confidence that they already know what the problem is, Nelson says. He’ll make sure he first talks to the people who need to hear about it privately, and then have them move it up the chain, or do it himself. He’ll also make sure he knows what the reaction to his news is going to be, and that he’s prepared with answers.
Lesson 4: Demonstrate the reality of the risks.
An information security executive at a large U.S. bank got off to a rough start with his former company’s board of directors; he acknowledges that he came in “somewhat aggressively” and told them in no uncertain terms that “things were not good.” He then spent years taking “measured steps to improve the relationship and demonstrate to the board that this is a business issue and a risk management issue. It isn’t a techie issue,” he says.
One of his most effective tactics was to give board members a hands-on demonstration of the specific threats the company was facing and what he was doing about it.
“We would take a corporate-issued laptop, put it in front of them, and then have one of our Red Team hackers break into it,” the security exec says. “He would turn on the camera, turn on the microphone, access documents. The response was, ‘Wow! They can really do this? We had no idea.’”
The Red Team also showed how a sophisticated attack could be brought onto the network and compromise sensitive data. The security executive gave each board member a tablet with the same access, privileges and security that company employees have, and showed them the dangers of emailing sensitive documents to their Gmail accounts, for instance, or how a hacker could send a fraudulent email to their own assistant that appeared to have come from the board member’s email account.
“By experiencing a little bit of pain and not receiving special treatment because they’re the board, it keeps their minds focused on security,” the security executive says. “The next time they travel to a high-risk country like China or Russia, and we want to issue them a burner phone or laptop, it helps them to get it.”
Lesson 5: Be careful answering the question, ‘Are we safe?’
It’s a simple question that can trip up a security executive: Are we safe? Don’t fall for it, security experts say. “Anyone who says, ‘yes, we are safe,’ is really blowing smoke,” says Brian O’Hara, information security officer at Do It Best Corp., a global hardware co-op in Ft. Wayne, Ind.
When faced with that question by a board of directors, O’Hara likes to pivot to a more circumspect answer. “What I can say is here’s what we’re doing, here’s what our peers are doing, here’s what best practices show, and we fit somewhere in the middle,” O’Hara says. “We’re doing everything reasonable in our business and industry that we should be doing.”
As for the former manufacturing CISO, he will take some valuable lessons with him to his next job – including spending more time forging relationships with leadership, educating the board, and scoring some quick wins. “You don’t have to fix everything,” he says, “but you have to fix some things, and they need to be visible fixes.”