IT Focus Area: Security
April 7, 2015
Protect Your Organization from a Breach: Start Talking Security in the Boardroom
The last few years have been a cyber-security nightmare with corporate data breaches dominating IT security conversations. As we settle into a new year — with cyber attacks expected to worsen — frustrated boards of directors are entering the fray.
Before high-profile breaches, security was an IT-centric discussion. This is partly because executives usually speak the language of dollars, cents and business metrics, while security professionals typically speak more technically. The result: a communication breakdown.
“I’ve seen CSOs give a 45-minute presentation to the board of directors about security, and five minutes into it, attendees are pulling out their phones, they’re doing something else, and the CSO has totally lost the audience because they weren’t speaking to them in their language,” says Eric Cole, senior fellow at the SANS Institute.
After a seemingly endless loop of headlines chronicling the plight of organizations like Sony that had enormous resources dedicated to security but were breached anyway, companies’ boards are sitting up and taking notice. They’re asking:
• Can this happen to us?
• How do we know someone has already compromised us and stolen our data?
• If we are breached, what steps should we take and how long will it take us to secure our data?
In its 2015 Global Megatrends in Cybersecurity study, which surveyed more than 1,000 global CIOs, CISOs and other IT leaders, the Ponemon Institute reported that 78 percent of respondents said their board of directors had not been briefed on their organization's cyber-security strategy in the past 12 months.
Companies’ boards need an accurate picture of the risks their organizations are facing, and security professionals have to find a way to give it to them in a language they understand.
In order to effectively communicate with the board about security, it’s imperative to consider the common misconceptions involved.
The Biggest Misconceptions Executives Have About IT Security
When you speak with the C-suite and board about IT security, you most likely encounter the following two common misconceptions:
Compliance Equals Security
Many executives believe that a compliant organization equals a secure organization. They may think, “If I’m aligned with the ISO framework and compliant with regulations like PCI, SOX and GLBA, I must be secure, right?” Unfortunately, it’s not that easy. Companies that have been breached are often seen as negligent, and the government steps in with more calls to regulate.
The pressure to comply with policy-based frameworks increases, and companies use those frameworks to help fund and drive improvements in security. While this is good, it teaches executives to aspire to a low bar. Just as passing a health inspection doesn’t guarantee that a restaurant will serve good food, compliance doesn’t guarantee security. It is a minimum requirement, and is not enough to protect an organization from the strategies and tactics being used by hackers today. Target, Home Depot and others were compliant with regulatory standards at the time they were breached.
Only a Sophisticated Hacker Could Breach Our IT
High-profile cyber attacks are often thought to be sophisticated, but many are caused by attackers taking advantage of basic, often unnoticed security vulnerabilities or failures in IT operations.
In Sony’s case, PricewaterhouseCoopers (PwC) assessed the company’s security prior to its breach and reported that more than 100 devices were unmonitored by corporate security following an incomplete transition from a private security firm to an in-house team. According to PwC, any response to an intrusion would be “slow, fragmented and incomplete, if it would even happen at all.” Sony did not fix this problem quickly enough, which made the company easier to attack.
Additionally, the “bad guys”, whether they are nation states, cybercrime rings or malicious insiders, are professionalizing and growing more successful at attacking companies. They have developed an entire ecosystem, organized around the steps they go through to break in and steal data, and they buy and sell services to one another. If the malicious actor that has targeted your organization doesn’t have the skills needed to breach your network, they can easily go out and buy them.
Educate the Board Now
You don’t want your first board-level conversation about security to happen after a breach. Boards and executives have a responsibility to protect the organization, and are therefore the most important group to educate about IT security and the most important champions of your company’s strategy. While they acknowledge the increasing pressure and scrutiny around security, it will be hard to get full buy-in unless they fully understand it is not just a technical issue—it’s a business issue.
Communication is Critical
“The single biggest problem in communication is the illusion that it has taken place.” – George Bernard Shaw
Making security a board-level priority is critical in the effort to safeguard data, contain breaches and minimize damage in an atmosphere of escalating cyber attacks. Executives are not going to learn technology; unless you have a board member who knows security or a security officer who can report directly to the executive team, you need to convert technology into business language and present it in a meaningful way. Communication is more than giving out information—it’s getting through to your audience. With effective communication, you can get past commonly held misconceptions and link IT security to the business value it provides, so that executives have the insight they need to make the right decisions about your company’s security.
Webinar: "Five Keys to Starting a Security Conversation in the Boardroom"
A previous version of this article appeared on FOCUS Magazine online.