In the boardroom, when it comes to addressing the topic of security, there's tension on both sides of the table.
It doesn't happen all the time, but when it does, the cause of the friction is usually security executives and board members – each with vastly different areas of expertise and interest – pushing to get what they want out of the discussion while keeping business goals intact.
Stephen Boyer, the co-founder and CTO of BitSight Technologies, a company that uses public data to rate the security performance of an organization, shared some thoughts with CSO recently, geared towards moving the discussions forward past the deadlock.
Since there are two sides to the issue, Boyer shared two sets of tips; one set for the board and the other set for the executives speaking to them.
As a board member
Frame expectations clearly
Communication goes both ways. It's essential to make sure the security team understands what information is required, how discussions should be framed, and the level of abstraction you require to make decisions. Otherwise, you risk sitting through conversations that fail to address the issues the business cares about most.
"In no way should every board member have to act as a security expert. But, in today’s world, cyber risks are a major part of managing risk in a business. Therefore board members need to make it known what they see as critical and how to begin those conversations," Boyer explained.
Are you talking about security or risk?
Performance is important, but instead of focusing on specific technologies, policies and procedures, evaluate what the business is doing to proactively mitigate cyber risks and what those risk levels are.
For example, are there risks in the supply chain that your organization could be ignoring? With each strategic decision made, are the organization's risks increasing or decreasing?
"Understanding the security performance of a company is important, but managing the risks associated with security is crucial. As in other business areas, boards need to be aware of the sources of risk and communicate clearly what is acceptable for the business. From there, it’s not up to the board to dictate what technologies and policies should be in place, but to guide their teams when it’s necessary to take action to reduce or transfer security risks," Boyer said.
Decide on the key indicators you want to monitor and be consistent
You don't need to be in the trenches to understand security posture if you choose the right data points to assess. Work with your team to choose meaningful, data-driven metrics that demonstrate both performance and effectiveness. It matters less how frequently you are attacked if your team is effectively re-mediating threats before they become an issue.
"One of the issues we can’t stress enough is that to arrive at insight and action ability, it’s important that all parties agree on a set of metrics that are objective and consistent. The goal is to paint a clear picture of security performance over time, and to gain context about where your company sits relative to peers and competitors within your industry," Boyer added.
Focus on a fixed set of key indicators, and benchmark performance over time to gain valuable insight into the issues affecting your posture and effectiveness. Moreover, correlate performance changes with key events to gain an understanding about the impact of technology investments, headcount and policy decisions.
In short, shift the conversation from a numbers game to a performance review, as you would in other areas of the business.
As a security executive
Always provide context.
Historical trend data and peer comparisons are key points for helping leaders "get it" when the spotlight is turned on security performance.
Being able to show how your organization compares to others in your industry, provides context that is often lacking from discussions about cyber security. Your board members bring expertise from their personal experience - tying performance metrics back to companies they've managed or advised can help.
Demonstrating that your company is more or less secure than others in your sector can help leaders justify strategic changes and investments that can improve your team's effectiveness.
"Context is key when it comes to security performance. If board members hear that overall security is going well, it gives them little information to bring cyber security into strategic decisions. A key way to add context to these discussions is through industry and peer benchmarking. If a security professional can tell the board, 'Here is where we are in relation to our industry and this is what I need for us to improve.' That is a strong and actionable statement," Boyer said.
Tell a story & teach a lesson.
Use this time to train your board members and fellow executives to be alert. Tell them what specific threats are targeting your company, what the attacks look like and what they can do to help avoid a breach.
If a peer has been breached and you fear you might also be a target, explain what conditions existed to allow the attack to happen and what you're doing to make the company more secure. By focusing on specific threats that your company is facing, instead of wants regarding issues you've already handled or the technical specifications of an attack, you can help prevent attacks from spreading.
"While conversations should stay high level when it comes to security, boards should be informed of major threats facing their company. In our recent analysis of the Education sector, we found that the Flashback virus was widespread on college networks," Boyer said.
"For a university security practitioner, this is crucial information to convey to the school’s board and more importantly, to answer the fundamental question: 'What does this threat mean for our business?'"
Answer the questions being asked.
Your metrics should paint a picture that people outside the security team can understand. Reduce the amount of technical jargon and stat charts on your slides and focus on measuring what matters to your audience. The end result should communicate whether you are more or less secure, and why.
"A lot of times we hear from companies that talking with security teams can be intimidating because not everyone in the room is a technological expert, or at the same level of awareness as the pros. The way to face this challenge is to avoid walking into the room with an eye-chart packed presentation, but to instead focus on only showing the metrics that answer the questions your board is asking. This ties back to knowing your audience and making sure you speak in a common language," Boyer said.