The annual Consumer Electronics Show shifted from geek heaven to a decidedly more serious tone this year as entire Boards of Directors from companies around the country descend on the Strip to learn about cybersecurity, hacking and more.\u00a0 Hopefully, in breaking from Sin City\u2019s popular tag line, what happens in Vegas will protect a myriad of companies back home.What happens in Vegas?The Wall Street Journal reported this week that corporate Board members were taking field trips to the Consumer Electronics Show (CES) in Las Vegas to learn more about cybersecurity.\u00a0 Coordinated by the National Association of Corporate Directors, members are being treated to specialized programs on technology ranging from a couple of hours to a couple of days.\u00a0 Though not the kind of party Sin City normally sees, it nonetheless suggests this is a perfect time for CISO\u2019s and other security professionals to get more familiar with their Boards.Let\u2019s be honest \u2013 most Board members for companies outside of the technology industry know exactly nothing about ransomware, quantum computing, or state-sponsored hacking.\u00a0 The closest many of them will have been to anything close to these subjects was watching the 2014 film The Imitation Game.\u00a0 But perhaps therein lies an opportunity.There\u2019s a key point early in the movie where Alan Turing (brilliantly played by actor Benedict Cumberbatch), explains in voiceover the complicated mechanisms of the German Enigma machine.\u00a0Enigma was Germany\u2019s way of encrypting communications from command centers to ships, submarines, and forward operating areas in World War II.\u00a0 The Enigma was a complex, though mechanical device, that turned ordinary text into \u201cgibberish,\u201d (as cited in the film).Cumberbatch, as Turing, narrates a short voiceover describing the difficulty in trying each of the Enigma\u2019s possible settings:\u00a0 159 million, million, million possible combinations, that changed daily.\u00a0 Or as British chess master Hugh Alexander (played by Mathew Goode) noted, \u201c1 \u2013 5 \u2013 9, with 18 zeros behind it.\u201dThe law of big numbersAn exorbitant number, one that is difficult to get one\u2019s head around, particularly for the 1940s.\u00a0 This was an analog device, as computers had not even been thought of yet.\u00a0 The problem comes from a subsequent scene, one that is indicative of how difficult it is for people to get their heads around these large numbers.In this now-infamous voiceover, Turing details how the messages were broadcast over AM radio frequencies: \u201cAny schoolboy with an AM (radio) kit could intercept it.\u00a0 The trick was that they were encrypted.\u201d On the screen, young women from the Royal Navy busily copy down the intercepted Morse Code snatched from the air and transcribe the random letters onto paper, then compile them into files.\u00a0 The problem comes when Turing explains the math. He says:\u201cIf we had 10 men, trying one combination a minute, for 24 hours a day, seven days a week \u2013 how many days do you think it would take to check all the settings? \u00a0Well, it\u2019s not days.\u00a0 It\u2019s years. 20 \u2026 million ... years.\u00a0 To stop a coming attack, we would have to check 20 million years\u2019 worth of settings in 20 minutes.\u201dThe problem is, that math doesn\u2019t work, as has been pointed out numerous times online and in math classes around the world.\u00a0 Ten men, doing one combination each per minute, would actually take 30 trillion years \u2013 a far more imposing number.Now, I understand creative license in a screenplay. It\u2019s not a documentary of every nut and bolt in the Enigma story.\u00a0 It\u2019s a two-hour movie, and accuracy must occasionally be sacrificed on the altar of brevity. \u00a0I\u2019ve no issue with that.\u00a0 There are several of these in The Imitation Game and some are kind of funny:The watch Alan Turing wears was not introduced until several years after the war.The Cole Porter song Turing dances to was not written until after the war.Turing\u2019s colleague Hugh Alexander notes he was a two-time British Chess champion. But Alexander didn\u2019t win the second championship until, you guessed it, after the war.Of men and machinesSo, what does this have to do with Vegas and cybersecurity? \u00a0Vegas is a city built on numbers, on probabilities \u2013 on people\u2019s inability to understand probabilities.\u00a0 It\u2019s an opportunity for a cyber professional to have a low risk, high return type of discussion with their management.\u00a0I\u2019d even play that short section of the film to a Board, just to show them how complex encryption really is, and how easy it is to get the math wrong.\u00a0 One could also show what it would have taken to hit the film\u2019s twenty-million-year target.\u00a0It would take 500 people, trying 500 combinations a second, 24 hours a day, seven days a week, to hit that enormous 20-million-year goal. But don\u2019t do the math for math\u2019s sake.\u00a0 Do it to start a conversation about resources.That is a lot of time and a lot of resources.\u00a0 That\u2019s the discussion to have with your Board, your C-suite, and your overall management.\u00a0 Cybersecurity is an extremely resource-dependent function.\u00a0 Boards tend to lump it into the overall IT budget as just another line item.\u00a0 It\u2019s not.\u00a0 Information technology is for running companies; cybersecurity is for protecting them.\u00a0Ransomware like Wannacry and Petya.\u00a0 Hardware flaws like Spectre and Meltdown.\u00a0 State-sponsored attacks against Sony and Yahoo.\u00a0 Criminal theft against Target and Equifax. These are not problems that standard IT budgets (and staff) are capable of stopping.\u00a0 And it won\u2019t get better any time soon.Artificial intelligence is making it easier to custom design attacks.\u00a0 These are going to require more resources, people and tools, to protect companies.\u00a0 It requires a completely different mindset \u2013 one most Board members have never had to address before.What are the risks to the company in the event of a hack?\u00a0 Is the damage restricted to the firm\u2019s own intellectual property, or is the highest risk from customer data?\u00a0 Knowing what needs to be protected will mandate how it should be protected.\u00a0 That will dictate how much the Board should allocate to protecting it.\u00a0Should a breach happen, directors (and c-suite management) will be the ones hauled into court, or Congress, to explain why better measures were not in place.\u00a0 The days of claiming ignorance are over.\u00a0 Insurance firms are putting directors on notice \u2013 standard D&O policies won\u2019t protect their negligence in the future.The more they can learn from the Vegas experience, the more protected their winnings can be!