Not long ago I was asked to attend a quarterly Board meeting of one of my healthcare clients and to present the recommendations of a Strategic Security Roadmap (SSR) exercise that my team and I had conducted for the organization. The meeting commenced sharply at 6am one weekday morning and I was allocated the last ten minutes to explain our recommendations and proposed structure for a revised Cybersecurity Management Program (CMP).
The client's Director of Security and I waited patiently outside the Board Room while other board business was conducted inside. As is the case with many organizations, information security was not really taken seriously there: the security team reported into IT, well down the food chain, with no direct representation in the C-suite. The organization's CMP had evolved over the years from anti-virus, patching and firewall management into other domains of the ISO27002 framework, but it was neither complete nor taken very seriously by those at the top. Attempts at building out a holistic security program over the years had met with funding and staff resource constraints, and Directors of Security had come and gone with nothing really changing.
The Security Director was enthusiastic, young, and bright. He had memorized the magic quadrant leaders for each and every security tool he felt would round out security across the organization. His approach to security was a shopping list of "shiny objects", each of which was a best-of-breed point solution. There was no strategy for integrating them and little understanding of the costs and effort that would be involved. Proposed solutions were only loosely tied back to business objectives and drivers.
Right on time, an Executive Admin opened the double doors to the boardroom and we were ushered in; printed color copies of the Executive Brief I had prepared uppermost on a stack of papers in front of each member. Like many healthcare boards, the membership was a mix of active physicians dressed in their whites and greens ready for their day shift, the CEO and his Executive team, and a collection of what looked to be retired Generals and corporate chieftains from various industries, including one notable banker.
The CIO introduced me and I spent the next eight minutes walking the Board through the recommendations of our report, leaving two minutes on the clock for questions. The Executive Team and most of the younger physicians nodded in agreement and understanding with each recommendation I made. Some of the older members required further clarification and a deeper explanation of the risk management context, which formed the basis of the suggested revisions.
All was going well, and at this point it looked as though funding would be approved for an updated security program. Then one of the older physicians asked a question about a particular security application. The Director of Security, who hadn't said anything thus far, saw his opportunity to jump in and be heard. Unfortunately, the language the director used was highly technical, and the physician looked on with a blank stare.
It was at this point that I realized why all previous attempts to build out a robust, holistic information security management program had met with failure. Security and the Board spoke totally different languages. It became clear that a formal Cybersecurity Management Program, written in language that both sides could understand and addressing underlying business objectives rather than focusing on the shiniest and newest security products and services, would be absolutely critical to this customer if it was to secure its business.
Fortunately, in this case the CMP was approved, but the communication issues between security professionals and boards of directors are widespread, especially in organizations afflicted with low levels of security maturity. There is a difference in language, and often a generational gap, that hampers understanding on both sides. Each views cybersecurity through a completely different conceptual lens.
Security professionals all too often attempt to explain risks in language that senior executives may not fully comprehend, using alien concepts and terminology. They fail to translate and communicate cybersecurity threats in terms of business enterprise risks and potential future impacts. These communication issues are compounded by a lack of trust and by a long-standing pattern among security professionals of using fear, uncertainty and doubt ('FUD') in these conversations.
Instead of muscling decision makers into procuring desired security tools with FUD, security professionals should define the probable costs of inaction, compared to the costs and benefits of action. This should include objective conversations about regulatory compliance and protecting corporate brand image, as well as the potential penalties and costs that accompany breaches.
Boards need to view cybersecurity as a critical business function and a business enabler in an increasingly inter-networked world. They need to educate themselves so they can make informed decisions on security strategy, policy and spend. Security needs representation at the senior executive level and should report regularly to the Board, so that the Board can make appropriate enterprise risk management decisions.
There is a widespread lack of quantitative risk assessment and reporting across the industry. Reporting should enable executives and their boards to view and weigh cyber risks in the form of a more familiar-looking balance sheet, rather than in a subjective report with only limited business risk context.
Above all, organizations need a formal cybersecurity management program in which security purchasing decisions can be understood in the context of addressing enterprise risks, while following a previously approved cybersecurity management plan.
A newly published Cisco whitepaper lists 10 key success factors for building a successful cybersecurity management plan. These apply not only to organizations constructing their very first formal CMP, but also to those looking to update or maintain their existing program. When followed in order, these will position the organization well for success.
The introduction of a CMP affects virtually every individual or group in an organization, so it’s essential that the final cybersecurity management program address everyone’s needs.
Years of experience comes through these cybersecurity writings and observations by Richard Staynings.
Years ago I told my daughters to take their high school presentation classes. I explained that it doesn't matter how smart you are; if you can't present your ideas clearly to your peers, they will not listen to you.
Thus it is with the Board or Executives here: you must speak to their level and address their business concerns. Jeff
Very true, Jeff. You can be the smartest person in the room, but unless you can communicate your thoughts in a way that others can comprehend, understand and agree with, you won't get very far. Of course, you need to get invited into the room in the first place, which is half of the battle. Too often senior executives and their Boards don't regard cybersecurity as a priority, or important enough to place on the agenda. There's a lot of persuasion and justification that needs to take place first, and some degree of qualification that the individuals called to present aren't going to mess it up and look like idiots, or worse, make officers of the company look like idiots in front of the Board. You did your daughters a great service by having them take presentation class in high school. I'm sure it will help them immensely in life.
In your article, you said: “security professionals should define the probable costs of inaction, in comparison to the costs and benefits of action”
I think communicating the value to their organization – if they actually do even some of the recommendations you are making – to the Board is one of the hardest things to do. I've found that when you can translate "if you do X, Y and Z it will greatly improve your security posture" into "if you do X, Y and Z, it will cost you $2.25M but save you $3M in OpEx over the next 2-3 years, with increasing savings in the long term", this results in a very different conversation.
The difficulty is finding supporting data to back up your claims. This data, of course, must be in your back pocket before making your claims, because someone will always ask: "How did you arrive at these numbers?" If you have this data ready, and from several reliable sources, your recommendations suddenly become more authoritative and will be taken very seriously. Now your recommendations have real business meaning.
To use a real example: I made a series of recommendations to an organization that were projected to cost $1.5M with an ongoing cost of $250k p.a. Independent research showed that a typical cost of an average cyber-breach in their industry was about $5.3M. The recommendations were projected to save them $3M per breach. Of course, no one can predict how many breaches they would suffer, but statistically an organization of their size and visibility suffered a significant breach at least once every 24-30 months. How many smaller breaches occurred cannot be accurately estimated, but they would make OpEx savings there too.
Assuming these costs to be correct and annualizing the costs results in zero saving in the first year, but on average savings of $1.5M per year in OpEx from then on (assuming no increases in costs associated with damage and recovery). If the organization suffered more than one breach every two years or so, the savings would be larger compared to those associated with inaction.
These numbers do not consider the cost to the organization of a public breach in terms of lost customer confidence, perhaps lost share value, and damaged reputation. Such losses could certainly inflict much larger financial damage on the organization.
“Cybersecurity is a critical business function and a business enabler” – right to the point!