How to Present Cybersecurity to Your Board of Directors
This is a transcript of the How to Present Cybersecurity to Your Board of Directors webinar broadcast on June 29, 2021. This transcript was generated primarily by automated voice recognition with minor edits for readability. Although highly accurate, you may note minor differences between the audio recording and this transcript.
Panelists
- Jay Ferro – EVP, Global Chief Information Officer, ERT
- Jason “JJ” James – Chief Information Officer, Net Health
Scot McLeod (Apptega):
Hello everyone and welcome again to the broadcast. I’d like to thank you for joining us today for a very interesting discussion and Q and A on presenting your cybersecurity status to your Board of Directors. With increasing cyber threats and recent high profile attacks, many boards are increasingly concerned about cybersecurity and, whether you’re a full-time CIO or CSO, or you may serve in a virtual or fractional capacity, our panelists will provide actionable recommendations that you can start using in your next board meeting. So before we get going, for those of you who may not be familiar with the host of today’s discussion, I’d like to provide a brief intro. At Apptega, we’re helping organizations of all sizes manage and respond to increasing threats by simplifying cybersecurity and compliance. We do this by providing an award-winning platform that combines the power of enterprise-class capabilities with the ease of use of consumer apps, along with the cybersecurity and privacy frameworks, you’ll need to assess, build, manage, and report on for your cybersecurity program.
So I’d like to remind everybody again, to submit your questions at any time during the discussion and you’ll do so using that panel on the right side of your screen, if that panel is minimized, you can use the little arrow up at the top to maximize it and get your questions in. We’ll try to take as many of those as we can at the end of the discussion. For the discussion today, I’d like to introduce our guest speakers. We’re very excited to have with us Jason “JJ” James, he’s the Chief Information Officer for Net Health and also Jay Ferro. He’s an Executive Vice President, Chief Information Officer and Chief Technology Officer for ERT. So JJ, would you like to go ahead and kick us off with a brief intro of yourself and your role at Net Health?
Jason James (Net Health):
Sure. My name is Jason James, JJ, I’m CIO of Net Health. We’re headquartered in Pittsburgh. I live here in Atlanta. We’re a SaaS provider in the entire continuum of healthcare. That’s everything from hospital to home. So my team is responsible for not only the infrastructure, the cloud computing, the DevOps, as well as the security. I serve both as CIO and, in a sense, CSO. So as I tell people, I have the best of both worlds. I have the worst of both worlds, but it keeps every day exciting.
Scot McLeod:
Very nice. All right. Jay, how about yourself? Would you like to provide a brief intro and describe your role at ERT?
Jay Ferro (ERT):
Yeah. Jay Ferro, EVP, CIO, and CTO – Twice the responsibility, but no extra money. Which is one of the reasons I look the way I do. I’m only 26 years old. Look at me, I’m aging like a dog. But anyway, it’s a great role. We are a global data and technology company in the clinical trial space. And it’s been a lot of fun so far. I’m relatively new, seven months in, so still drinking from the fire hose, but having a great time and working with a great team. I’m former CIO at AIG, the American Cancer Society, EarthLink, and Quikrete Companies.
Scot McLeod:
Excellent. All right. Well, like I said, we are very excited to have both of you on with us today. So, before we get into the discussion, we’d like to ask our audience to participate in a couple of polling questions to give you a feel for the makeup of the attendees. And we should see the first question on the screen now. So for all the attendees, we’d like your input on this, “which best describes your role or roles in your organization?”
So at this time, we’ll move on to our second poll question. We’d like to know what your current challenges are that you see in reporting cybersecurity to your Board of Directors. And again, please select all that apply.
So, Jay and JJ, what do you think?
Jason James:
So I think if we think about the first and second one, it’s sort of a balance of both, right? If you talk about a mixed audience, your board is going to be a mixed audience. There are going to be those that were former operators, whether they be a CEO or CFO, the business. You’re starting to see more officers or directors or board members that have somewhat of a technical background. I know Jay sits on several boards, but generally, you don’t always get that. So you’re going to get tech and non-tech, so it’s really, how do you balance what you need to share with what they need to know for a mixed audience, right? And to me, those two sort of go together because every board I’ve ever presented to has been a mixed audience, but there does come that time when we have to figure out how to balance it. You want to present, and nobody wants to see a 400-page slide deck going into the board meeting. First of all, they’re not going to read it. They’re too busy. Second of all, you need to be extremely well-prepared for questions that come up that may not be part of the board slide but are derivative of the information you’re sharing. So, if you talk about how many potential breaches in the last year are on there, someone might ask about those dates, and you need to be prepared. So anything you list, there’s an outline. You need to have supporting evidence that isn’t necessarily within this long.
Jay Ferro:
Yeah, I agree. I think talking about things in business terms, talking about things in terms of results. Scot, you made a comment at the beginning that boards are increasingly concerned about cyber. I’ll tell you what, if you find a board member that’s not concerned about cyber, I wonder what the heck they’re doing and if they ever read any news or anything like that. So, I think you would be hard-pressed to find a board that isn’t interested in cyber, but to me, all of these resonate, right? Because they’re challenges that we all have. And you do have a mixed audience. I think there is a propensity for IT people (by the way, I’m a lifelong IT guy) to carpet bomb a board with too much detail, and not at the appropriate level. And you want to be able to show them the effectiveness of your program over time and against models that make sense, right? That resonates, whether it’s ISO, GDPR, or whatever it is, you’re moving toward a target. Yes, we always know that cyber is always evolving and threats are always growing, but you want to show them that you are making progress against a goal or a set of goals. Even if it’s continual improvement goals, so that they can see progress month to month. Keep in mind that a lot of these board members that are coming in are seeing you maybe once a quarter, maybe once a month. I mean, if you have an audit committee that meets more frequently, sure. But they’re not there day to day. And so you can’t treat them like they’re there day to day. They don’t understand sometimes the lingo, the nuance that you have as a CIO, CSO, VP, director, or whatever, so you do have to do a good bit of education and make sure that you’re using consistent terms from meeting to meeting. And over time, though, they’ll pick that up. But I think all of these resonate, except others, and I’m sure I could think of others. I’m not sure if it’s in 17%.
Scot McLeod:
Speaking of others, there’s one in here that I don’t think will surprise anybody. It goes to communicating the cost of remediating gaps. So the whole cost side of the equation is here as well.
Jay Ferro:
Absolutely. And to me, it’s all about risk and business risk. So, translating all of the stuff that we deal with every day, JJ in his role as CSO, CIO, ninja warrior, and everything else that he does. I mean, it’s all about communicating risk. Not only the risk itself but the probability of the risk, as well as the impact. Right? So in insurance terms, back at AIG, for those of you familiar with insurance, it’s frequency and severity. How likely is it to happen, how often will it happen, and when it does, or if it does, how much is it going to cost you? And what is the impact? And making sure you’re communicating that in business terms and those implications in a language that they understand. I think when you do that, you begin to build trust and they will come around on the cost because now they understand exactly what you’re getting at.
Jason James:
Jay talks about really conveying a message that they can understand. This ultimately comes into play in storytelling, right? How do you take something as complicated as saying how we’re offloading our logging data into the SIEM, or how we’re actually making sure our VPNs are protected? If you have a mixed audience, how do you convey that in a way that they understand? And so don’t get so hung up on the actual technology you’re using or the acronym you’re using. Focus on the story and how it would resonate with them. Again, Jay talked about risk. You talked about severity. But also talk about what these tools are doing versus what the specific tools are.
Scot McLeod:
Excellent, gentlemen. This is fantastic. And we haven’t even gotten to the first of our four prepared discussion topics. So speaking of that, let’s jump into these discussion topics. And hopefully, we can weave in some actual examples from some of the things we just chatted about. So the first one here: how to be candid with the board members, but not overwhelm them with too much detail? Just as you’ve both been talking about. JJ, do you want to take this one first?
Jason James:
At the end of the day, you do have to be candid. You have to be frank, but you cannot be panicky. You can’t walk into a room with a board member and be like, everything’s F! We’re on fire. We’re getting shot at with arrows from every direction. You are, make no mistake about that. There’s no one doing any kind of protective measures that doesn’t get frustrated with the amount of potential attacks or users or how data is being handled or any of that. It gets incredibly difficult, incredibly frustrating. You have to walk in, be bold, be candid about where the issues are, be frank on how you intend to address them, and also convey to your board what you need from them, right? The one thing you don’t want to do is surprise the rest of your C-suite going into that board meeting, right? They’ve seen the deck. You’ve shared your concerns, all that’s clear going into that. But you need to explain what you need and how long it’s going to take to remediate. Security is not a one-time project. It is always ongoing. It’s always evolving because the threat landscape constantly evolves. So be prepared. It’s not about just saying, “Hey, here’s what we need. We’ve done this acquisition, this was missed. Here’s what we’re going to need to remediate this. Here’s the cost.” But be prepared for those questions. A really savvy board is going to understand that this is a constant, ongoing project. But, what are we doing this quarter? What are we doing next quarter? What are we doing to lower our overall risk?
Jay Ferro:
That’s right. I agree. There’s continuous care and feeding of the cyber program that they have to understand. But I think even with the continuous care and feeding, you show them your progress over time. And you show them that the ball is moving forward and that you have a continual improvement mindset. JJ said something about walking in and the sky is falling. I think for many CSOs, CEOs, senior executives, especially when it’s their first or one of their first times getting in front of a board, like anybody, they’re just excited to be there. They’re exuberant. And they want to regale the board with the depth of their knowledge because they feel like they might not get another chance. Or, hey, I’ve got to tell them everything I know, and they end up with diarrhea of the mouth and cause more problems than solutions. This is your chance as a leader when you’re in front of the board to communicate not only your command of the risk but your command of your emotional intelligence and your leadership capabilities. So use this as an opportunity to present risk and, to Jason’s point, look, it may be bad. He and I have both been in organizations where we were brought in to respond to a cyber incident or a breach of some sort, and it’s rarely ever great news. But you have to model the behavior that you expect of your team. The last thing a board is going to want to hear, or a CIO is going to want to see in her or his CSO or CIO or director or whatever, is panic. You can communicate a sense of urgency without panicking and command, “Hey, the baby is ugly, but we are going to get out of this, and here’s our plan to do it.”
This is what I’m going to need. We’ve triaged all the risks. These are the priorities. We’ve thought this through. These are the near-term timelines. This is what’s going to happen. And this is what success looks like. At least a milestone of success, recognizing that it’s a never-ending battle. So use it as an opportunity, not to just have diarrhea of the mouth. I will say early in my career, I learned that lesson the hard way. I learned two lessons. One, I brought up a topic, this is a lifetime ago, but I brought up a topic that my CEO wasn’t prepared for. Which could have been, luckily it wasn’t, a career-limiting decision. And two, I used my somewhat limited time to essentially annihilate the former staff that was responsible and spent more time piling onto them than I did on looking forward and on how we’re going to get out. I wasn’t wrong, but it was the wrong forum to do that, and it was really just counterproductive. So instead of going in and being like, “Hey, I inherited this dumpster fire, and let me tell you how bad they were,” acknowledge how bad it is without assigning blame and show them, more importantly, how you’re going to dig yourself out of the hole.
Jason James:
Yeah. To Jay’s point, it gives you a really good audience for showing off your emotional intelligence. Panicky executives don’t get funded. And if you’re going to walk in and ask for additional funding, you’ve got to be calm. You’ve got to be collected. You’ve got to know where the journey’s going to take, not just you, but them. And so be very clear in what you want. And again, to Jay’s point, we’ve all walked in and inherited a mess from former people. Whatever it is, you don’t blame them. You don’t blame the staff. You just explain how, as now captain of the ship, you intend to helm it during the storm.
Scot McLeod:
Very good. We got a comment here that the management team must speak with one honest voice. I’m betting both of you firmly would agree with that.
Jay Ferro:
Such a good point. We can argue like cats and dogs or vigorously convey that in a private conference room. And you want that. You want good and healthy debate and good, healthy dialogue, rich in constructive disagreement. That’s what good diverse teams do. They bring a lot of different viewpoints. But when you walk out of my conference room, whether it be virtual or physical, there should not be any daylight between us, either as an IT or R&D team or as an executive team. You should be speaking with one voice, and good leaders know how to do that.
Scot McLeod:
Excellent. All right. Well, let’s move on to the second of our discussion topics here, which is “How to present measures of effectiveness and maturity?” I really liked this one because I’ve been in board meetings where the measures of maturity are used, but many board members seem to have a difficult time connecting the dots between maturity and wanting to know, is our program really effective? Is it working? So Jay, how about we go to you first on this one?
Jay Ferro:
Yeah, what I recommend is pack in as many slides as you can, and just carpet bomb them, cover them up with detail. No, I’m kidding, you don’t want to do that. You actually want less is more. And you want to communicate your program in business terms and in terms of a measured approach to risk management. That is how you’re going to get funding – this is the situation, this is where we are, these are our aspirational targets, this is why we chose our aspirational targets. Your targets may be near term, but they are on a continual journey that never ends. And we all know that, right? But just because the journey never ends doesn’t mean you can’t have a plan. There are milestones of maturity along the way. I mean, there are things that are binary in cybersecurity. Communicating that very clearly in business terms, communicating the risk in business terms, but keeping it simple, and then asking for feedback from the board is so important. What do they want to hear? What resonates with them? To Jason’s point earlier, they’re bringing a diverse set of backgrounds. Chances are, in 2021, cybersecurity is not a foreign word to them. If they were a COO, CEO, CFO, VP of whatever in some organization, chances are they have an opinion and a point of view on cyber. So I think engaging them in the discussion and getting their feedback, “Is this working for you? Is this clear? What can I do to make this more clear?” And just being very, very open to candid feedback. It’s so important. What would you want to see in this quarterly meeting? Now, again, you want to avoid whack-a-mole where every month it’s a surprise. I think setting the stage that you want to get to a repeatable set of measures of effectiveness and engaging them in that dialogue is a great way to get what they need and make them feel like they’re part of the process and that you’re a collaborative leader.
Jason James:
Yeah. No matter if your board is serving a publicly-traded company or a PE-backed company, whether it’s private, everybody’s chasing the calendar. Everybody’s got goals that they have to hit within a calendar timeframe. So, it’s important to show where you came from, where you’re going and what are the next steps. They want to be able to track that over a time period. A lot of the projects we talk about, from a cybersecurity perspective, can’t be done in a few weeks. Some of them are done in a few months and most of them take as much as a year. So, you have to be able to show that there’s progress being made. You also have to be honest and candid enough. It can’t be all green. If we look at the chart here, obviously not all of them are green, but you’re trying to show that there are areas of improvement and areas that aren’t exactly in the green zone yet and what you need to do to get there.
And sometimes that requires an ask of the board. It might require additional funding. It may require that timelines change because something has been discovered that affects your overall roadmap. And so from a maturity perspective, Jay jokingly talked about bombarding them with decks. Sitting in a board meeting, if you’re a board member and you get overwhelmed with the number of slides, that shows the maturity of the leader themselves, right? It’s about telling a concise, crisp story of where you are, where you are going and what you need from them. It’s not about drowning them in information. It’s not like you hand over a bunch of SIEM logs and say, look, this was every time we were attacked from an IP originating in Russia or China, right? That’s not the story. The story is that there are outside threat actors, and this is what you’re doing to protect against them.
That’s what they want to hear. Not that it occurred every third Friday under a blue moon. Nothing like that. If it does that, there’s something very strange about that, and you probably should monitor that a little closer, but the idea is to show where you’re going on a level of maturity. Know that there’ll be times that stuff gets behind on the schedule, on the roadmap, and you need to share why – not that it happened, but why it happened and how you intended.
Jay Ferro:
I think you’re right. The action needs to be clear, concise, actionable, insightful. In a language they understand from a financial business perspective and what the impact can be. I mean, if you do that, I think you’re leaps and bounds ahead of before. I’ve been in some pretty bad presentations, and as a board member, you have an obligation then to coach them and say, let me give you a little bit of advice on how to more concisely and clearly convey what’s going on in the organization. The board is there to help you, right? This is not a gotcha where it’s anything I say; you’re not being deposed in a court. But the board is there to help you. And they have a responsibility to the organization, just like you do.
Scot McLeod:
Very good. All right, gentlemen, we’re going to give you a short break while we ask our audience to participate in another polling question. You should see it on the screen now. And it says, “relative to your board, what changes have you seen during the last year?” And again, please select all that apply.
Jay Ferro:
No, it’s interesting. Yeah. I think I said in one of our prep meetings, all of the above. I think there’s still increased scrutiny, especially during a time of COVID, and our response to that, making sure of it, has added a whole new level of risk to the organization, as we all very well know. So I think our response and our posture have gotten heightened interest. Frequent updates, I don’t know that. For us, it’s been about the same, but we were already meeting fairly frequently anyway. So that may just be a function of what we were doing versus a change. I’m in a highly regulated industry, so the term audit is a daily occurrence. Probably the same for you, JJ. Whether it’s security questionnaires and responses to those, or audits, et cetera, we’re dealing with that every single day. So those are just standard operating procedure. And in cyber insurance, because we’re a company that has grown and is growing through acquisition, certainly taking a look at our cyber coverage and reviewing it to cover new acquisitions, making sure limits are set appropriately, is certainly part of our remit too.
Jason James:
Yeah, none of this surprises me. Just a point on a couple of things. Obviously, Jay and I are in highly regulated environments. They’re not going to get less regulated. They’re going to get more regulated. Not only from changing laws, but the fact is when you deal with healthcare and those kinds of records, more and more stringency will be brought about not only through federal regulation, but also from clients themselves. Right? If you look at healthcare records, they are by far the most valuable in terms of the black market. Some studies show your social security number might be as low as a dime, your driver’s license with picture might be 25 cents. Your healthcare record could be as high as $250. For the sheer fact that those records could be used to gain access to prescription drugs. And of course, those are sold on the black market as well. If you look at it from an audit perspective, if you’re any kind of growing company, more and more audits are being brought to bear, whether they be SOC 2 or HITRUST. If you’re like us or others, more and more regulation, not only pushed from organizations, but pushed from your own clients, will impact what you do. Any time there’s a major security incident, regardless of what industry gets hit, there’s going to be increased scrutiny on security. Everybody’s wondering when it’s going to happen to them and what they are doing to avoid that. So, expect it. It doesn’t matter if it’s oil or gas, you’re going to get asked for it. It doesn’t matter if it’s healthcare, you’re going to get asked for it. Any time it hits the news, it’s going to hit you.
I do want to speak for a moment on cyber insurance. Last year was an incredibly expensive year for those providers. What we’re finding this year is many organizations are seeing sometimes double-digit increases in their premiums with lower coverage. And also, some providers are just getting out of the business. It’s just becoming not as profitable for them. So, those that are going to be left writing those policies, they’re going to come back to you. There’s going to be a lot more scrutiny about your programs, how you’re measuring that, usually through third-party independent audits, and what you are doing to protect the most critical data. If you’re a healthcare company, of course it’s health-related data. But if you’re any kind of e-commerce, it would be not our customer data, but credit card information. All this goes into effect, right? And all this will impact you, whether it’s being driven by your board, driven by your provider, or driven by your clients.
Jay Ferro:
No, I think that’s right. I mean, it’s the threats that are always changing. And the one thing I have found when communicating to the board, I rarely have to do the fear, uncertainty, and doubt, like we used to back in the day. Most boards now, and there are exceptions, are educated enough to know the world we live in. In the past, you could point at Target and some of the big high-profile cyber incidents of the past, a little bit happened to them. Today it’s so common that there’s this constant level of fear that I think most boards are aware of. That said, to Jason’s point, more recent breaches, the Colonial Pipeline breach, are stark reminders of what can happen when you don’t keep your eye on the ball. Now we don’t know all the details yet, so I don’t want to be unfair to the folks over there at Colonial. I’m sure they were doing the best they can. But look, security starts with the basics. The last thing you want to go to a board with is, we had an incident and although we were able to contain it, it was because of something incredibly minor. Like a hacked system or plain text passwords that haven’t been changed in years, credential sharing, automated credentials. All of these things were easily preventable. And the one thing I talk to so many CSOs about, when I join a new organization, and I do a lot of turnarounds and a lot of transformation work, is the first thing they always complain about is money. Don’t have enough money. I’m like, okay, it’s probably true. It’s a classic problem.
Always more demand than supply in IT. And I say IT in the loose sense. Classic problem. However, good blocking and tackling, good hygiene, doesn’t always cost money. Enforcing complex passwords costs you nothing. Zero. And I’ve been in organizations where the executives just didn’t like it, so that is why they didn’t enforce complex passwords. Now, if you can’t get over that hurdle, you might want to look for another organization to work for. You’re swimming upstream pretty heavily. But I mean, those are things that you can implement whether they like it or not. You can communicate the risk in plain terms. Like, let me explain to you what happens when one person with elevated credentials gets compromised. It takes one, that’s it. Doesn’t matter who it is. If they have elevated credentials and one, there are a lot of things that you can do.
So, when you’re communicating to a board, I think it’s very important to communicate what you are already doing with the money that you already have. And showing them that, look, we have X number of people, X amount of capacity, X amount of dollars. This is what we’re doing. We’re doing everything we can to get the most out of what we already have. However, here’s the gap between what we have and what we should have, that will drive what we want to do in our growth, in our maturity. If we have X and we need X plus one, that is where you can justify it. I want to eliminate the, well, what the hell are you doing with the money you do have. I want to walk in prepared to show them that we’re wringing every dollar of value that we can out of the monies that we do have. Now, the caveat that I learned, Scot, I told you I can regale people with stories and things that I screwed up in the past. I actually had an audit committee chair years and years ago saying, Jay, if you need anything, I’m your man. You give me a call. All right. So exuberant Jay, 20 years ago, early in his career, says, oh, well, I’m in. The chair of the audit committee, a prominent board member, said to reach out to him. I have his cell phone. So I set up some time and told him that I needed more money. Let me tell you how that went over with the CEO. Because I failed to inform the CEO. Now people look at this and go, why in the hell would you have done that? I was a new leader at the time. It was a momentary lapse of judgment, a mistake that I have never, ever repeated since. But it resulted in a fairly uncomfortable situation, where I wasn’t privy to certain things that were going on between the CEO and the board. And it all ended very, very well. And it was taken with the spirit that it was intended, that I was just trying to help the organization. But it was a foolish, immature mistake.
Because at the end of the day, it’s the CEO and the CSOs, CIO, et cetera, that are on the hook for this day to day. And if I’m going to communicate a need for more money, it’s got to go through the CEO.
Jason James:
Two things. If we can learn anything from today, we realize you too can screw up as big as Jay Ferro did and still grow in your career. So, don’t fret about screwing up in your career. You can still do fine. He’s done okay.
You look at all these changes that are occurring and all this stuff that’s going on. And everybody’s concerned. To Jay’s earlier point, I don’t think you have to focus on the doom and gloom anymore to get people to buy in on why it’s needed. If you do, you probably got the wrong board and you’re probably in the wrong company. The second thing that’s important to note that Jay mentioned is nobody wants to be in the news because you had transmitted clear-text passwords or anything like that, or were not changing passwords. And everybody has admin access. If your security teams can’t handle the basics, all the money in the world won’t transform them into a better team. And so, those basics have to be done first before you should even think about adding EDR, adding third-party monitoring of your edge networks, any of that. You’ve got to get the basics down. The last thing a board wants to hear is a breach has occurred over something so simple. And when those things occur, it’s an RGE, a resume-generating event for you. And so, you need to make sure as a leader in that role, and you don’t have to be CSO, you don’t have to be CIO. If you’re any form of management and leadership, you need to push back and say, why aren’t we doing the basics? So, the last thing those board members are going to want to hear is that you didn’t do the basics. You have a responsibility to your organization to make sure those get done as well.
Jay Ferro:
And we have plenty of examples of that, right? If you look at the major breaches that have happened, the big high-profile, this-is-the-worst-one-ever, et cetera, are they the result of some sort of Ocean’s 11 style breach? No, they’re not. It’s an HVAC vendor. It’s an unpatched box. It’s plain text passwords. It’s elevated controls. All things that were completely within an IT organization’s or security organization’s ability to control. It wasn’t some massive sophisticated scam. They do exist, clearly. SolarWinds and others. However, most are the result of just not taking care of the blocking and tackling.
Jason James:
Absolutely.
Scot McLeod:
Very good, gentlemen. Very good. So how about we move on to the third of our four discussion topics, and with this one we’re going to come around to some of those personal concerns that the board members may have, and in particular personal liability risk being one, but there may be others. Let’s see. I think we’ll go back to JJ to kick this one off.
Jason James:
Sure. And I want to really go back to a quote from 2014 by an SEC commissioner, who stated “boards that choose to ignore or minimize the importance of cybersecurity oversight responsibility do so at their own peril.” So, if you’re a board member, you have a responsibility to the organization, keep in mind board members don’t manage, they govern. And as a governing body of the organization, they can be held responsible from a liability perspective. And so, in their sense making a mistake, they are covered by policies. But again, they don’t want to get into any kind of suit from a civil action perspective because they did not make sure that they were governing correctly. And as a modern governing board, you have to make sure your cybersecurity minimums are being met. We’re not even talking about going above and beyond, just that the minimum is being met.
Do you have effective change controls in place? Do you have effective antivirus, EDR in place that can block a threat? Is there any ongoing training for the staff occurring? If so, how frequently is that done? Is there any kind of outside audit that measures this? These are all things that in the event of a breach, and again, I’m not an attorney, I’ve just read several of the cases, will come back from a civil suit perspective or a class action and say, look, you didn’t do this. They have not only a vested interest in being a board member because there are compensations tied to their seat, but at the same time, they want to reduce the overall liability. And it’s important for you, in a sense, to protect them as well. As you’re protecting your own role, your own company, you are also protecting those that sit and govern your affairs and your company.
And so, from that perspective, you need to make sure, from a policy perspective, that if you don’t have some form of meeting on the calendar year to address the board concerns. And it would surprise me if you don’t, from a security perspective. If you don’t, you need to talk to your CFO, your CEO, or whoever schedules the board meetings and say, look, we need to address this. Where we are, where we’re going, next steps, and make sure that’s on their calendar. Hopefully for this year, but if not, whenever you need it again. But I would be surprised if they’re not asking for it, but if they’re not, you need to be making sure you get on that.
Jay Ferro:
That’s right. I’ll go back to concise reporting. And in clear, I don’t want to say one-pager, but minimal pagers where they can walk away with a feeling of where they are and an appropriate sense of what the risk is to them and to the organization. I remember one time, it was my first board presentation at a company back in 2012, one of the gentlemen on the board was the COO for a major airline headquartered in Atlanta. We’ll call it that. I just narrowed it down to one. And after I was done, he approached me and said, Jay, it was probably one of the best presentations on cyber that I’ve had in my career. And he’s an older gentleman. And then he would probably blanch at the fact that I called him older, but he’s older than me.
He was older. And because I had gotten it down into some bite-sized chunks, he walked away with an understanding that things weren’t good, but they were improving. He understood what the benchmarks were, the goals that we were trying to achieve, the progress we had made and the risk to him and to the organization in a concise business-focused way. So, he walked away with stuff, and keep in mind, they’re going back to their day jobs and what are they doing? They’re executives in their own organizations. If you were in their organizations, you would not give them 80 pages of garbage that they have to go through. They don’t need to see all that. You would give them a quick and concise way to synthesize the state of as-is. The state of today and how we’re progressing along with that journey and where they can help. That will help them really kind of crystallize in their mind their own personal liability and what they need to do about that.
Scot McLeod:
Very good. Thank you, gentlemen. All right. Let’s move on to our fourth topic here and then into taking some of the questions that have been coming in. And this last topic is about seeing cybersecurity as more than just an insurance policy, if you will, but helping to, how can it be used to actually help grow the business? And Jay, let’s go to you first on this one.
Jay Ferro:
Two thoughts right away. I laugh because if you’re still looking at cyber as an insurance policy or just a utility, then you’re missing the point. It should be pinned to the top of everything that you do and woven into everything you do as an organization. Managing risk is an executive’s job, not an IT executive’s job. An executive’s job, in any form. So, I don’t care what role you’re in, part of your remit is to look at risk to the organization and manage that. Obviously as a CSO, CIO, et cetera, you have additional responsibilities. Number two, if you don’t do your job well, business growth is not going to happen. Business growth is going to go the opposite way. And, so a good robust cyber program is clearly tied to any potential for business growth.
Otherwise, you’re going to go the opposite way, and nobody wants to see that. The third thing is a robust cyber program where you are forward-looking, you’re honest, and you’re transparent. You’re showing continual improvement, you’re recognizing and have a good handle on the risk in the world and what’s going on, but you can stand behind it without too much bravado. Let me get my words right. You don’t want to be a target. I think it can actually be a sales generator, right? When you’re that confident that you can go out and say, look, we recognize we are evolving targets. We also recognize that we’re not perfect. However, what you can say is cyber, the protection of your data, Mr. Customer, the protection of our employee data, the protection of our organization is paramount and it’s always going to be paramount. To me, that’s a sale. That’s a sales tool. Obviously, it has to exist and it can’t just be words. But when you can go out and say that and be proactive and lead with that, to me, that is a tool for your sales team to generate business.
Jason James:
Absolutely. And let’s just focus on that last one. If you take an organization like us, being a SaaS-based organization, it becomes a competitive advantage. If you’re in any kind of organization where you handle the data of others, there are security questionnaires you go through, constantly. Jay gets hit with them every day. But going back and saying, look, here’s our security program. Here are the investments we made. Here’s how we measure it from a third party. Whether it be HITRUST or SOC 2 or whatever. To be able to show that we’re walking the walk and talking the talk. It can be used by your sales team especially as you enter those markets. To be used as a competitive advantage. Not only are we protecting that data, but we protect it in a way that’s above and beyond what we’re seeing from our competitors. And so, if you’re in SaaS, as SaaS sells, they love that. They will lead with that all day long. Everybody’s concerned about security these days. It’s not just your board. We talked about Colonial Pipeline, but there’s been Target. Today there was an issue with LinkedIn, 700 million records are out there. Guarantee it’s most of us on this call. Right? And so how you measure your security, how you enforce your security is important for those buying your services.
Scot McLeod:
Excellent. We have finished up our fourth discussion topic. So, we’d like to ask everybody to participate in one more quick polling question before we move on to taking some of your questions that have come in. You should see this on the screen as well. Would you like to learn more about cybersecurity software from today’s webinar’s sponsors? So, A, if you’d like to learn more about cybersecurity assessment solutions. B, if you’d like to learn about cybersecurity compliance and reporting solutions. C, if you’d like to learn about managing audits with a cybersecurity software solution. D, if not now, but maybe in the future. E, if you’re not interested. We’ll give you a moment to get your responses in, and then we’ll move on to the Q and A. Done, everybody. Thank you very much for your input.
There. We’ll move on to the Q and A, and I want to remind everybody again to use that panel to submit questions. We’ve got several good ones here and probably more to come. So, let’s see, gentlemen. The first question, let me pull these up really quickly. The one I’d like to go to basically says, “Part of an effective board discussion is understanding the risk tolerance of the organization and to frame a discussion without under or overselling. Can you describe an example of how you’ve done that in your prior organizations?” Jay, can we go to you first on this one?
Jay Ferro:
Yeah. I mean, I think at least in highly regulated organizations, you start with a baseline given. You know what your customers are asking for, and you know what regulatory frameworks that you’re aiming for. I tend to set the bar much higher for my organization than any board has ever set it for us. I’m a firm believer that good cybersecurity is an outcome of good IT management and good technology management, good software development, et cetera. So obviously most companies are not there. But if you’re having to generate artifacts and generate evidence, and every audit and every cyber report, or every board meeting is a three-day prep of, “Oh, crap, we have to go create and pull data now.” You’re not doing it right. You’re not where you need to be. If the byproducts of your standard operating procedure.
I think having an open and honest conversation with your CEO, CFO, Head of Risk is to distinguish what good is. And where is our tolerance for risk? And having an open, honest dialogue about the potential impact and the likely impact of a cyber incident on the organization. The ability to quantify the reputational damage, the financial damage, et cetera, is a good start. It will evolve over time as new threats come out and making sure that you’re keeping that refreshed. Especially as you maybe enter new countries, get new frameworks thrown on you.
Obviously, we’re seeing them all the time. To JJ’s point, it’s only going to continue to get more challenging. So, I think it all starts with an open and honest dialogue with your internal leadership team and having an approach. One thing auditors love, or even boards love, is that you’ve made a decision as to what the organization’s risk tolerance is. And you’ve said, this is what we’re aiming toward. This is the risk we’re willing to accept. This is the program of work that we’re using, and we’re going to be measuring it over time. And we’re not bouncing around from shiny object to shiny object month to month. So, I think that’s, to me, where it starts.
Jason James:
Yeah, to Jay’s point, it begins way before it gets to your board. That risk tolerance isn’t decided by the CSO, isn’t decided by the CIO, it’s decided by the collective executive organization. You need to make sure before those board meetings ever take place that you’ve had those discussions. What is an acceptable risk? Because there will be decisions that are made collectively that you have to defend, but all in all, it’s not you deciding what that risk factor is.
Scot McLeod:
Very good. Very good, indeed. All right, gentlemen, another question here. And you both hit on this a couple of times regarding boards that maybe aren’t so focused on cyber. So maybe the answer to this will be very short. But the question is, “where do you start if your board is not requesting cyber and IT updates?”
Jason James:
Go to whoever schedules those meetings, and it might be the CFO, might be your head of strategy, might be your CEO, and say, “Look, we need to get that out there, discuss where we are today, where we’re going.” And be proactive. Don’t wait till they come to you asking for an update. That will usually happen after a major incident, but you need to get ahead of it. Especially if you’re new in that role. It’s going to take you some time, but you need to assess where you are and where you’re going, and then relay that in a crisp and concise way and be bold enough to say, “Look, this is where the investments will need to be spent.” Now your CFO or CEO should not be surprised by that. And so that should be a discussion you have even prior to that meeting. Be bold, get out there, and make sure you are relaying that message of where you intend to take the organization from a security perspective.
Jay Ferro:
I agree. I think that’s generally where it starts, and it may not be that you get that full invite where you’re doing a 30-minute presentation to the board. It may start with you feeding the CIO, the CEO information that he or she presents, or the CFO, as you build confidence. But I think continuing to educate your internal team on the threats that are out there and why this needs to be elevated to that level, showing them, not going back to the fear, uncertainty, and doubt. If it’s that level of maturity, you’ve got to do that without coming across as panicky. There are plenty of articles out there about how important board education on cyber is. So, educating your executive team and living to fight another day. Maybe getting a little bit of victory, giving the CEO something for his or her back pocket. Like here’s where we are with our cyber program. Because at some point they’re going to get asked and you want them prepared and say, “Let me just give you some walking around info” on how you’re doing. And having a dashboard like this particular one, how we are moving against GDPR and ISO 27001. So that at any given time he or she can say, “Yeah, we’re actually doing pretty well, got some gaps and some areas of trouble, but we’re working on it. And here’s generally where we are.” So, I think you can take the incremental steps to educate your executive team and your board. You can be the noisy bell or the cleaning bell without being annoying. I think you can just kind of just, can I get five minutes? Can I get five minutes?
Scot McLeod:
Very good. I think we’ve got time to squeeze in one more. And it’s an interesting question. I’m not certain that it’s tied to reporting to the board, but maybe you all will connect dots that I’m not seeing. It says, “What are your thoughts on using a managed service versus managing cybersecurity internally?”
Jay Ferro:
I’ll let Jason start with that one. I have some thoughts.
Jason James:
Let’s be blunt. Either way, it’s your ask. And so, whether they’re managing it or you’re managing it, you’re on the hook. So, you need to make sure as you work with a managed provider that you’ve vetted them. You know their capability; you know what they’re capable of doing. There’s nothing wrong with going to a third-party managed provider, but make no mistake. At the end of the day, they won’t be the one that gets let go when the issues occur. And I love the fact that Jay has a dog with him today. This is one of the wonderful aspects of working remotely.
Jay Ferro:
I am turning all my cyber over to Bandit. My sidekick right here.
Yeah, I agree, like any managed service. First of all, I have no issue with it, right. I think there are terrific partners out there that are very, very capable and they can flex out your skills if you can’t hire and retain them yourself, or you need quicker boots on the ground. I’m a firm believer in it and I’ve used both. You’ve got to do what’s right for you. I mean, I’ve used all on-staff, almost 100% outsourced, and I’ve used hybrid, all with great success. It all comes with how you manage them. To Jason’s point, it is your rear end on the line. Just like any other kind of managed service outsourcing relationship. CEO ain’t coming for them, he’s coming for you if things go sideways. So, holding them accountable to your program of work is the same as holding your own team accountable. Shared goals, clear, concise targets, work plans, the north star is the same. Yeah, no issues with it.
Scot McLeod:
So, gentlemen, I want to thank you both for the great discussion. Very engaging. I hope the audience feels the same way. And in fact, we’ve got a little exit survey for them to fill in on their way out. We’d love to get their feedback on this session. And if they found this valuable, give us suggestions on other sessions you’d like to see us host. We’re happy to do it. We’re always looking for that input. So, Jay and JJ, both thank you very much. Great discussion and hope everyone has a great rest of your day. And we’ll look forward to meeting with you online in the very near future. Take care, everyone.
*** This is a Security Bloggers Network syndicated blog from Apptega Blog authored by Cyber Insights Team. Read the original post at: https://www.apptega.com/blog/how-to-present-cybersecurity-to-your-board-of-directors