CYBERSECURITY COLLABORATIVE www.CyberLeadersUnite.com

THE BAD GUYS ARE MORE CONNECTED, AND THAT HAS TO CHANGE

BRIEF (BUT PLEASE DO NOT TRAIN) YOUR BOARD IN CYBER

CYBERSECURITY COLLABORATIVE

RESULTS AGAINST THE FOUNDERS’ KEY OBJECTIVES FOR OUR WEBINARS:

• Valuable use of your time – 91%

• Learn something you can put into play immediately – 85%

IMMEDIATELY ACTIONABLE ITEMS:

• From this day forward, agree to no longer support, provide, or condone overly basic, super-simplified training for your members in cyber security. Let directors and board members experience our field in our language and let them self-assess whether they understand what is going on.

• View yourself as an executive, responding to an executive question with an executive answer.

• Communicate in a way that inspires them to learn more.

• Be ready for any length of presentation: big, medium, small, and elevator size.

The following summary is of the February 22nd, 2018 “Brief (But Please Do Not Train) Your Board in Cyber” webinar presented by Ed Amoroso, former CISO of AT&T and the Founder and CEO of TAG Cyber.

Moderated by Stuart Cohen, CEO of the Cybersecurity Collaborative.

Ed Amoroso Former CISO, AT&T and Founder & CEO, TAG Cyber

February 22nd, 2018

KEY TAKEAWAYS

• Understand the basics: A larger understanding of your company and how board members are made.

• Initiate change by using the lingo of cybersecurity to demonstrate your proficiency. “Dumbing down” cybersecurity dumbs down your role as a cybersecurity expert.

• Communication is key: Understand the level of formality and the expected length of presentation; be prepared for all of the above.

• Connect with your peers and executives: Become the cyber resource whom people come to for answers.

BOARD MEMBERS AND HOW TO CONNECT WITH THEM

Board members tend to be very capable, as well as knowledgeable in business. They tend to have an understanding of business from top to bottom. To be considered for such an important post, they will have already demonstrated meaningful achievement in some field relevant to the company. They might have been a CEO or CFO of some organization, or perhaps a distinguished member of the clergy or a government agency. Former CEOs make great board members because they have an eclectic mix of knowledge.

The common denominator is that you are expected to be ready to serve on day one. That is, any independent director is expected to have a working knowledge of corporate finance, basic marketing, human resource management, business operations, competitive strategy, and on and on. Woe to the board member who shows ignorance in any of these basic fields: There will be clear social consequences during coffee breaks for such lack of knowledge.

SOCIAL CONSEQUENCES IN CYBER/TECH RELATED BOARD MEETINGS

By contrast, in technology and cybersecurity, most corporate boards have no social consequences for having an utter lack of understanding in the technology-based aspects of business. Any director sitting down for a board meeting who jokingly laments needing a ten-year-old to help turn on their confounded iPad is met with zero raised eyebrows. In fact, other directors will probably chuckle and agree.

Of course, such ignorance on boards cannot be permitted – and the typical response has been to schedule remedial training in both technology and cybersecurity. The topic of cyber risk is thus a popular request from board principals who nervously watch their shamed executive peers raising their right hands on CSPAN after a serious data breach. It should come as no surprise that training would be considered both appropriate and necessary.

And yet, such training sessions are dangerous when they dumb down technical concepts into comfort-zone terms for board members. It is all too common for the tech to be made simple, so that executives can follow basic concepts and not feel any unease or confusion. Generally the cybersecurity professional is asked to tailor their presentation for a minimal level of understanding. Make it easy for them, in other words.

WHEN CISOs MAKE PRESENTATIONS TO BOARD MEMBERS TOO SIMPLE, WE ALL MISS OUT

• We rob the board members of that moment when they realize they don’t know what you’re talking about, which leads them to research and resolve the knowledge gap. This establishes a greater understanding and connection between the CISO and the board.

• There is a jargon and a lingo of cybersecurity, and just like any language, part of the joy of learning is in being confused, and self-teaching.

• Presenting the complexity of our organizations with relevant lingo is to the CISO’s advantage.

• Your job is to translate cybersecurity into business terms for the board.

• If you are involved in board-related meeting planning, it is to your advantage to no longer support, provide, or condone overly basic, super-simplified training for your members in cybersecurity. Instead, let’s demand that directors be briefed on issues as capable, experienced, and knowledgeable peers. This may ruffle some feathers, but becoming a board member comes with the implicit understanding that you have the requisite skills to govern. And just as you would never expect to be briefed on corporate finance 101 or basic marketing, you should similarly not demand to be briefed on elemental cybersecurity.

BECOME A CYBER EXPERT

Positions in cybersecurity are rapidly shifting from where they were even a few years ago. We still have a way to go as far as being treated as fellow executives. In order to fix that we have to act more like executives. But how do we do that?

• Become more social. It is as important to be able to mix in a room as it is to present a financial statement. If you are going to be an executive, you need to show more sides of yourself than the tech side.

• Develop a larger view of the business. You should be able to tell the story of your company from multiple viewpoints, not just security: what the key issues are, and what the strategy is for addressing those issues.

• You become the conduit for all things cyber to them. You must give an executive answer to executive questions. If you give an answer that a low-level lab person could give, you will be perceived as a low-level lab person.

CONCLUDING THOUGHTS

It’s an art form to communicate reasonably, but also to inspire board members/executives as an executive would with the complexity of what you do, and how it is relevant within the structure of the company. Give answers that inspire board members to learn more. This is what we mean by brief rather than train board members. They are smart people, and if you inspire them, they will in turn be inspired to learn more about the cyber world as a whole. These kinds of small victories mean shifting toward cybersecurity professionals being taken more seriously as a community.

Q&A

Q: Is there a particular metric that you like that speaks to the effectiveness of the cybersecurity program within your organization? Also, does that metric help you with effectiveness and increased budget, or are there two separate discussions for effectiveness and additional budget?

A: The issue of metrics is dangerous. The instant metrics are put in front of a board it tends to take on a life of its own. If even one thing changes within the metrics you are tracking, that tends to be too focused on. The only metric that is really meaningful is whether you have avoided any consequential breach. Don’t let other metrics take on more significance than is necessary. Having a dashboard helps, but be careful not to let that become the main focus of your program. Talking human to human is the best metric of all.

Q: If I have to put a cybersecurity briefing/document together prior to a board meeting, any ideas about what that should look like, how long it should be, and what level of detail should it go into from a business vs. technology aspect standpoint?

A: It depends. Is there an ongoing dialogue with the board on the topic of cyber? If so, you are hopping aboard a moving train with your briefing, so you need to understand the discussion history, especially over the last couple of years. A lot of boards do an annual event where the CISO gets invited. There’s usually a speaker, a guest speaker, and the CISO gives a report. In putting a brief together you really need to know the context. If it’s annual, it’s more formal, whereas if you brief every month, you pick up where you left off. Whatever level of technical your presentation is baselined at, see if you can push it further. A little more detailed, technical, etc. Up your game a little bit.

Q: Can you suggest appropriate cyber supplemental documentation to support the NYDFS 500 certification sign up for the board?

A: I wish I could give a blanket answer here. You have to do the homework. It’s something you need to sift through. Consider the source of where things come from, that’s really important. There’s a lot of junky stuff coming out. I’m not a big fan of waves, quadrants, things like that, I think they tend to be a little bit driven by business. I’m also not a big fan of the academic work, which has its own motives. There is no shortcut, unfortunately.

Q: What do I do in five or ten minutes to present to the board?

A: The shorter the amount of time, the more prepared you need to be. This job is variable in how long your talks are. You have to anticipate that in any scenario you may only have five minutes. Make the adjustment to your plan; prepare and anticipate for either a long, medium, or short amount of time so you are ready. If you’re going to be a functioning executive, you had better have your elevator answers. You can’t just make up the answer on the spot. You’re going to bump into other executives, whether in an elevator or otherwise, and may only have a few seconds to give an answer. Plan for that; this is the best way to prepare yourself for these short briefings. If you don’t have a big speech, a medium speech, a small speech, and an elevator-size speech, you should work on that.

ABOUT OUR SPEAKER:

Ed Amoroso: Ed is the former CISO of AT&T and the founder and Chief Executive Officer of TAG Cyber. Ed is an experienced Chief Executive Officer, Chief Security Officer, Chief Information Security Officer (second person to hold the CISO position in history), University Professor, Security Consultant, Keynote Speaker, Computer Science Researcher, and prolific Author (six published books). Ed holds a PhD in Computer Science from the Stevens Institute of Technology, and is a graduate of Columbia Business School. Having directly served four presidential administrations in cybersecurity, he now serves as a member of the M&T Bank Board of Directors, Senior Advisor for the Applied Physics Lab at Johns Hopkins University, Adjunct CS Professor at the Stevens Institute of Technology, CS Department Instructor at New York University, and Member of the NSA Advisory Board (NSAAB).