All the high-profile breaches of the past few years have put more attention on cybersecurity than ever before. As a result, what was once, at best, a bullet point during board meetings is now a topic the board is eager to understand better. This increased attention is great, but many security leaders aren’t used to this level of scrutiny from the board, so they aren’t sure how to talk to boards about security.
What we’ve witnessed is CISOs and other security leaders providing boards with updates around specific technologies in use, and technical metrics. While these technical metrics are useful for determining the overall effectiveness of a security program, they do not provide the information the board is most interested in – is risk being reduced, and are we investing in the right areas?
John Elliot, Head of Information Security, Principality Building Society, gave an engaging talk during the RSA Conference on Monday about explaining cybersecurity to your board. He used the analogy of fire prevention and safety to describe the steps security teams are taking to reduce risk. As he stated, this analogy works great because everyone understands fire safety – it is ingrained in our heads at a very young age. It also touches on a real concern boards have: we invest heavily in security solutions, but you are telling me a breach is inevitable? It’s not a matter of if, but when? To that, John answered (and I’m paraphrasing), we hope there won’t be a fire, we do everything we can to prevent it, but then we also have incident response protocols in case there is a fire. This parallels very well with how we should look at cybersecurity.
John’s presentation was fantastic, and I wish I could simply blog the entire talk track, but that wouldn’t do it justice – plus you’d be missing out on the fantastic British accent and quips. The main point I took away was that the most effective way you can talk to your board about security is to make it real; tell a story that resonates with the board. Fire safety is one good parallel, but you may find another that works for you.
The presentation struck me as coincidental as he relied heavily on the history of the Chicago Fire to make his point, and Chris Wysopal, Veracode’s co-founder and CTO, recently wrote an OpEd, which was published in ReCode, in which he stated we should not wait for the security industry’s equivalent of the Chicago Fire before we change the way we think about security.
One of the aspects of security John talked about is what we do after there is an incident. He compared our responses to what is done after a major fire. We look back at the root cause and what could have been done differently, and learn from it. As we think about what we could have done differently, we, in some cases, create regulations to prevent the same failure. He posits that this is what should be done in security. Again, this echoes what Chris was saying about the need for information sharing. As it stands, after a breach, a company may conduct a retrospective, but that information is always kept internal. Chris has called for a regulatory board like the NTSB, which will collect this data and share it so that other companies may learn from the mistakes of the past and avoid repeating them.
While the presentation was about talking to your board, listening to the stories of the London Fire of 1666 and the Great Chicago Fire strengthened the argument for creating the type of committee or government board like the one Chris has called for. Without it, we are doomed to repeat the past. I’m hoping the quote by Aldous Huxley that John displayed during his presentation won’t be true for security: “That men do not learn very much from the lessons of history is the most important of all the lessons that history has to teach.”