
Careers & People

6/24/2021
01:00 PM
Brian Contos
Commentary

Boardroom Perspectives on Cybersecurity: What It Means for You

Because board members are paying close attention to security, security leaders must be able to respond to and alleviate their concerns with data.

I regularly have conversations with cybersecurity leaders and experts across a range of industries. More recently, I've spoken with board members from several market-leading companies on my podcast about their views on cybersecurity. 


These conversations, summarized below, demonstrate that board members are paying close attention to their organizations' security programs — their approach and effectiveness and the impact on risk posture. Additionally, board members' influence on the direction of a company's security program has grown.

As a result, IT leaders must report regularly that security technology, people, and processes are optimized to protect and defend the organization so that when a breach or attack does take place, it will have minimal impact on the brand and bottom line. Further below, I offer tips for how best to measure, prove, and report security performance metrics to the board and business leadership. 

Board Perspectives
"Cybersecurity is undeniably a board priority. To do their jobs, boards need to understand variables like risk posture, relevant threats, and effectiveness of security controls. They also need to know what the right responses should be while understanding that cybersecurity is constantly changing. It's critical to have timely measures for how well your cybersecurity controls are working and how well they respond to the latest threats."
Julie Cullivan, board member at multiple healthcare, technology, and cybersecurity companies and former executive at Forescout, FireEye, McAfee, and others

"While all board members don't need to be cybersecurity experts, they do need to be able to interpret risk metrics regarding cybersecurity, just like they do when understanding sales, operations, and finance. Only when there is an understanding of the risks can boards provide the most appropriate oversight and governance. The cybersecurity leaders that are most successful at their jobs and at interacting with the board are highly technical. But they are also true corporate executives. They must have or develop business skills."
Art Coviello, former RSA president & CEO, and board member at a financial services company and multiple technology companies

"Boards and the C-suite are recognizing that 'software with a service' is the future of cybersecurity. Technology-led platforms augmented by security and operations experts are delivering value via productized services. This may be utilizing software with a service through a combination of red teaming, security validation, event analytics, and threat intelligence where I need to continuously know the state of my controls from multiple real-time and forensic angles, where my gaps are, and how to fix them when validated against the most timely and relevant threat intelligence."
Jay Leek, managing partner and co-founder of ClearSky Security, board member for multiple technology and cybersecurity companies, and former Blackstone CISO

"Virtually every brand is built around some level of trust. As such, board members need to ask questions about how cybersecurity is being leveraged to protect the brand's value proposition at a point in time and measured over time. Cybersecurity for your multicloud environment must be a board-level conversation now. If you wait two more years to start having this conversation, you'll be too late to the party and you'll be less competitive."
Kara Nortman, managing partner at Upfront Ventures and board member with several technology and cybersecurity companies

"When I see boards, executives, auditors, and security teams successfully achieving good governance hygiene, part of that success is usually a result of cybersecurity leaders being educated in the fundamentals of business risk management. For some businesses, cybersecurity has become essential to the company's strategy and value proposition. In these instances, boards are very diligent in understanding the effectiveness of security controls, processes, and people at a point in time and trended over time."
Matt Bigge, partner at Crosslink Capital and board member with multiple technology and cybersecurity companies

Three Steps for Reporting to Executives
CISOs and IT leaders need to report, in quantifiable business terms, the value the organization's security program delivers based on continuous testing, optimization, and proof of effectiveness. Below I've outlined three steps CISOs should take to accomplish this and report in terms that the board and C-suite understand.

1. Let Intelligence Lead the Way
Intelligence about the organization's most relevant threats and the tactics those adversaries use guides which controls are needed. When evaluating threat-intel vendors, the key areas to focus on include:

  • Will you receive a combination of intelligence types, including machine intel, managed services, and adversary intel?
  • Does the vendor integrate its threat intel feeds into your current IT environment?
  • Do you feel confident in the expertise of the team, the comprehensiveness of the data, and the ability to automate and personalize that data?

2. Validate With Proof of Effectiveness
The value of security validation is increasingly understood, yet security leaders are often unsure how best to implement and perform validation so that it yields meaningful results. The five key components of an impactful security validation program are:

  • Prioritize what to test based on threat intel.
  • Test and measure performance of security controls.
  • Optimize controls based on performance testing.
  • Rationalize the program to fill gaps and eliminate duplication of controls.
  • Continuously monitor the environment; keep the process going so that changes in IT are accounted for in ongoing testing and measurement.

3. Report With Confidence

  • Based on the five-step validation process, you can share quantitative proof that the security program is working and protecting the company's risk posture.
  • You also have peace of mind that any performance fluctuations will be flagged and remedied automatically.
  • Reporting in business terms gives key stakeholders the assurance they need to communicate a strong security posture to their constituents.

These steps can help CISOs streamline operations and concentrate resources where they will have the greatest likelihood of success, while identifying areas where more spending may be needed or costs can be cut without impacting risk. Ultimately, security leaders can assure the C-suite and the board, with quantifiable evidence, that the company's cyber hygiene is strong and its market position protected.

Brian Contos is a seasoned executive, board advisor, and serial entrepreneur with 25+ years in the cybersecurity industry. After getting his start in cybersecurity with the Defense Information Systems Agency (DISA) and later Bell Labs, he began the process of building ...