Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

// // //
01:00 PM
Brian Contos
Brian Contos
Connect Directly
E-Mail vvv

Boardroom Perspectives on Cybersecurity: What It Means for You

Because board members are paying close attention to security, security leaders must be able to respond to and alleviate their concerns with data.

I regularly have conversations with cybersecurity leaders and experts across a range of industries. More recently, I've spoken with board members from several market-leading companies on my podcast about their views on cybersecurity. 

Related Content:

Actionable Tips for Engaging the Board on Cybersecurity

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: Is an Attacker Living Off Your Land?

These conversations, summarized below, demonstrate that board members are paying close attention to their organizations' security programs — their approach and effectiveness and the impact on risk posture. Additionally, board members' influence on the direction of a company's security program has grown.

As a result, IT leaders must report regularly that security technology, people, and processes are optimized to protect and defend the organization so that when a breach or attack does take place, it will have minimal impact on the brand and bottom line. Further below, I offer tips for how best to measure, prove, and report security performance metrics to the board and business leadership. 

Board Perspectives
"Cybersecurity is undeniably a board priority. To do their jobs, boards need to understand variables like risk posture, relevant threats, and effectiveness of security controls. They also need to know what the right responses should be while understanding that cybersecurity is constantly changing. It's critical to have timely measures for how well your cybersecurity controls are working and how well they respond to the latest threats."
Julie Cullivan, board member at multiple healthcare, technology, and cybersecurity companies and former executive at Forescout, FireEye, McAfee, and others

"While all board members don't need to be cybersecurity experts, they do need to be able to interpret risk metrics regarding cybersecurity, just like they do when understanding sales, operations, and finance. Only when there is an understanding of the risks can boards provide the most appropriate oversight and governance. The cybersecurity leaders that are most successful at their jobs and at interacting with the board are highly technical. But they are also true corporate executives. They must have or develop business skills."
Art Coviello, former RSA president & CEO, and board member at a financial services company and multiple technology companies

"Boards and the C-suite are recognizing that 'software with a service' is the future of cybersecurity. Technology-led platforms augmented by security and operations experts are delivering value via productized services. This may be utilizing software with a service through a combination of red teaming, security validation, event analytics, and threat intelligence where I need to continuously know the state of my controls from multiple real-time and forensic angles, where my gaps are, and how to fix them when validated against the most timely and relevant threat intelligence."
Jay Leek, managing partner and co-founder of ClearSky Security, board member for multiple technology and cybersecurity companies, and former Blackstone CISO

"Virtually every brand is built around some level of trust. As such, board members need to ask questions about how cybersecurity is being leveraged to protect the brand's value proposition at a point in time and measured over time. Cybersecurity for your multicloud environment must be a board-level conversation now. If you wait two more years to start having this conversation, you'll be too late to the party and you'll be less competitive."
Kara Nortman, managing partner at Upfront Ventures and board member with several technology and cybersecurity companies

"When I see boards, executives, auditors, and security teams successfully achieving good governance hygiene, part of that success is usually a result of cybersecurity leaders being educated in the fundamentals of business risk management. For some businesses, cybersecurity has become essential to the company's strategy and value proposition. In these instances, boards are very diligent in understanding the effectiveness of security controls, processes, and people at a point in time and trended over time."
Matt Bigge, partner at Crosslink Capital and board member with multiple technology and cybersecurity companies

Three Steps for Reporting to Executives
CISOs and IT leaders need to report, in quantifiable business terms, the value the organization's security program delivers based on continuous testing, optimization, and proof of effectiveness. Below I've outlined three steps CISOs should take to accomplish this and report in terms that the board and C-suite understand.

1. Let Intelligence Lead the Way
Intelligence about the organization's most relevant threats and the tactics used gives guidance into what controls are needed. When evaluating threat-intel vendors, the key areas to focus on include:

  • Will you receive a combination of types of intelligence, including machine intel, managed services, and adversary intel?
  • Does the vendor integrate threat intel feeds into your current IT environment?
  • Do you feel confident in the expertise of the team, the comprehensiveness of the data, and the ability for automation and personalization of data?

2. Validate With Proof of Effectiveness
The value of security validation is becoming more understood, yet security leaders are often unsure of how best to implement and perform validation for meaningful results. The five key components of an impactful security validation program include:

  • Prioritize what to test based on threat intel.
  • Test and measure performance of security controls.
  • Optimize controls based on performance testing.
  • Rationalize the program to fill gaps and eliminate duplication of controls.
  • Continuously monitor the environment; keep the process going so that changes in IT are accounted for in ongoing testing and measurement.

3. Report With Confidence

  • Based on the five-step validation process, you can share quantitative proof that the security program is working and protecting the company's risk posture.
  • You also have peace of mind that any performance fluctuations will be flagged and remedied automatically.
  • Reporting in business terms gives key stakeholders assurance they need to communicate a strong security posture to their constituents.

These steps can help CISOs streamline operations and concentrate resources where they will have the greatest likelihood of success, while identifying areas where more spending may be needed or costs can be cut without impacting risk. Ultimately, security leaders can assure the C-suite and the board, with quantifiable evidence, that the company's cyber hygiene is strong and its market position protected.

Brian Contos is a seasoned executive, board advisor, and serial entrepreneur with 25+ years in the cybersecurity industry. After getting his start in cybersecurity with the Defense Information Systems Agency (DISA) and later Bell Labs, he began the process of building ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file