Strong partnerships between CISOs, CIOs, and general counsels are a critical part of preparing for and responding to cyberattacks, a panel of security experts said.
Implementing a cybersecurity program and protecting the organization from cybersecurity threats is not something a CISO can do alone, said Sara Andrews, senior vice president and CISO of PepsiCo, during a panel discussion at the Mandiant Cyber Defense Summit earlier this fall.
“CISOs could do everything possible and put together the best possible strategy, but if the partners and employees don’t buy in, then we’re left with a mess,” Andrews said.
Communication was a recurring theme throughout the discussion.
“Recent cyberattacks we are seeing have hit everything from the gas we need in our cars to the burgers we want to throw on the barbecue for July 4th,” said John Carlin, former acting deputy attorney general at the US Department of Justice and panel moderator. “Attacks like these can disrupt our way of life, so it’s important to talk about how to prepare for a breach in advance.”
The modern CISO is a business partner, Andrews said. Security strategy should be embedded into business discussions and decisions from the get-go, and not just be brought up during audits and risk committee meetings.
Security leaders need to share emerging risks and cybersecurity concerns with executive leaders, added Teresa Tonthat, vice president of IT and CISO at Texas Children's Hospital. One way to do that is to showcase the investments they've made within cybersecurity.
“We get in front of our leadership team and stakeholders to extend our voice and mission because we can’t be everywhere at one time,” Tonthat said.
Translate for Your Partners
Security leaders also need to be able to translate complicated technical details into business concepts to communicate effectively with board members and other executive leaders. Board members are looking at risks to the organization, so security leaders should make sure their presentations focus on risk to hold the board's attention.
“We get into some very complex and very intricate challenges where we're dealing with very specific processes and outcomes and lots of complicated datasets,” said David Baumgartner, EVP, CIO, and managed solutions leader at Mandiant. “So when we have conversations with the board, it’s critical to provide some context but also be clear with what we are seeking.”
Ultimately, he said, the board wants to know:
- Are we still at risk?
- Are we well prepared?
- Are we well-funded?
- How are we delivering?
- How are we operating?
“Try and be as simple as possible, put things in business terms, use benchmarks, use comparative analysis to give them perspective: How are we doing compared against others?” Baumgartner said.
Financial Limitations to Security Strategies
Designing an effective strategy and bringing these ideas to action can consume a huge chunk of time and money, but there isn't an infinite budget to draw from. Security leaders need to consider the company's overall budget when making their requests. Having strong partnerships in place with the executive team can also help with getting those requests fulfilled, Andrews said.
While security leaders should use their judgment on what requests they can compromise on, they should keep in mind that there are trade-offs in every business. Having a supporting team and strong partnerships throughout the company can make these decisions easier and more effective, she said.
“When the board asks me if I need anything, I say I can always take a little more cash, but there's not an infinite amount of money,” Andrews said. “At the end of the day, CISOs are executives, and we're held accountable with fiduciary responsibility, just like everyone else.”