RSA 2016: Two views on how CISOs should talk to boards

SAN FRANCISCO – Infosec pros spend a lot of time putting out metaphorical fires. But a British cybersecurity consultant says fire is also a good way to tell boards why what they do is vital to the enterprise.

“Fire’s a great way to describe cybersecurity because everyone understands it,” John Elliott told one of several sessions at the annual RSA Conference here on how CISOs should deal with boards of directors.

Elliott gave an amusing talk that referred to great fires in Chicago and London as inspirations for analogies of what cybersecurity does for the uninitiated.

At another session Microsoft CISO Bert Arsenault spoke about how tough it is to appear before Microsoft’s board, where presenters are forbidden from bringing pictures, graphs or PowerPoint slides to supplement their efforts – or referring to any three-letter acronyms.

“It forces you to write like a human.”

Elliott has great respect for boards, who are taking an increasing interest in cybersecurity thanks to the mounting reports of data breaches around the world, shareholder worries and tough regulators.

“The great thing is we’re in front of smart people who generally have a pretty damn good understanding of risk at this stage,” Elliott said, “and they can look at one thing and see how it relates to something else.”

Which is how he got into thinking about fire as a way to explain what CISOs are doing with all the money being thrown at them – or not.

It happened when Elliott was asked by a board member how he could reconcile the fact that in years past he asked for millions to make sure bad guys don’t get into the company’s network and now he’s saying it’s not a matter of if but when.

“I looked around the room and saw a fire extinguisher, so I said ‘You’ve got a fire extinguisher in the building, although we’ve never had a fire, and never expect to have a fire.’” And the board member said he understood: We need to have cybersecurity in case there’s an intrusion.

Okay, you don’t have to reduce everything to a metaphor before the board, but there are some similarities and lessons from fires, Elliott said. Fire doesn’t care what you did yesterday or will do tomorrow. It doesn’t care that your controls – the smoke detector, for example – were working yesterday but not today. Nor does it care that the detector will be patched next week. Like an online attacker, fire exploits the smallest vulnerability. And like an attacker it keeps going until it consumes everything.

Security has four stages, Elliott pointed out: Prevention, detection, respond, recover. A CISO can explain all of these in terms of great fires. Think of London in 1666, when buildings that were too close to each other (in violation of some rules) and made of wood and straw encouraged a devastating fire.

The 1871 Chicago fire shouldn’t have been devastating – the city had stone buildings and a fire department, was by a lake and river for water, and had a pumping station. But the roof of the pumping station was made of wood, as were the sidewalks.

Fire design in buildings today is mature, aimed at limiting the spread of flames. There’s defence in depth with fire doors, alarms and smoke detectors regularly tested. Building controls work.

And like every fire, there are still lessons to be learned after every cyber incident.

However, remember what Elliott adds about cybersecurity: In fire safety terms we’re in 1750. Our maturity level isn’t great.

Microsoft’s Arsenault offered a range of advice for talking to the board, starting with speaking their language: Many, particularly on the audit committee, come from a financial background. He talks in terms of technical debt versus accrued liability – for example, a platform for support that will be depreciated in several years. “The audit community loves that language,” he said.

Studies show that financial executives – and remember that not only do many CIOs/CSOs report to them, but they also control budgets – like other C-level executives, highly value IT. But CFOs are less involved with it than other executives. That’s important to consider, Arsenault said, as CSOs prep to speak to the board and senior management.

Board members may also be influenced by the latest trend they’ve read about in the popular press, he said – he called it “manage by magazine on the flight to the board meeting” – so he spends a lot of time ensuring they have balance (for example, not to overweigh concerns about threats from insiders).

What boards want to know about is shareholder risk, he said. Figuring out how to explain things that way is one of the hardest tasks for a CISO, Arsenault said.

But, he added, they also want to know if the organization understands that IT security is a shared responsibility across not only the organization but partners as well.

You can talk to the board about the top three cyber risks the organization faces, he said. And, from time to time you might talk about the bottom three risks. “Boards really like that … Now it’s on their radar. They know we’re thinking about it. It’s on our top 10, and if it shouldn’t be, let us know.”

Be prepared for things the board wants to talk about, including whether you have everything you need – “and the answer better be ‘yes,’ or ‘I do, but here’s the things I see coming,’” just to make them aware.

Other likely questions include being asked to describe the overall security plan and how it will be exercised. More enlightened boards will also want to know about staff security education, and ask about the security culture.

Arsenault also advised on talking to the board in three facets: Honor the past – it’s how we got here (referring to talking about technical debt and accrued liability); Be honest about the present (explain the current risks. Sometimes they’re scary but if you have the right processes you should be hopeful for the future); and Build for the future.

Finally, Arsenault pointed out what one board member once told a CISO: “One of the things you guys have to understand: You are the least important person to the board of directors – until we’re most important to the board.”

In other words, cyber isn’t the most important until something goes wrong.

Howard Solomon