Why the board of directors will go off on security in 2015

Imagine it's the end of 2015 and you're about to read an exposé from a fly on the wall at the top closed-door board meetings across the enterprise, all of them discussing the state of information security. You're excited, right?

Well, why wait? Here's your seat at the table for 2015's most heated board room discussions about information security.

The backdrop: Events to come

Certain characteristic types of painful breaches will drive heated security debates in the boardroom in 2015. First, high-profile reinfections of organizations that were already breached in 2014; second, first-time high-profile breaches of enterprises that significantly increased their information security budgets precisely to avoid what they saw happening to other companies. "Those are two that will create ripple effects and frustration in the board room," says Eric Cole, Senior Fellow, The SANS Institute.


Companies are spending millions of dollars to avoid infection, but they're not spending it in the right areas. "If you take any of those big companies that have already been hit, they made these big announcements about spending several million dollars on security to fix the problem. When breaches hit them again next year, that's going to paralyze the organization and the board of directors," says Cole. The same applies to companies that are spending heavily on security now and suffer their first massive breach in the new year.

Another gut-wrenching type of breach that will cause boardroom dismay is the theft of intellectual property (IP) and its display on the Internet. Companies will also discover, publicly, that attackers have been inside their systems for years without anyone noticing.


"They will suddenly find out that there have been people in their systems for, let's say, a decade and they really hadn't had any secrets in all that time. When that becomes public knowledge, that will create panic in the boardroom," says Ted Demopoulos, certified instructor, The SANS Institute.

The board goes off on the state of information security

In 2015, as a result of these types of events, boards of directors and C-levels will be frustrated because they will have no idea how secure their organization is. "They will be scared but they won't know why because they won't know what questions they should be asking or whether the information they receive is sufficient," says Cole.

"Boards of directors will ask, 'how do we know this isn't us already?'," says Demopoulos. How will boards know that someone hasn't already compromised them for years, or that someone hasn't already plucked their IP to sell it or put it on display for the world to see? When no one can give them a solid answer, that will be extremely unsettling for the boardroom.

There will be increasingly heated discussions among board members about whether they are wasting the money they spend on security, and why, says Demopoulos; they will ask whether they are buying the right security solutions at all.

The thing that will make board members most livid is when the organization uncovers a breach and no one can tell them when it started. "I think that's going to cause a lot of yelling and shouting, not that they've been breached, not that somebody's been in a critical system with some critical assets of theirs, but they won't know when it happened," says Demopoulos.

In response, board members will keep asking for metrics that measure, and then help minimize, the risk of a breach, rather than getting into the technical details, because they are not technical people. "If you tell them what caused these continued breaches, I don't think many of them will understand the answers," says Cole.

Executives speak the language of dollars, cents, and risk while security experts speak a different language. They don't understand each other. "I've seen CSOs give a 45-minute presentation to the board of directors about security, and five minutes into it, attendees are pulling out their phones, they're doing something else, and the CSO has totally lost the audience because they weren't speaking to them in their language," says Cole.

What should happen

"Most big companies / stores purchased more security products such as next-generation firewalls and state-of-the-art IPSs. My concern is that many of them don't have the proper structure or foundation for security in place," says Cole. Rather than a quick fix with all these products, companies need to first build the proper foundation.

There are four foundational responsibilities that companies must address: asset identification, configuration management, change control, and data discovery. Many organizations have no idea what someone has plugged into their networks. They don't know how those assets have been configured. They don't manage change, and they don't know where their critical data is located. "If you fail in those four areas, you can spend $50M on security products, and it's not going to help you because the underlying vulnerabilities that create risk are still there," says Cole.
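As an added illustration of the first of those four foundations, asset identification, the script below is example code written for this page; it is not from Cole, SANS or the article. It reconciles a constructed CMDB export against constructed DHCP lease lines and reports what the inventory cannot explain: devices nobody claims, devices that present an inventoried hostname with the wrong MAC, inventoried MACs that now answer to a different name, and inventoried assets that never show up. The lease-line format, the hostnames, the MACs and the owner labels are all assumptions.

```python
import re

# Constructed CMDB export for this example: hostname -> (owner, MAC the inventory records).
INVENTORY = {
    "web-01": ("platform", "00:1a:2b:3c:4d:01"),
    "db-01": ("platform", "00:1a:2b:3c:4d:02"),
    "fileshare-03": ("corp-it", "00:1a:2b:3c:4d:03"),
    "backup-02": ("corp-it", "00:1a:2b:3c:4d:04"),
}

# Constructed DHCP lease lines. The format is an assumption for this example, not any
# particular server's log format. The last line is deliberately malformed so that the
# parser's handling of junk is visible in the report rather than silently dropped.
DHCP_LEASES = """\
2015-01-12 08:01:03 lease 10.0.5.11 mac 00:1a:2b:3c:4d:01 host web-01
2015-01-12 08:02:17 lease 10.0.5.12 mac 00:1a:2b:3c:4d:02 host db-01
2015-01-12 09:40:55 lease 10.0.5.77 mac 00:1a:2b:3c:4d:99 host raspberrypi
2015-01-12 10:15:02 lease 10.0.5.78 mac 00:1a:2b:3c:4d:55 host fileshare-03
2015-01-13 08:01:05 lease 10.0.5.11 mac 00:1a:2b:3c:4d:01 host web-01
this line is garbage and should be reported
"""

LEASE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) lease (?P<ip>\S+) "
    r"mac (?P<mac>[0-9A-Fa-f:]{17}) host (?P<host>\S+)$"
)


def parse_leases(text):
    """Return (records, unparsed). Lines that do not match are kept so they can be reported."""
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LEASE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["mac"] = rec["mac"].lower()   # normalise so MAC comparisons are case-insensitive
            records.append(rec)
        else:
            unparsed.append(line)
    return records, unparsed


def reconcile(inventory, lease_text):
    """Compare observed leases with the inventory and bucket every discrepancy."""
    records, unparsed = parse_leases(lease_text)
    mac_to_host = {mac.lower(): host for host, (_owner, mac) in inventory.items()}
    host_to_mac = {host: mac.lower() for host, (_owner, mac) in inventory.items()}

    first_seen = {}  # mac -> first lease record, so each device is reported once
    for r in records:
        first_seen.setdefault(r["mac"], r)

    unknown, collisions, renamed = [], [], []
    for mac, r in first_seen.items():
        expected_host = mac_to_host.get(mac)
        if expected_host == r["host"]:
            continue  # inventory and network agree
        finding = {"mac": mac, "host": r["host"], "ip": r["ip"], "first_seen": r["ts"]}
        if expected_host is not None:
            # inventoried MAC answering to a different hostname: rebuilt or repurposed box
            finding["expected_host"] = expected_host
            renamed.append(finding)
        elif r["host"] in host_to_mac:
            # unknown MAC presenting an inventoried hostname: clone, reimage or impersonation
            finding["expected_mac"] = host_to_mac[r["host"]]
            collisions.append(finding)
        else:
            # nobody in the CMDB claims this device: somebody plugged something in
            unknown.append(finding)

    # inventoried MACs that never took a lease: offline, stale inventory, or static addressing
    never_seen = sorted(h for h, m in host_to_mac.items() if m not in first_seen)

    by_mac = lambda f: f["mac"]
    return {
        "unknown_devices": sorted(unknown, key=by_mac),
        "name_collisions": sorted(collisions, key=by_mac),
        "renamed": sorted(renamed, key=by_mac),
        "never_seen": never_seen,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(reconcile(INVENTORY, DHCP_LEASES), indent=2))
```

Run against real data, the same four buckets map directly onto Cole's point: every entry in `unknown_devices` is a host nobody owns, configures or patches, and every entry in `never_seen` is an inventory record nobody has verified. The `unparsed` list is kept on purpose; a reconciliation that quietly discards log lines it cannot read produces exactly the false confidence the article warns about.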

Executives are not going to learn technology, which means technical people need to learn how to speak the executive language. "You need a security officer who is bilingual, who can convert the technology into the business language and present it with business metrics so the executives can make the right decisions about security moving forward," says Cole.

Companies should be looking for CSOs who can report directly to the executive team, people who can speak their language. "Today, most CSOs are buried under the CIO and are technical positions rather than business positions. Their communications never make it up to the executives," says Cole.


Companies need a CIO and CSO with equal footing. "The CIO needs to address uptime availability while the CSO communicates the proper security metrics to the executive team," says Cole.

In addition to bringing on a CSO who can talk to the executives, the board should bring on a board member who understands security. "Three years ago, no one was asking me to be on their board of directors. This year, I've been asked to sit on four boards because they want someone who understands security and can translate it for them," says Cole.

The outcome should be the ability to better contain breaches and minimize damage. "If any of the large retail organizations get breached this coming year, but they catch it in a few days and contain the damage, they will never make the headlines," says Cole.

The issue is not whether someone has breached them, but the degree of damage. "That's what executives miss. Breaches happen all the time that never make it to the news," says Cole.
