Communications to board key to cybersec success

Security has moved from a back-office, technical discipline into the boardroom. So says Cisco’s senior vice president and chief security and trust officer John Stewart.

“There’s a combination of factors happening. Every business is becoming an IT business. We’ve gotten used to using technology but often times we have to remember that without it we don’t work,” Stewart says.

This means companies need to understand both the value IT delivers to the business and the associated risks, whether these come from fraud, external threats or errors made by well-meaning personnel.

This extends from protecting transactions through to intellectual property.

“The true nature of Internet threat is only 25 years old. It’s a risk area that doesn’t have a lot of empirical data. It doesn’t have actuarial tables for insurance companies yet. It doesn’t have true formulaic structured rules. Even the profession itself – we don’t have definitions that are unilaterally accepted about what job titles do what,” says Stewart.

That means, in Stewart’s view, we are still at a formation stage in the infosec profession. Given the threat landscape and evolving nature of the industry, Stewart says boards cannot delegate the responsibilities and risks associated with cybersecurity. Boards and senior leadership teams must understand the risks, just like any other corporate risk.

“In all my discussions with a large number of corporate boards over the last couple of years, I’ve learned that they do want to know but they need to know it in terminology that is not typically the terminology the security industry uses,” says Stewart.

Stewart recommends that security reporting be road-tested with experienced board members before a formal presentation, so that it is communicated to the board appropriately. For example, describing a risk in terms of how fast the value of the company can be impacted by a rogue employee puts it in terms boards can more easily digest.

“You talk about effect, not causality,” says Stewart.

If a CISO enters the conversation saying there is a lack of visibility across the network and that, therefore, they can’t protect it, they aren’t giving the board actionable information. However, if it’s presented as an inability to determine whether financial data is leaving the company because of a lack of visibility, the board can better understand the risks.

With continuing pressure on technology budgets, it’s critical, in Stewart’s view, to structure budgets and measure corporate performance appropriately. If the technology function within a business controls the security budget – a typical situation – but IT is primarily measured on system performance and availability rather than on management of security risks, then budget pressures may result in cuts to security, increasing the company’s exposure to cybersecurity risks.

As well as his role at Cisco, Stewart is working with the Australian Government on the Cybersafety Centre.

The group has been working for the last few months through a series of working groups. The next step, says Stewart, is a face-to-face meeting, with information to be presented to government during the first half of 2015.

“One of the things I’m really encouraged by is every nation has to look at their cybersecurity strategy about every three years – I don’t think it lasts much longer than that. The US has some work to do. New Zealand is doing this right now. The Ukraine is doing it. The Czech Republic is doing it,” he says.

One of the challenges is finding ways to connect the cybersecurity discussion to an economic conversation, he added, again focussing on presenting cybersecurity risks in language that is accessible to, and actionable by, key stakeholders.

Anthony Caruana attended RSA Conference as a guest of Symantec.
