How to explain cyber security to your board

If you're like most, you face a conflicting challenge around security: while there is increased focus on digitalisation of the business, at the same time the threats to the business have not been fully addressed – or even planned for.

The board has no doubt read reports about breaches at Target in the USA, and of technology companies such as Sony and RSA having sensitive information leaked. Board members may not be completely IT literate, but even the most technical non-savvy among them is aware of Edward Snowden and WikiLeaks.

Your goal in presenting to the board is to help them understand where the organisation's security posture is currently, and what additional investment is required to mitigate risks. Clearly, how you articulate such technical elements will be a massive personal challenge.

The home

Given the need to be understood by all board members, you will want to dumb down the content of your presentation. Yet this is a major risk, and it can be potentially career limiting to gloss over too much detail.

A good analogy to use in your presentation is the idea of a home.

Traffic, both on foot and in vehicles, travels past your home all the time. The majority of this traffic has no interest in your home, and travels by without any threat.

Some external parties, however, may view your house as a target. And, much different than in your own home, every organisation also faces an additional, inadvertent threat from the people that live within your home.

Home Security

Inside the home, there are various doors and openings to the outside world. These entry points have locks and alarms, and in a similar fashion we can consider how we secure our enterprise.

In cyber security terms, each of these rooms becomes a ‘Zone’ and there is a perimeter with monitoring of movement and access to the space.

Read more: CIS delivers free resources for cybersec professionals

Many homes also have extra-valuable items that are stored in a safe for additional protection. For most enterprises, the analogy is the credit card data and personal information of customers. These items are often password protected and/or encrypted, and access to the items is restricted so that the kids don’t play with the crown jewels.

Walk the board through their home

The structure of the average home offers many parallels that you can use to walk the board through the idea of the home. For example, how sturdy is the front gate? Is it high and does it appear to be imposing?

From the cyber security standpoint, the firewall provides similar protection for your network. How robust is your current firewall, and is it fit for purpose?

We all know that even the strongest gate has little value if a side gate is left open or another wall has a small gap to allow the dogs to go in and out. For enterprises we check this by regularly having penetration testing from the outside in. We also need clear family policies as to who has keys to access the home, where they are kept, whether they can be given to friends or cleaners, and so on.

Depending on our own security consciousness, we may have engaged a security company that checks on our property and responds to alerts.

Threats to the Home

There are many threats to the home and these grow and morph everyday. Hence this is a constant journey, and that’s where I guess the home analogy has some limitations.

Online businesses face threats such as Distributed Denial of Service (DDoS) attacks, which are like having thousands of criminals trying to climb your fence at the same time – and in so doing, overrun the defences that are in place and the ability of your guard dog to protect his turf.

The key is that you want the board to be concerned but not in panic mode. Therefore, it is critical that you are able to show what you have and what’s missing that requires investment.

Making my home into a fortress

'A man's home is his castle', the saying goes, and this is traditionally the approach that we have taken in enterprises: to improve security, we have just added more and more layers of defence. First, we would add an updated Intrusion Prevention System (IPS) (an alarm) and then an Intrusion Detection System (IDS), which is that nanny-cam teddy bear that monitors movement in the house.

Unfortunately, the fortress mentality has limitations and cannot guarantee that your home will be 100% secured. The complexity of the different systems makes the whole process of managing security a non trivial task.

These measures can all be undone – not only by malicious outsiders, but if one of the dwellers in the home neglects to follow basic guidelines such as changing a server password from the default or by not applying the latest security patch. Thus the board needs to understand that when there is an investment, it will need to be in people, process and technology – not just technology alone.

Furthermore, you can’t and shouldn’t ask for everything to be fixed immediately. A risk based approach needs to be adopted and measures applied that address the greatest risks to the home.

The Honey Pot

Some of the newer cybersecurity approaches revolve around distracting the bad guys away from your home. This concept of honeypotting is to draw attention and, through deception, let them into a fake firewall and perhaps even to access a contrived customer file.

The overall benefit is that you can learn how they attack your home and the mechanisms that are used to exploit vulnerabilities – and then improve your security accordingly to protect the real

Read more: Google asks devs to disable iOS 9 privacy feature 'to protect advertising'

NABO and Neighbourhood Watch

It’s interesting that new incarnations of the Neighbourhood Watch are coming into being with startups like NABO. These are community based networks where people share information and become a local crime stopper group.

Conversely, in enterprises we don’t often want to openly discuss such matters because we fear disclosing our own vulnerabilities. However, it is important not to operate in isolation but to share with a small community in your industry.

A great example is the British banks, which have setup real-time intelligence sharing with more than 10 agencies and bodies. In doing so, they have created an early warning cyber alert system . Many Australian organisations are starting to do the same through better collaboration with the government-backed Computer Emergency Response Team (CERT) and similar organisations.

Boards leads by example

Good security isn't only about convincing the board to invest: the board also needs to work within their own ecosystems, working with other Boards to bring their colleagues up to speed. This is not about making our own fortress so impenetrable that the bad guys go elsewhere, but rather about improving security in every organisations. If Australian organisations can introduce a high standard of cybersecurity, we are less of a target as nation.

Let’s remember: if cyber criminals can find and access your credit card information from the website of a local liquor store, this is just as damaging for you – as an individual business and as a person – as if the information had been stolen from a large enterprise.

Just as in your home, constant vigilance and care are necessary to ensure security is not only introduced, but maintained for the long run. Once the criminals are in your home, they can be hard to get out completely – but you need to make sure they are really gone and no backdoors are left.

If you cannot ensure this yourself, consider bringing in outside help so that you and the board can both sleep easier at night knowing everything has been done to protect your interests.

Join the CSO newsletter!

Error: Please check your email address.

Tags digitalisationEdward Snowdenwikileaksinformation leakedbreachesHow tosonyCSO Australiarsacyber securityboard members

More about Computer Emergency Response TeamIntrusionIPSRSASony

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Gee

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place