CISOs learn 5 tough lessons about conveying security risks

Honesty can still be the best policy, but there are some precautionary measures to take.

A CISO at a large manufacturing company walked out of a board meeting last year fully expecting to be fired after giving a presentation on security.

He had spent about a year in the CISO role and had gone into the board meeting thinking he was doing the right thing – giving members the brutally honest truth about what was wrong with the company’s information security.

“Success for them would have been for me to come in and say, ‘Don’t worry about it. I’ve got it covered.’ But that was not the case,” he recalls. “We were really starting at a very low maturity level,” with few resources and little interest in security issues. So he gave them his diagnosis.

Lesson 1: Be honest, but diplomatic.

His second error, he now knows, was that he didn’t immediately follow his diagnosis with “I have a plan to make it right” and then quickly set that plan in motion, he says. The problems were being fixed, but not quickly enough for the board. “I knew in my gut” that the board was not happy, he says. He was replaced in September.

Lesson 2: Always have a solution ready.

These are just some of the lessons that CISOs are learning the hard way when speaking to their boards of directors. After mega security breaches at publicly traded companies like Target, Sony and JP Morgan Chase, federal regulators are mounting pressure on boards of directors to be aware of cybersecurity plans and, in some cases, to be held liable if a breach occurs.

Nine out of 10 board members believe regulators, such as the Federal Trade Commission, should hold businesses liable for cyber breaches if due care has not been followed, according to a joint survey released this month by NYSE Governance Services and Veracode. Pressure is building for boards and management teams to be especially wary of any corporate behavior that can affect their brand or erode shareholder value – including security breaches. Security is now the second leading risk to a company’s brand, behind ethical issues, according to Forrester Research.


CISOs need to learn how to communicate with board members, which requires “a new level of abstraction and business orientation above what they’ve ever had to deal with before,” says F. Christian Byrnes, managing vice president at research firm Gartner.

Today, boards typically hold the entire C-suite accountable for security breaches, marking security as a broader business issue, according to a NYSE survey, but as CISOs’ profiles and responsibilities continue to rise, they can’t help but be placed squarely in the crosshairs.

Security executives – many of whom spoke on the condition of anonymity -- offer tales from the boardroom and what they’ve learned.

Lesson 3: Never surprise a board member.

“Security professionals lack an understanding of what the board of directors mean when they talk about risk,” says Elden Nelson, vice president of Wisegate, a crowdsourced IT research company that provides peer and research assisted advice and guidance to security leaders. “Security pros think of risk in terms of what they can tolerate and what they have the appetite for. Business people also have a good understanding of risk, but they think of it differently” in terms of metrics and key performance indicators.

And another thing -- they don’t like surprises.

Nelson recently led a conference call of security professionals where a global director of information security for a large accounting services network told how he had been fired after a board meeting. He, too, thought the board wanted complete honesty. He knew how to describe the problem, and he had a solution, but “he went in and ‘sprung’ the bad news on them,” Nelson says. The director’s key takeaway from that experience? “He was never going to go into a board meeting and surprise them ever again,” Nelson says.

The fired director now knows that before he officially addresses the board as a group, he needs to have confidence that they already know what the problem is, Nelson says. He’ll make sure he first talks to the people who need to hear about it privately, and then have them move it up the chain, or do it himself. He’ll also make sure he knows what the reaction to his news is going to be, and that he’s prepared with answers.

Lesson 4: Demonstrate the reality of the risks.

An information security executive at a large U.S. bank got off to a rough start with his former company’s board of directors after acknowledging that he came in “somewhat aggressively” and told them in no uncertain terms that “things were not good.” He then spent years taking “measured steps to improve the relationship and demonstrate to the board that this is a business issue and a risk management issue. It isn’t a techie issue,” he says.

One of his most effective tactics was to give board members a hands-on demonstration of the specific threats the company was facing and what he was doing about it.

“We would take a corporate issued laptop, put it in front of them, and then have one of our Red Team hackers break into it,” the security exec says. “He would turn on the camera, turn on the microphone, access documents. The response was, ‘Wow! They can really do this? We had no idea.’”

The Red Team also showed how a sophisticated attack could be brought on the network and compromise sensitive data. The security executive gave each board member a tablet with the same access, privileges and security that company employees have, and showed them the dangers of emailing sensitive documents to their Gmail accounts, for instance, or how a hacker could send a fraudulent email to their own assistant that appeared to have come from the board member’s email account.

“By experiencing a little bit of pain and not receiving special treatment because they’re the board, it keeps their minds focused on security,” the security executive says. “The next time they travel to a high-risk country like China or Russia, and we want to issue them a burner phone or laptop, it helps them to get it.”

Lesson 5: Be careful answering the question, ‘Are we safe?’

It’s a simple question that can trip up a security executive: Are we safe? Don’t fall for it, security experts say. “Anyone who says, ‘yes, we are safe,’ is really blowing smoke,” says Brian O’Hara, information security officer at Do It Best Corp., a global hardware co-op in Ft. Wayne, Ind.

When faced with that question by a board of directors, O’Hara likes to pivot to a more circumspect answer. “What I can say is here’s what we’re doing, here’s what our peers are doing, here’s what best practices show, and we fit somewhere in the middle,” O’Hara says. “We’re doing everything reasonable in our business and industry that we should be doing.”

As for the former manufacturing CISO, he will take some valuable lessons with him to his next job – including spending more time forging relationships with leadership, educating the board, and scoring some quick wins. “You don’t have to fix everything,” he says, “but you have to fix some things, and they need to be visible fixes.”

Stories by Stacy Collett