How to explain cyber security to your board
- 02 June, 2015 09:03
If you're like most, you face a conflicting challenge around security: while there is increased focus on digitalisation of the business, at the same time the threats to the business have not been fully addressed – or even planned for.
The board has no doubt read reports about breaches at Target in the USA, and of technology companies such as Sony and RSA having sensitive information leaked. Board members may not be completely IT literate, but even the most technical non-savvy among them is aware of Edward Snowden and WikiLeaks.
Your goal in presenting to the board is to help them understand where the organisation's security posture is currently, and what additional investment is required to mitigate risks. Clearly, how you articulate such technical elements will be a massive personal challenge.
Given the need to be understood by all board members, you will want to dumb down the content of your presentation. Yet this is a major risk, and it can be potentially career limiting to gloss over too much detail.
A good analogy to use in your presentation is the idea of a home.
Traffic, both on foot and in vehicles, travels past your home all the time. The majority of this traffic has no interest in your home, and travels by without any threat.
Some external parties, however, may view your house as a target. And, much different than in your own home, every organisation also faces an additional, inadvertent threat from the people that live within your home.
Inside the home, there are various doors and openings to the outside world. These entry points have locks and alarms, and in a similar fashion we can consider how we secure our enterprise.
In cyber security terms, each of these rooms becomes a ‘Zone’ and there is a perimeter with monitoring of movement and access to the space.
Many homes also have extra-valuable items that are stored in a safe for additional protection. For most enterprises, the analogy is the credit card data and personal information of customers. These items are often password protected and/or encrypted, and access to the items is restricted so that the kids don’t play with the crown jewels.
Walk the board through their home
The structure of the average home offers many parallels that you can use to walk the board through the idea of the home. For example, how sturdy is the front gate? Is it high and does it appear to be imposing?
From the cyber security standpoint, the firewall provides similar protection for your network. How robust is your current firewall, and is it fit for purpose?
We all know that even the strongest gate has little value if a side gate is left open or another wall has a small gap to allow the dogs to go in and out. For enterprises we check this by regularly having penetration testing from the outside in. We also need clear family policies as to who has keys to access the home, where they are kept, whether they can be given to friends or cleaners, and so on.
Depending on our own security consciousness, we may have engaged a security company that checks on our property and responds to alerts.
Threats to the Home
There are many threats to the home and these grow and morph everyday. Hence this is a constant journey, and that’s where I guess the home analogy has some limitations.
Online businesses face threats such as Distributed Denial of Service (DDoS) attacks, which are like having thousands of criminals trying to climb your fence at the same time – and in so doing, overrun the defences that are in place and the ability of your guard dog to protect his turf.
The key is that you want the board to be concerned but not in panic mode. Therefore, it is critical that you are able to show what you have and what’s missing that requires investment.
Making my home into a fortress
'A man's home is his castle', the saying goes, and this is traditionally the approach that we have taken in enterprises: to improve security, we have just added more and more layers of defence. First, we would add an updated Intrusion Prevention System (IPS) (an alarm) and then an Intrusion Detection System (IDS), which is that nanny-cam teddy bear that monitors movement in the house.
Unfortunately, the fortress mentality has limitations and cannot guarantee that your home will be 100% secured. The complexity of the different systems makes the whole process of managing security a non trivial task.
These measures can all be undone – not only by malicious outsiders, but if one of the dwellers in the home neglects to follow basic guidelines such as changing a server password from the default or by not applying the latest security patch. Thus the board needs to understand that when there is an investment, it will need to be in people, process and technology – not just technology alone.
Furthermore, you can’t and shouldn’t ask for everything to be fixed immediately. A risk based approach needs to be adopted and measures applied that address the greatest risks to the home.
The Honey Pot
Some of the newer cybersecurity approaches revolve around distracting the bad guys away from your home. This concept of honeypotting is to draw attention and, through deception, let them into a fake firewall and perhaps even to access a contrived customer file.
The overall benefit is that you can learn how they attack your home and the mechanisms that are used to exploit vulnerabilities – and then improve your security accordingly to protect the real
NABO and Neighbourhood Watch
It’s interesting that new incarnations of the Neighbourhood Watch are coming into being with startups like NABO. These are community based networks where people share information and become a local crime stopper group.
Conversely, in enterprises we don’t often want to openly discuss such matters because we fear disclosing our own vulnerabilities. However, it is important not to operate in isolation but to share with a small community in your industry.
A great example is the British banks, which have setup real-time intelligence sharing with more than 10 agencies and bodies. In doing so, they have created an early warning cyber alert system . Many Australian organisations are starting to do the same through better collaboration with the government-backed Computer Emergency Response Team (CERT) and similar organisations.
Boards leads by example
Good security isn't only about convincing the board to invest: the board also needs to work within their own ecosystems, working with other Boards to bring their colleagues up to speed. This is not about making our own fortress so impenetrable that the bad guys go elsewhere, but rather about improving security in every organisations. If Australian organisations can introduce a high standard of cybersecurity, we are less of a target as nation.
Let’s remember: if cyber criminals can find and access your credit card information from the website of a local liquor store, this is just as damaging for you – as an individual business and as a person – as if the information had been stolen from a large enterprise.
Just as in your home, constant vigilance and care are necessary to ensure security is not only introduced, but maintained for the long run. Once the criminals are in your home, they can be hard to get out completely – but you need to make sure they are really gone and no backdoors are left.
If you cannot ensure this yourself, consider bringing in outside help so that you and the board can both sleep easier at night knowing everything has been done to protect your interests.