Archives For Board of Directors

What Question Is Most Often Asked of the CISO by the Board of Directors?

And What Questions Should They Be Asking?

The big question being asked, according to Kim Nash, columnist for the WSJ, is: "Whether their company is vulnerable to breaches similar to those at Target Corp., Anthem Inc. and the U.S. Office of Personnel Management (OPM)?" There are two things to consider here. First, who can answer this question? Second, is it the right question?

According to Kim, it's not the right question. But let's start with my first concern: who can answer this question?

Will We Be Hit Like Target, Home Depot, or OPM?

Most executives can't answer this question honestly, and their security team doesn't really have a clue either. If they did, we wouldn't be reading these stories every day. And if you look at the stories being published, it's the big companies that make headlines, yet statistically about 60% of breaches hit the SMB market, and most of those breaches never make the news. So the board can ask, but it's not likely to get the real answer.

If you didn't see my comments on OPM, you might want to take a look (read about Donna Seymour and OPM's failure to protect our nation's critical personnel data). The board is missing the mark here because it misunderstands risk. In my book, The House & The Cloud (2nd Edition), I've given a lot more attention to the impact vs. likelihood graph than I did in the 2007 version; it's the model I use to communicate risk to business leaders.

If you know security, the concept is pretty simple. The missing link in most assessments is a measure of likelihood, and that is what the board is really asking for, even though it asks the question incorrectly. What the board really needs to know is: Where is our data? What are the top 3 to 5 threats we are facing right now? Given those threats, what are the odds we'll be hit over the next 12 months? (More detail on how to figure this out starts on page 194 of The House & The Cloud.) As I said in my latest speaker promo video, risk needs to be presented in simple business language, in terms everyone who uses and depends on data can understand.

One thing everyone must come to grips with is that every company is vulnerable, just like Target, JP Morgan, Home Depot, and most recently Ashley Madison.

The question isn't "Can they get in like they did at Target?" Rather, the board should be asking, "Can we detect a breach in time to stop the damage?" Remember, like a physical robbery of a house or a bank, hacking takes some time and it makes noise, but you won't hear that noise with your ears. You need detection technology in place, collecting logs and alerts from the systems that hold the data, and people with the skills and understanding to turn that data into intelligence.

So what’s the right question? Can we detect and respond before it’s too late?

Are You Getting To The Board?

Have you ever been invited to meet with or present to a board of directors? It's a powerful moment in the sales cycle if you have something meaningful to say. Yesterday I was working with a rep on some strategy as part of the SVLC Security Mastery Sales Program. We were discussing strategies to get a CEO or board-level meeting.

Most reps are still working at the IT Director level. Remember, the IT Director is low on the liability list for security. They might lose their job, but getting a new one, if they know security, won't be hard; in fact, they may get a pay raise. On the other hand, people like Donna Seymour of OPM are in trouble. (Again, read my post and consider Donna's situation: is it her fault, or is there something bigger going on here?)

Now is the time to move up. Company leaders need more security insight right now, and the WSJ is backing you on this. The CISO cannot possibly figure all of this out in a vacuum, and aside from some of the largest accounts out there, their people won't have the experience to do it either. Managed services with a security focus, backed by skilled security experts, are needed to collect and analyze the data and repackage it into something business leaders can use: intelligence.

What About SMB Companies?

Don't let the Board of Directors angle keep you from your SMB accounts. The SMB is under fire right now, and the owner of that business is in a position similar to the board's. They need to know the same things; they just have fewer resources to figure it out.

© David Stelzl, 2015


Here's Why Executive Level Prospects Should Attend Your Next Lunch & Learn

And What You Should Be Presenting On

Next week I'll be speaking in Louisville, KY, at yet another lunch & learn. The question is, do people still attend these, and why should they? Well, this morning's WSJ article, Boards Struggle With Cybersecurity, Especially in Health Care, answers the question. "Board members, [and any C-Level executive] need more education," writes columnist Kim Nash.

Every company is facing these threats on a daily basis, yet only about 11% of business leaders claim to really understand data risk. This figure comes from a survey of 1,034 directors. And while healthcare data is some of the most sought after by cybercriminals, healthcare leadership ranks as one of the least educated groups in this study! On the high end (high-tech companies), only about 31% have a thorough understanding. In other words, most industry leaders are completely unprepared to make wise decisions when it comes to mitigating risk.

Healthcare Leaders Need More Security Awareness Education

Last year I experienced this misunderstanding as a speaker at a healthcare conference in Denver. Every security-related session I attended focused on compliance. HIPAA is important, but it has little to do with risk. I started my session by asking the audience to set compliance aside for an hour while we talked security. They seemed surprised by the idea. After my session, several commented that they had no idea what was going on. Kim Nash quotes Charles W.B. Wardell, III, president and CEO of executive recruiter Witt/Kieffer, stating, "In health care, the need for security knowledge is urgent, ...Many [health-care] organizations are conducting risk assessments regarding their information security programs and preparedness and are alarmed at what they're finding." Having personally worked with many security providers who perform these assessments, I can confidently agree: most of them are turning up urgent issues.

Study results presented in the article showed that just about every industry other than IT scored 20% or less on having a high degree of knowledge. More industries reported "Some Knowledge," but many reported "Little Knowledge."

When Is Your Next Lunch & Learn? Fall Is a Great Time. Now Is the Time to Plan It.

Should you be setting up more security-focused lunch & learns? The answer is, Yes!

However, these groups don't need product knowledge. They don't need to hear sales managers, channel managers, or even your local SE talking about products, services, or esoteric technology jargon. What they do need is straight talk on trends, likely threats, big mistakes being made, and why so many companies are losing the battle. They need intelligence they can use to make wise decisions regarding access to data, policy, hiring, outsourcing, and budget justification.

These are the kinds of things I'll be addressing next week, and they're the same things your clients and prospects need to hear. If you get pushback on attending, you might want to point them to Kim's article (available on the WSJ website).

© 2015, David Stelzl

PS. Check out my new security website. It's a work in progress, but here it is:

www.stelzlsecurity.com