- What is ITS?
- Can a CISO/CIO help a Board member suffering from ITS? How?
- Make a Board member’s job easy in order to lessen ITS symptoms
- Why is ITS a great opportunity for the CIO? 8 Tips for Educating a Board
- The CIO and Radical Responsibility
- Board and CIO/CISO Resources
- A Tool for Ensuring Transparency
I do believe that boards are suffering from ITS – Ivory Tower Syndrome.
What is the definition of ITS?
ITS is the profound personal discomfort that comes from having to tackle an area of business that makes one feel uncomfortable. Symptoms that emerge would be discomfort, anxiety, anger, mistrust, etc. for having to leave the comfortable confines of normal business functions to have to work with IT Security.
Practical example – A Board member needs to come out of their ivory tower and learn something they don’t have a clue about (IT Security) and the CIO/CISO has to learn something that they don’t have a clue about (a Board member’s responsibilities).
The last thing a board member or committee wants to be handed is the responsibility of IT Security. Generally, board members are not the youngest people in the world and they are being asked to review and be responsible for IT Security oversight which is largely a battle being fought by a younger generation of organized crime and defended against by a young generation of poorly trained and funded (not always) foot soldiers who are losing the battle (truth).
Don’t misunderstand me, Boards do not have a choice in this matter.
In the 1500s the Royal family (Senior Executives – King + Queen) in Europe didn’t have a choice about caring if their castle was secure. They couldn’t abdicate responsibility for checking the efficacy of defenses to someone else. Nor was there a governing body that said that walls must be x feet thick and you must do a retinal scan authentication of peasants coming through the front gate. They had to care about defense and they did.
Radical Responsibility to own the communication to the top.
A CIO must stop worrying about presentation techniques and how to pander to Boards’ and CEOs’ lack of understanding on topics related to IT Security. They are smart people and they didn’t get to the high level without being able to grasp complexity. Here is a mind-set that I want you to consider:
- Use current events to seize the opportunity to finally get the attention of the top.
- Be an educator and a teacher (See 8 tips below)
- Discuss risk. Talk about the risk of their decisions. Board members are adults. Treat them as such. Tell them how it is.
- Be assertive with communication. You are a protector.
- Even generals have body guards. If you need to leverage experts as a show of force to give a feeling that you have a team at your disposal (consultants, VARS, vendors, staff, auditors) then do so. For years Marketing and Finance have used this approach, so now it may be your turn. However, don’t give a Board the impression you know it all. You don’t, can’t and will never.
- You will need to take all of these opinions you are listening to (Internal Audit, External Audit, Government Compliance, VARs, Vendors, etc) and consolidate their messages into your story. One story. One mission. One battle plan.
- Stop wondering if you are going to lose your job if you are breached because of course this will happen. Negotiate up front that if a breach happens you will exit voluntarily, (but negotiate your financial package up front).
- Tell them that you have to assume a breach. This is the only truthful message. To see this philosophy in action, listen to an interview with Microsoft Azure’s top security guy.
- DR and BCP for IT Security – Endless dollars have been spent on DR and BCP planning so use those dollars to make sure the business can run while there is a breach and that there are not a bunch of Senior Executives scrambling and wasting resources while a breach is happening.
- Talk about a road map. Discuss your vision. Be transparent.
Great Board Communication Tools and Resources
A Ponemon Report from June 2015 is very informative as it examines the true disconnect between Board perceptions and the reality of IT Security. The report states “Board members may be overly confident about the effectiveness of their cybersecurity governance practices.” Fifty-nine percent of board member respondents rate their cybersecurity governance practices as very effective. However, only 18 percent of IT security professionals believe this is the case.
In a recent article from CSO Online, Matt Alderman, Vice President of Strategy at Tenable Network Security commented, “Instead of focusing on vulnerabilities, or tools deployed, CISOs should focus on easy-to-understand metrics that show how effective the company is at managing security” and “It’s security that keeps executives up at night, not IT infrastructure”.
I like the buzz word but the comment is a bit gimmicky. You must communicate the security of infrastructure and applications with dexterity and skill.
“Many boards don’t know what to look for in a CISO, and how to tell whether a CISO has been doing a good job or not” comments Eric Cole, fellow at the SANS Institute.
Come on, let’s get real. A board doesn’t know what to look for? You are right, but let’s not say that you don’t know what to look for. Would they say that about a CFO or a Controller? It is the same thing. How are you planning on being transparent with us? What are the ways you are going to be transparent with us? What tools are you going to use to guarantee transparency?
“My job is to facilitate the awareness of risk and be in a position of educating my leadership about what risk they are willing to accept,” said Paul Calatayud, CISO of Surescripts in the CSO Online article.
I agree with this, but how are you planning on showing these risks? With a research report? Or with a visually impactful presentation that proves you understand ALL RISKS related to business exposure related to IT.
Now this is a healthy approach that all Boards need to be educated on. Samuel Sutton, computer scientist at the FBI, Houston Cyber Squad notes, “Assume you will be attacked and focus on the prevention response plan. The reality is that there are two networks out there, those that are hacked and those that [you] don’t know are hacked”.
Here are some other articles I’ve come across:
Cybersecurity Assessment Tool (CAT) from FFIEC
Cybersecurity is a Hot Topic at Board Meetings
Board are on High Alert Over Security Threats – “By providing corporate directors with meaningful intelligence on a regular basis, savvy CIOs and CISOs not only educate their boards about the issues they should focus on as they oversee security-related initiatives; they also garner high-level support for building robust security systems and adopting processes and policies necessary to protect corporate data.”
Also in the article above:
When a Breach Happens what are the steps to take?
Radical Transparency = Radical Trust
The CIO Security Scoreboard translates the details of IT Security Management into a high level scoreboard that manages risk, efficacy of existing IT Security Assets and compares this to an investment road map.
It is a perfect tool that is used by CIOs and CSOs to build radical trust and transparency.
- For a demo click here
- To watch a brief video of how the CIO Security Scoreboard can help your business, click here
Bill Murphy is a world renowned IT Security Expert dedicated to your success as an IT Business Leader. Follow Bill on LinkedIn and Twitter. Sign up/Subscribe for weekly podcast, CIO Mastermind and CISO Mastermind updates delivered to your inbox easily and effortlessly.