The Cyber Boardroom: Why, How, and What (v0.4 - First MVP)

Based on Simon Sinek's "Start With Why" concept, here is my attempt at creating the "Why, How, and What" for The Cyber Boardroom .

Why - We need better cybersecurity decisions. At the moment, we known that the relationship and interactions between business stakeholders and cybersecurity professionals is not working as it should. The key problem is a problem of scale. We need to enable these stakeholders to understand, learn about, and engage with cybersecurity, and empower them to make decisions that are fact-based, risk-based, and aligned with business objectives.

How - We need a Translation and Collaboration Platform: We need to translate the knowledge, information, requests, and actions that CISOs and cybersecurity professionals have into something consumable by stakeholders. The problem is that even when this happens well, it doesn't scale. Currently, cybersecurity professionals lack an effective collaboration platform that allows the mass creation of customised and personalised cybersecurity content. More importantly, we need a platform that facilitates engagement with that content and the learning of both sides—how to present and how to consume that cybersecurity knowledge.

What - We need The Cyber Boardroom: which is the platform I am creating to help bridge the gap between stakeholders and cybersecurity professionals. I'm also open sourcing most of that code via the OWASP Security Bot project.

The WHY is the fact that we need to make better cybersecurity decisions.

Here I present two main paths into cybersecurity: one for the Board Members, whom I call the stakeholders, and one for the CISOs, whom I call the professionals.

Board members need to learn and engage in cybersecurity. This is very important since board members have a large number of legal, strategic, moral, and fiduciary responsibilities regarding cybersecurity. In 2024 this is getting more and more important. In fact, we are starting to be at a point where it can be argued that a board will not able to do their jobs effectively if they don't have an effective way to consume, interact with, and make decisions about cybersecurity.

On the other side, CISOs and cybersecurity professionals need a way to translate, personalise, scale, and respond to their business stakeholders, while relaying the information, knowledge, and decisions they want to convey.

When I was looking at who the stakeholders are, I actually mapped a wider group than just board members. For example, I think this is very applicable to any business executives impacted by cybersecurity decisions, investors who need to ensure that the companies they invest in are doing the right thing from a cybersecurity standpoint, and even regulators who are on the receiving end of a lot of cybersecurity knowledge and information that they need to process effectively.

On the professionals' side, in addition to the CISOs, and the other cybersecurity executives/managers, we should include the massive list of cybersecurity products and services who will benefit tremendously from a much better way to translate their value proposition to business value. Additionally, regulators also need to translate what they do into business value, which will drive adoption and a much more proactive engagement regarding regulation.

HOW we achieve this is by creating a translation and collaboration platform.

The translation element is very important here because what GenAI and other LLMs (Large Language Models) do very well is translation.

They excel at creating a representation of the prompt given, often called a latent space, which captures all the relationships in a spectacular multi-dimensional graph. This is one reason why they are so effective at translating from one language to another and from one persona to another. In this case, we are translating cybersecurity knowledge from the technical realm into the business realm.

Let's expand on the two paths: the Board Members (the stakeholders) path and the CISOs (the professionals) path.

Board Members need:

• Personalised, business-context information
• Up-to-date content in their language/culture
• Actionable insights, decision requests, briefings, knowledge, facts, and risks about cybersecurity
• A safe space to learn, in an environment that is private, where they can learn about cybersecurity, understand what's being presented, and grasp the implications of their decisions

My experience is that most board members are incredibly intelligent and experienced, which is why they are in those positions. However, they often lack deep cybersecurity or technological knowledge. Therefore, we need to translate cybersecurity and technology concepts into frames of reference that board members can understand, enabling them to make informed decisions.

CISOs need:

• A scalable platform to translate their complex cybersecurity domains, into the business and strategic domains that the boards operate in
• A platform that creates a cybersecurity 'translation and actionable layer' in a way that can be dynamically engaged by stakeholders, who can ask questions and seek clarifications, providing a much clearer picture of the actual situation.

These communications and interactions have traditionally been a challenge for most CISOs and boards. Business-minded CISOs might lack deep technical knowledge, while highly technical CISOs may struggle to communicate the value and needs of their teams effectively.

The WHAT is The Cyber Boardroom, which is the platform I'm creating to help bridge the gap between stakeholders and professionals.

During the current initial development phase, I mainly focused on the ideas described below, since I wanted to make sure that The Cyber Boardroom had solid foundations and would scale.

Let's expand on some of the key concepts that power The Cyber Boardroom:

• Powered by GenAI: This is the key technological backbone of the entire solution. Without GenAI, it wouldn't be possible to create the mass personalisation and translation of cybersecurity content.
• Multiple LLMs: One of the early insights that I had, was that the action was mainly happening at the prompt layer. The idea (aka Wardley Mapping) is to use the LLMs as a commodity, leveraging multiple models, sequentially or in parallel, and determining the best one for the task at hand. The Cyber Boardroom already supports the main LLM's platforms/models. The challenge now is to figure out which ones are the best for specific workflows, at optimal quality, speed and cost.
• Private and Secure Mode: Due to the type of content and threads that will exist in the more advanced use cases, there is a massive need by both stakeholders and professionals to have privacy-by-design and secure environments to engage with their content safely. Many startups spend significant resources in trying to create multi-tenant environments to host their clients' data and workflows with the required privacy and security capabilities. Instead of doing this, my focus was in the creation of a single-tenant solution that can be executed on varying scales, from small compute units to large deployments. The current platform can already run inside a Lambda function, Kubernetes pod, dedicated VM, cloud VM, or even on a laptop. You can start a full instance of The Cyber Boardroom Community Edition with a Python pip install command or a Docker Hub image pull. The heavy lifting is handled by LLM hosting providers, and with tools like Ollama, we can now run models on desktops or laptops, enabling offline functionality. This approach creates a secure environment for engaging with sensitive content, with minimal costs.
• Multilingual by Design: Modern LLMs already support natively multiple languages, enabling the creation of fully multilingual environments, with chat workflows and eventually the entire UI, being available in multiple languages.
• Multicultural by Design: With these LLMs we can also customise content and workflows to fit the user's cultural context, including if they prefer formal, humorous, or sarcastic tones. This customisation can also take into consideration how different cultures react to the same information, content and engagements.
• Mass Customisable and Personalised: The objective is to create highly targeted personalisation and customised experiences at the user level. This capability will also allow users to engage with certain personas or act like a specific persona.
• Workflow-Driven UX: We are experimenting with using LLMs as a business layer to create workflows and UI screens that are not purely chat-driven. This will significantly improve the user experience.
• Content Provenance: A big area of focus is on providing a high level of provenance on the information presented to the user. In fact my ideal LLM model would be one that brings no (as in zero) content, with all content provided in the prompt, and the model 'only' focusing on the analysis and the translations. One interesting area of research is on ways to create provenance graphs and visualisations that clearly show the sources and facts behind particular outputs.
• Peer-Reviewed Content: Building on the idea of provenance, the idea is to develop a graph of peer-reviewed and user-curated content, specially as more users share their opinions and confirm facts.
• Deterministic GenAI Workflows: One pattern to reduce hallucinations and achieve deterministic behaviours, is to chain multiple LLMs together or in parallel, leveraging their ability to understand and double-check the accuracy and effectiveness of the provided information.
• Simulate Business Stakeholders: This feature allows the creation of different personas for board members, enabling the users to: ask questions, chat or present scenarios to those personas, and see what would be a typical response for that persona (you can try in today on the Multiple Board Personas MVP ).
• Simulate Cyber Professionals: The reverse is also quite interesting, were it should be quite useful to allow board members to preview potential answers from cybersecurity professionals in response to their comments, questions, concerns and decisions.

Thanks for reading, and I would love some feedback and suggestions :)