The Dilemma of Information Security Data in the Boardroom
Lee Parrish
Vice President & Chief Information Security Officer | Author | Boardroom Qualified Technology Expert (DDN) | CIO | Infrastructure Leader | Human Resources | Combat Veteran USMC
Detective Billy Rosewood: “By the time the average American is 50, he’s got 5 pounds of undigested red meat in his bowels.”
Sgt. Taggart: “Why are you telling me this? What makes you think I have any interest in that at all?”
- Beverly Hills Cop, motion picture, 1984
Not all data is for everyone.
As CISOs, we strive to deliver actionable data that meets the goal of the audience (whoever they may be) for their specific area of responsibility. I think it is important not to gloss over that last sentence; it is what drives this entire article, so it is worth reading a second time.
Unfortunately, I believe we often are not delivering data to achieve the goal mentioned above.
Who is the Audience and What is their Role?
The first step in providing data is simple, but often forgotten: know your audience and their goals. The metrics and data I am about to critique may be perfectly fine for your corporate management team or other audiences. The focus of this article however is delivering data to the board of directors or board committee (from here on out, board and committee are used interchangeably as “the board”) and that is where I believe the data we sometimes present is not as useful as it could be.
Consider the goals of meeting with the board. Their objectives are to evaluate management’s strategies, question, challenge the strategies when appropriate, and provide oversight to management’s actions – all with an eye to protecting shareholder value and adhering to compliance regulations. So, what is it you are trying to achieve with the data you present to the board?
Is it to convey that cybersecurity is a critical business topic and the impact of a cyber breach can be significantly costly? The board already knows this.
Perhaps it is to express exactly how much a cyber breach would impact the company in financial terms? Layered alongside data about current security controls, the CISO can then show the return on investment for additional security controls and how it dramatically reduces the risk of a future attack. Even if those numbers were accurate, which they are not and we’ll get into that soon, what is the very next step the board director can take with this information? What action is the CISO hoping for?
Is it to gain funding for your cybersecurity program? I’ve worked with ten different boards over my career at seven different companies and never went to the board to request funding. Not once. That is a management function best directed (by the CISO) to your Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Information Officer (CIO), and other executives.
CISOs have thankfully moved away from (or should have by now) presenting technical metrics that show, for example, the number of vulnerabilities across the company’s technology landscape. Armed with this information, what is the very next step the board member can perform: work to patch those vulnerable systems? Of course not; that obviously isn’t their role. So, what is the value in presenting such technical data to a director on the board? You probably guessed it: there is very little value. It’s useless for them in their role.
Maybe the goal is to show how the company’s security posture measures up against other companies in the same industry? There are at least three problems with this: 1.) The data is subjective in nature and may be the result of interview-based assessments. 2.) The board member learns that the company is a five out of five on the CMMI model in the vulnerability management domain (for example), or ninety-seven percent effective in a report from a consultant. What does the director do with this information? 3.) Suppose a breach happens due to a critical vulnerability that wasn’t patched in a timely manner? You previously told the board this domain was optimal and scored at the highest level of maturity. They’ll ask why, then, the company was breached as a result of this highly scored domain. This is especially problematic when the CISO conveys to the board a very mature security domain posture, but reports to the management team that investments are needed in that domain to enhance it further. These communications are internally and externally inconsistent; I believe all CISOs have read about the personal liability issues with communicating in this way. Lastly, every company is different, with varying levels of risk, security budget, and corporate strategies. Comparing to another company’s security posture may not be effective.
Before you show any data, reflect on the board’s responsibilities and how the data you present helps them to fulfill those duties.
Assumptions with Data
For each data point, there is often a long list of assumptions behind the data. For example, an industry or cybersecurity company’s report may say that 85% of companies have an exposure in <insert a security domain here>. Dive into the assumptions and you may find that the results are only from the cybersecurity company’s customer base, not the industry. Also of interest is this data may be from customers who have recently experienced a breach and requested services from the cybersecurity company and may not represent a more mature security organization. Or perhaps the data reflects information garnered from a survey? How many participated in the survey, 100 or 100,000 respondents? Who took the survey; someone with a complete understanding of the questions being asked? Was it just a U.S.-based survey, or did it include international responses?
Particularly interesting are financial data models associated with cybersecurity. I’ve seen ROI calculations that show, prior to security controls being implemented, the financial risk for the company is, as an example, $97.3 million. Spending $28.2 million in risk-reducing controls will lower the after-control implementation risk amount to $69.1 million. Another metric that could be used is the very specific reduction in risk costs as a result of increasing the deployment of a company’s endpoint detection sensors to a precise percentage of employee computers, as well as corporate servers. There are so many assumptions behind all these numbers I can’t even begin to question them. And your board members will definitely question the assumptions behind the data.
Keeping with the topic of security financial data, the specific costs impacting a company as a result of a data breach are loaded with assumptions as well. First, are the numbers inclusive of operational response costs, brand value impact, and corporate valuation impacts – or just operational costs? Brand and valuation impacts are enough to frazzle even the most experienced finance executive, so let’s stick with just the financial data directed at the operational costs of recovery. In the total dollar (or other currency) amount, a seasoned business executive will want to understand what goes into that number. It can’t be a response of “that is the industry average cost of a cyber breach”. Are you prepared to explain the notification costs, if any; 3rd party response services; technology costs; labor costs for internal employees working the response; outside counsel costs; ransomware costs for an attack where you haven’t learned what the ransom amount is yet; lost labor and production costs associated with the core business as a result of realigned labor efforts to the response; and so many more expenditures? If there is lateral movement to other systems and business services, were those costs included in the number?
Let’s imagine that the specific cost of the data breach for a company is super accurate (it won’t be, but let’s assume for a minute it is): what is the purpose of providing that data point to the board? We covered that boards already understand that cyber breaches negatively impact the business. If it is to inject some fear, uncertainty, and doubt to obtain more security budget, we already outlined that we don’t go to the board for funding. Some may say it provides a good variable in the data model that allows for a comparative decision on whether to incur costs associated with enhancing the security controls of the company, or to just accept the financial impact of a breach. Lost in this argument is the fact that the financial data presented is for just a single cyber breach; what if there are two to three breaches for a company in the same year? The question remains: how does the board use such financial data related to security to meet their goals?
The Likelihood Dilemma
Have you ever had to move an outdoor wedding, or a planned picnic by the lake, indoors because of a sudden Spring rain shower – especially after your local news meteorologist forecasted no rain that day? The meteorologist leverages radar and significant amounts of scientific data, barometric readings, and historical trends to predict the weather. But in the end, it rained on you.
In my hometown, there is a vacant business surrounded by a few thriving small businesses in a busy shopping center. The vacant business used to be owned by a fortune teller who provided services to look into the future of their customers. I always wondered why a fortune teller couldn’t predict that their business would end in closure and pivot to another option.
When you look at a company’s earnings or other materials, you’ll find a safe harbor assertion that covers forward looking statements. They outline that predictions are not guarantees because there are inherent difficulties in predicting future results.
Sales professionals submit sales forecasts that predict the number of deals they strive to close in a quarter, or perhaps the number of leads they will develop – all prior to those events taking place. It may be the case that those targets are not met in a given quarter.
Forecasting inventory can often be very effective, but there are external elements that can negatively influence that effectiveness. Consumer purchasing trends, transportation issues, or perhaps a global pandemic – external factors such as these are difficult to predict. I thought about this quite a lot as I went from store to store looking for bathroom tissue and hand sanitizer in 2020.
These examples, and many more, demonstrate the inherent difficulty in using predictive data to ascertain real outcomes. But as CISOs, we sure like to use them anyway. There is value in many predictive data points; however, as with safe harbor statements, I argue that leveraging them to make real security decisions may present issues. For information security, one of the common factors in data modeling lies with “likelihood”. For example, the financial impact of an event, multiplied by the likelihood percentage of that event, will provide the total risk in financial terms. While it may be reasonable to come up with the financial impact amount, specifically for things like the total number of products manufactured by a plant in one day as an example, the likelihood metric has always caused me angst.
The likelihood metric details the probability of an event taking place, and it is fraught with complication. As an industry, do we really think we can account for all of the disparate threat actors in our universe to come up with a percentage of how likely an adversary is to exploit a risk in our specific company at some point in the future? Yes, there are good data points on formalized attack groups from specific countries that target specific industries. But can we precisely identify all of the eCrime, APT, hacktivist, insider threat, and lone hacker actors operating today to put a precise percentage to it? Additionally, how can we know the intentions of a lone hacker, or his/her expertise in breaking into our specific corporate environment? I agree that we can assess our security controls and determine that the probability of an attack increases if the controls are weak, but to put a precise percentage to that, which includes external variables such as intent and hacking expertise for every person who seeks to cause harm and disruption to the company, is outside of our capability. As I questioned earlier, what is the very next step a board member can take armed with the knowledge of a specific (and likely incorrect) percentage of likelihood for a risk?
The Variability of Cyber Fluency
Just like every board is different, each member of the board has a different level of cyber fluency. I have worked with some committee chairpersons who knew information security and knew it well. They asked fantastic questions that really drew out wonderful conversations on the company’s security posture. Other board members over my career, those who dedicated their professional careers to other business disciplines, did not have a deep understanding of security. As CISOs, we need to tailor our board briefings to the cyber knowledge of the directors so they can perform their oversight duties. There is a scene in the movie Armageddon when a team of scientists, led by the actor Billy Bob Thornton, are explaining to the U.S. President that an asteroid is on a collision course with Earth. “How big is this thing,” the President asks. A scientist says, “Sir, our best estimate is it is 97.6 billion…” and Billy Bob Thornton interrupts the scientist to say, “It’s the size of Texas, Mr. President”. He provided the information in a way that the significance of the event could be understood.
The Clock is Running
Underpinning all of the issues outlined above is one consideration that drives everything we do in our visit to the boardroom: the very limited amount of time we have to brief the board. Let’s assume an average cybersecurity update to the board is fifteen minutes per quarter (your time allotment may be slightly more or less): do we really want to use that time explaining all of the assumptions behind the data we present, particularly when that data doesn’t directly aid the director in performing their role as a board member? Do we want to burn up minutes having a debate on the differences between predictability and probability? There simply isn’t enough time to explain it all. Each quarter, board members receive a board book that can be up to a few hundred pages. They need to know the bottom line: get in, explain the status of the program, convey concerns, answer questions, receive their oversight, and get out.
Is There a Better Way?
As mentioned, every board is unique, and it is up to the CISO, with some input from the board and management, to decide the most effective way to convey the status of the information security program for the company. What has worked for me over my career may not be the right path for you and your board. But here are some content tips I found to be successful for the boards I’ve worked with over the years.
- Structure the presentation so that each update builds off of the last. Each briefing is one chapter in a larger book.
- Highlight extraordinary security events that critically affected business operations or had significant regulatory impacts (to put it another way: a material event). The board will have already been notified of the incident, but you can provide the commentary on what has already been done to reduce the risk of future occurrences, or the strategy to do so.
- A narrative and focused conversation on the company’s layered security controls (i.e., the diversity of cybersecurity vendors and technologies used), contributions to business resiliency, and the application of due care to the security posture of the company.
- Progress on the implementation or enhancement of security controls, how barriers were addressed, and what’s left to accomplish, in a prioritized manner. Use metrics that tell the story of the evolution of the security program: effectiveness of controls and how they relate to top industry threats. Examples could include: time to detect, time to respond, top threats, and other fact-based, non-predictive analysis.
- Be prepared to answer questions about an industry breach, particularly one at an industry peer. What was the nature of that breach, and how does our company protect itself from something similar happening?
- Current and emerging security news, i.e., regulatory initiatives, SEC disclosure regulations, etc.
- Special topic: in addition to the regular content, consider a special topic for each briefing that makes up 25% of your time in the board presentation. Topics such as how the company secures its specific financial systems, the company’s third-party risk management program, securing artificial intelligence, or maybe the company’s use of multi-factor authentication, etc., could add value. I suggest doing these toward the end of the briefing.
- A summary of the effectiveness of the annual tabletop exercise: what worked well, where challenges remain in our incident response program, what we’ve done about those challenges, or the strategy to address them in the future.
- How information security supports key corporate strategic initiatives, large shifts in strategy, mergers/acquisitions/divestitures, etc., to continuously monitor risk.
- Leave time to answer questions. Be prepared to honestly and effectively answer this question from the board: Are you aware of any material gaps in the cybersecurity program, and do you have all of the needed resources to address those gaps?
- Leave time to receive the board’s guidance and oversight.
You’ve probably noticed a few trends from my suggestions. First and foremost, it is a conversation, with a focus on a narrative style: the content is designed to invite a discussion. You may have noticed much of it (not all) is in the past tense, and this is by design. I don’t go to the board to discuss issues preventing us from accomplishing a goal; I go to the management team for those. I go to the board to discuss what we actually have already accomplished when faced with those issues. Past tense. If for some reason there are residual considerations to make, I discuss the strategy we have to address them and the progress in meeting that strategy. The role of the board is to evaluate our strategies, challenge them, and provide oversight, not to work on or solve the issues.
My goal in writing this article is to share (what I believe may be) a contrarian approach to leveraging data in the boardroom so that it drives meaningful conversations. I am not a data expert by any stretch of the imagination. But I have sat shoulder to shoulder with the highest levels of corporate governance for twenty-four years to discuss information security. With your feedback, together our contributions to increase our effectiveness will be far greater. How much greater? At least 83.4%... never mind, it’ll be as big as Texas.
Lee
This sounds like a thought-provoking perspective. It's always valuable to challenge conventional thinking in the boardroom. What specific insights do you believe will resonate most with your audience?
Chief Marketing Officer | Product MVP Expert | Cyber Security Enthusiast | @ GITEX DUBAI in October
4 months ago: Lee, thanks for sharing!
Client Manager - NY Metro
7 months ago: Very interesting, Lee.
Deputy Global CISO, Aflac
7 months ago: What a great article, Lee! Thank you so much for taking the time to share your experience and knowledge.
Information Security | Product Management | Cyber Law
7 months ago: Very informative, thanks for sharing.