Teiss.co.uk met up with cybersecurity expert and author Raef Meeuwisse at ISACA’s Euro CACS to discuss how the real barrier to patching cybersecurity risks is, in how it is communicated to the Board.
Teiss.co.uk: You used a very interesting picture of a gob-smacked child in your presentation to describe ‘Board’ reaction to cybersecurity, what was that all about?
Raef: My presentation at ISACA’s Euro CACS was targeted at professional cyber security auditors. It was how to identify gaps and close them. However, being able to identify and take action isn’t the hardest part. The hardest part is going to the Board and getting them to understand it. So my presentation really resonated with the attendees.
We call it ‘The Medusa Effect’- If you take an overwhelming body of information and fact and bring it to the front of an executive body, it is like you have brought Medusa into the room. They [the Board] will look everywhere but at the problem and look for the earliest opportunity to either exit the room or marginalise the problem and pretend it never happened.
You could tell that it really resonated around the room. It is all about presenting the problem in a manageable way, understanding that people have comfort zones and understand issues differently.
If you want to affect a change then you have to present cyber security as a business problem. Present it in business language.
Teiss.co.uk: What is it being presented as currently?
Raef: Currently it is being presented as an IT problem. One of the attendees here said to me that the problem with the Board is that they still think that technology means Twitter and Facebook. Or that it is a peripheral issue that can only help their company in a certain way.
As we saw with the British Airways issue, when technology goes down, your whole business goes down. So technology isn’t something peripheral any more- it is absolutely vital. However, organisations still tend to think of technology as something that needs to be put in the corner and they forget how critical it all is until they are hit by an outage and their whole network goes down. Those risks are very real and organisations need to remember that even if they haven’t been affected in the past, things will not continue the same way. They need to take counter-measures against breaches that are bound to happen.
Teiss.co.uk: It takes breaches for the Board to take notice?
Raef: I was recently having a very interesting discussion around ransomware and someone fielded the idea that what if we start putting clauses within contracts with our suppliers to say that if they are found to be paying ransomware, they will have their contracts terminated? This is because a lot of organisations are advised to never pay out a ransomware and instead solve the problem. I have heard of instances where companies are getting Bitcoin accounts together so they can pay off the breaches that are bound to happen. It raises questions around governance.
Teiss.co.uk: But from what I have heard, isn’t it usual practice to pay off a ransomware attack and then fix the gaps?
Raef: In terms of ransomware payments, every security department tends to believe its own approach is correct irrespective of how good or bad it really is. So if you speak to a number of different organisations, there will be a variation of opinion. However, a majority of them, from a good governance point of view, will say you shouldn’t pay ransomware. This is because, by paying ransomware you are sending out a signal to cyber criminals and they will just go back and tell others: ‘Hey, that company there pays ransomware.’
Teiss.co.uk: What if you shut the door later on?
Raef: Because you have the gap in the first place, in all likelihood, it isn’t your only gap. Every single mega breach has been a result of atleast three different major or critical security control gaps in the first place. There wasn’t just one critical gap in the Sony, Target and NHS hacking/ransomware cases, there were a multitude of gaps present.
If an organisation says they were hit, there was a gap and they paid and the gap was closed, in all likelihood, the gap they closed was not the only one and the underlying problem and opportunity will often still persist.
Teiss.co.uk: Apart from when there are breaches, what’s the usual time taken by the Board to start investing in cybersecurity as a whole?
Raef: This is a very hot topic for most of our members. Unfortunately, it is still rare for an organisation to have an up to date information inventory. That is to know concisely where and in what form their information assets are in. If they don’t have that, they are not able to have the right security structure in place. I asked the attendees to put their hands up if their organisations had an upto date data inventory in place with the right data governance and client confidentiality and privacy labels in place, not one single hand went up. The reason is not because members don’t know what to do, they know exactly what to do. This is because the labelling is incorrect. This is because the processes and effort required to accurately maintain an information asset register are often misjudged as being too great.
However, the importance of information security is still changing. Although many organizations still do not yet have a CISO in place at or reporting to the main board, it will become more usual. In fact even a keynote speaker from the US Department Homeland Security in 2014 said at an ISACA conference, in the coming years, it is going to be normal for a CISO to be on the Board with the CFO and the CEO.
From a governance perspective when a CISO is atleast reporting into that C-level, security tends to be very good. Changes needed don’t happen unless CISOs report to the right C-level executives. Culture is also definitely a large part of the challenge. Security is often still treated as the elephant in the room and there isn’t much understanding around it. Over next years, we expect that the security aspect will become as important as the financials.
Data is the new currency. So the CISO position makes sense to be at a board level position. CIO is about optimising information, it is the S, the security side that makes it all the more relevant to organisations.
Teiss.co.uk: Isn’t it down to the fact that security can tend to be more difficult to understand than it needs to be? There is too much jargon around it?
Raef: I agree totally. Security problems need to be presented in plain English, as business risks. Identifying and siloing information relating to breaches isn’t really important. It is important for you to be able to communicate it. I always emphasise that there are 3 versions of communication: what you think you said, what you actually said and what they heard you say. The most important is what they heard. The words ‘business and operational risks’ will get you heard more than ‘IT risk’.
Teiss.co.uk: Words and acronyms around cybersecurity, they don’t really help, do they?
Raef: I think the real problem is that most organization are still thinking in silos, without understanding the wider impact. They think of each department budget as an isolated target they can make decisions without considering the wider implications.
For example, with the recent BA outage, there was a lot of comment on social media on how they moved technology from in-house to an external service that does not appear to have had the right level of resilience set-up.
However, this is a good example of silo-based thinking. They probably thought they would save a huge amount of money doing that. Any near-term operational technology savings will have been dwarfed by the cost and impact of the slow technical recovery.
If I present a cyber risk to a Board in a business way, that I need investment to prevent a critical risk to our brand, one that could cause operation level disruption, there wouldn’t be much questioning. However, if I presented the same risk to the Board as just a technical or technology risk, they would say: ‘It doesn’t make sense’. Therein lies the problem. You need to present cybersecurity in the language and in a manner that stake holders will understand.