teissTalk Host Geoff White was joined by Paul Lewis, Senior Director of Cloud Security, Elsevier; Simon Mair, Head of Information Security and Data Privacy, Brewin Dolphin; and Brooks Wallace, VP Sales EMEA, Deep Instinct.
Views on news
The Facebook outage has been a lesson in business continuity and concentrated risk. It turned a benign configuration challenge into a blackout, where security controls prevented recovery. Although news of FB using angle grinders to access their server cages hasn’t been confirmed, it’s symbolic of the challenges self-sufficient processes combined with a single point of failure can present.
Facebook employees were denied entry because their entry passes linked into the same information security systems as the rest of the infrastructure. The outage can be seen as a low probability but extremely high impact (black swan) event. (See also the Carrington event)
Communicating cyber risk to the Board
Three-quarters of those in the chat room said they have conversations about cyber risks with their boards. The average time allocated for CISOs to explain threats is thirty minutes. CISOs need to face up to the fact that the risk they bring to the board is only one of many; the board also weighs plenty of other, operational types of risk. The most typical question CISOs are asked by the Board is “Are we secure?” But it is hard to give a straightforward answer, because the honest one is “it depends”.
The Board is aware that if a ransomware attack does happen, it cannot shift all the responsibility to CISOs and technology. There is also a trend among businesses to pre-purchase cryptocurrency in preparation for a ransomware attack. However, it seems that the increasing frequency of attacks has not changed risk tolerance in general, but it has definitely led to higher awareness of this risk area. Another type of threat that boards have recently gained a better understanding of is supply-chain and third-party risk.
Listen to how others talk about risk at board meetings and align your communications with them. Translate the technical language into layman’s terms (“Test on your mum the effectiveness of what you are about to share with the board!”). Make it simple: what’s the problem? What are the possible solutions? How much will the problem cost to fix? Products such as Deep Instinct’s ransomware warranty, which covers up to $3 million per company for a single breach, can simplify the conversation considerably once the board’s buy-in is secured.
Translate cyber-security risk into operational risk (e.g., clients can’t pay their mortgages or withdraw money from ATMs). Once you have the board’s ear, don’t waste your time on pretty charts or infographics. Simple, easy-to-understand communication may give you better leverage. Train your board, as cyber-security expertise is not always there.
Although explaining how many millions of pounds victims of ransomware and other attacks could have saved had they had good security controls in place can be compelling, don’t scare the board into cyber-security spending; instead, explain to them what good practice and cyber hygiene are. Keep an eye out for disgruntled employees, as they may become insider threats.