With increased media attention on security operations, are boards maintaining the right focus when it comes to cybersecurity?


CISO in Software, 51 - 200 employees
At least in the industries I've been in, when you talk to the boards, they are very interested in meeting compliance and passing audits. When I was at a pharmaceutical company for 15 years, I got audited for some compliance measure at least once a quarter. They'd ask me a whole list of questions: “Show me your SOP for this, show me your SOP for that. Demonstrate your password policy.” I could just sit there and say, “Check, check, check,” all day long. I'd pass the audit and the CEO would be happy. But in reality, just being compliant doesn't make you secure.

I know CISOs hate talking about tools, but some tools are essential to have. Some are nice to have, but there's this fine balance between frameworks and tools because you have to protect what you have. You really do need to weigh out your risk. Say, "Here's our risk tolerance. How much money do we want to actually spend to protect us against a potential risk?" That's another problem: How do I, as a CISO, say to the board, "There's all this bad stuff out there that could potentially impact us. Can you give me some money so I can protect us against all these things?"
VP - Head of Information Technology in Software, 1,001 - 5,000 employees
I think that's going back a couple thousand years to when risk management was invented. It's the same approach: What's my risk, and can I apply a dollar figure to it and approach it that way? As opposed to: what's my landscape of risk and what would the threat model be to compromise my environment? They also don’t realize that it's not an insurance policy. There are ways that you can cover yourself from multiple threats with the same thing. Ransomware is a threat, but it's one of many. There are many threats you can overcome with a couple of key strategies to mitigate those threats. I think it's a backwards mindset.

VP - Head of Information Technology in Software, 1,001 - 5,000 employees
I think boards are probably behind where they need to be in terms of thinking about technological risk in a different way as opposed to the 2,000-year-old risk management concept.
Board Member, Former CIO in Software, 10,001+ employees
Boards are behind—their focus is on the wrong things.

Board Member, Former CIO in Software, 10,001+ employees
Generally, cybersecurity has gone to the audit committee because they’re about risk management. Frankly, I don't think that's a bad place for it to go, but they’re focused on compliance. The mindset of the audit committee is to show that our financials are accurate by proving that our controls are functioning, and having an auditor go through and validate that the controls are there. That's okay, but it doesn't guarantee that there isn't fraud going on; it just means that your controls have been tested. When you get beyond things that they understand, then they start looking for certifications as a proxy: “Okay, do we have a SOC 2? Do we have a 17799 certification?”

What I have seen with my companies is that when they do red teaming, that’s when you learn that there are things that would pass that checklist test. We have antimalware, we rotate our passwords, and we do have MFA. We have all that stuff, but in the implementation of it, something was missed. You only need to miss one little thing—one grandfathered service account, or one misconfigured firewall—for all those security measures to become completely irrelevant. You can have the best technology purchased and implemented, and that one failure will cause you to be compromised.
