What are some effective strategies when it comes to readying your board for security? What gets the biggest response?

516 views1 Upvote5 Comments

Founder/Chairman/CTO in Telecommunication, 201 - 500 employees
I've seen things work in the bug bounty space; it helps to put a dollar value on a failure state that's actually created peacefully. You can build narratives around that. Having your code hacked by someone halfway across the planet hits an engineer differently from when the red team does it. So there are different point solutions that I've seen be really effective, but I do think that the broader issue is creating a language that interfaces between the security team, the board, and the rest of the business.
Global CIO & CISO in Manufacturing, 201 - 500 employees
When it comes to educating senior leadership, I’ve learned that a key factor is the tone that we use—the curtailing and editing that we do. You have one presentation that’s like, “The teams all suck, they don't know what they're doing." Then you massage that into, "We have operational efficiency issues, etc.," which then gets translated to the board as, "We're handling that. We've got a program in place,” or, “We just hired a senior security person that'll solve those problems.” But that misses the original message, which was that things are actually a hot mess.

When asked for a board presentation in the past, I’ve purposely sent senior leadership the real hot mess that shows we have 250 endpoints that are gaping holes, for example. I always try to have that reality check and then message up: this is why we have these 250 endpoint issues here, this is why we need to upgrade them, or this is why we need to add these layers. That communication is vital to being human in discussion—not hyperbole, and not summarized to the nth degree.
2 1 Reply
Founder/Chairman/CTO in Telecommunication, 201 - 500 employees

Cyber security's basically a human problem that just goes faster because of technology.

Sr. Director of Enterprise Security in Software, 5,001 - 10,000 employees
Especially with security, so many of the decisions that we make seem like obvious no-brainer decisions. But if you walk into a meeting assuming that everyone knows why we have to have multi-factor authentication (MFA), thinking it’s an obvious thing, that's how you end up getting push back. And that is something I've continued to learn. What seems simple and obvious to me might not be obvious to an engineering department that has 12 other competing priorities—the last thing they want to worry about is something that they think impedes their ability to log in, or get code out, or whatever the situation may be.
4 1 Reply
Global CIO & CISO in Manufacturing, 201 - 500 employees

Being able to be the business translator is important. In your head, you think everybody's going to know what MFA is.

Content you might like

crowd strike38%

sentinel one56%

carbon black5%




CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
Read More Comments
46.4k views133 Upvotes324 Comments

Yes - Maine did the right thing. There are too many security risks with free versions of these tools. Not enough copyright or privacy protections of data.30%

No, but.... - You must have good security and privacy policies in place for ChatGPT (and other GenAI apps). My organization has policies and meaningful ways to enforce those policies and procedures for staff.53%

No - Bans simply don't work. Even without policies, this action hurts innovation and sends the wrong message to staff and the world about our organization.12%

I'm not sure. This action by Maine makes me think. Let me get back to you in a few weeks (or months).3%


9.1k views9 Upvotes1 Comment