What are some effective strategies when it comes to readying your board for security? What gets the biggest response?

Strategy & ArchitectureSecurity & GRCEmployee Engagement
516 views1 Upvote5 Comments
Founder/Chairman/CTO in Telecommunication, 201 - 500 employees
I've seen things work in the bug bounty space; it helps to put a dollar value on a failure state that's actually created peacefully. You can build narratives around that. Having your code hacked by someone halfway across the planet hits an engineer differently from when the red team does it. So there are different point solutions that I've seen be really effective, but I do think that the broader issue is creating a language that interfaces between the security team, the board, and the rest of the business.
1
Global CIO & CISO in Manufacturing, 201 - 500 employees
When it comes to educating senior leadership, I’ve learned that a key factor is the tone that we use—the curtailing and editing that we do. You have one presentation that’s like, “The teams all suck, they don't know what they're doing." Then you massage that into, "We have operational efficiency issues, etc.," which then gets translated to the board as, "We're handling that. We've got a program in place,” or, “We just hired a senior security person that'll solve those problems.” But that misses the original message, which was that things are actually a hot mess.

When asked for a board presentation in the past, I’ve purposely sent senior leadership the real hot mess that shows we have 250 endpoints that are gaping holes, for example. I always try to have that reality check and then message up: this is why we have these 250 endpoint issues here, this is why we need to upgrade them, or this is why we need to add these layers. That communication is vital to being human in discussion—not hyperbole, and not summarized to the nth degree.
2 1 Reply
Founder/Chairman/CTO in Telecommunication, 201 - 500 employees

Cyber security's basically a human problem that just goes faster because of technology.

1
Sr. Director of Enterprise Security in Software, 5,001 - 10,000 employees
Especially with security, so many of the decisions that we make seem like obvious no-brainer decisions. But if you walk into a meeting assuming that everyone knows why we have to have multi-factor authentication (MFA), thinking it’s an obvious thing, that's how you end up getting push back. And that is something I've continued to learn. What seems simple and obvious to me might not be obvious to an engineering department that has 12 other competing priorities—the last thing they want to worry about is something that they think impedes their ability to log in, or get code out, or whatever the situation may be.
4 1 Reply
Global CIO & CISO in Manufacturing, 201 - 500 employees

Being able to be the business translator is important. In your head, you think everybody's going to know what MFA is.

Content you might like

Which EDR has less false positives?

Security & GRCIT Strategy & RoadmapSecurity Strategy & Roadmap

crowd strike38%

sentinel one56%

carbon black5%

cynet0%


39 PARTICIPANTS
277 views

If you had a magic wand - what's the #1 daily business challenge you'd eliminate?

People & LeadershipStrategy & ArchitectureCloud+57 more
CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
142 19 Replies
Read More Comments
46.4k views133 Upvotes324 Comments

Are short term bans of the use of GenAI applications and tools (such as ChatGPT) a good idea for end users in most organizations? For context see this article on the State of Maine Government's directive before you vote: https://www.govtech.com/artificial-intelligence/chatgpt-generative-ai-gets-6-month-ban-in-maine-government

Applications & PlatformsEnd-User Services & CollaborationPeople & Leadership+4 more

Yes - Maine did the right thing. There are too many security risks with free versions of these tools. Not enough copyright or privacy protections of data.30%

No, but.... - You must have good security and privacy policies in place for ChatGPT (and other GenAI apps). My organization has policies and meaningful ways to enforce those policies and procedures for staff.53%

No - Bans simply don't work. Even without policies, this action hurts innovation and sends the wrong message to staff and the world about our organization.12%

I'm not sure. This action by Maine makes me think. Let me get back to you in a few weeks (or months).3%


348 PARTICIPANTS
9.1k views9 Upvotes1 Comment

What tools or techniques do you use to manage your suppliers?

Vendor/Product RecommendationVendor ManagementPeople & Leadership+1 more
Read More Comments
3k views2 Upvotes5 Comments

What sort of rewards do employees get for successfully reporting suspicious emails or other kinds of phishing?

Awareness & TrainingEmployee EngagementSecurity Strategy & Roadmap
465 views1 Comment