Briefing Your Board on Cybersecurity part 2/3: Full Board Meetings
Cybersecurity is arguably the most concerning topic across corporate boardrooms these days, with Directors clamoring not just for data on risk but for general education on this new and complex subject. This collection of tips mirrors a talk I gave at the FS-ISAC annual summit in April 2018, and I hope fellow CISOs, security practitioners, corporate governance professionals and corporate Directors will find it helpful.
Episode 1 introduced core Corporate Governance concepts for Security Professionals while Episodes 2 and 3 will dive into specific strategies for addressing full Board meetings versus Board Committees, respectively.
Full Board Briefings
As noted in Episode 1, full Board cybersecurity briefings are usually set around an annual cadence and put more emphasis on subject matter education than on reviewing specific controls and making directional security decisions. That said, some of the most security-impactful decisions made by the Board will happen outside of the committee where you report more formally. Full briefings are an important opportunity to arm Directors with information they can recall during strategic decision making in areas such as M&A, human resourcing/outsourcing, organic growth initiatives, and public relations. When it comes to what you are hoping to get out of the Board, culture trumps budget every time! While the cartoon-strip version of a Board meeting is all about getting an expensive technology project approved, in reality a more difficult but more valuable ask is to change corporate behavior. Instead of asking for the next $15m data lake, try asking for approval to impair annual bonuses for employees who repeatedly fail phishing tests, or asking the Board to recognize that the emotional distance of outsourced employees materially increases insider-threat risk, and to weigh that in outsourcing decisions.
TIP: Culture trumps budget!
So what is the best format to deliver subject matter education while accomplishing these objectives? Remember the notes about independence from Episode 1. Third-party speakers are highly valued here. When it comes to the threat-centric briefings you will receive from vendors or law enforcement, though, I say mission accomplished. News headlines alone are getting the job done when it comes to taking security seriously. We are ready to move on and focus on solutions and practice. Consider pivoting from the classic model of inviting technology vendors or law enforcement personnel who focus on the threat ecosystem to instead using your peer CISOs to talk about defense.
TIP: Use peer CISOs as third-party Board speakers!
CISOs can focus on defensive strategy, security awareness tips, approaches that work/don't work, and lessons from the battlefield. Hearing that a peer organization suffers the same pains or is eyeing the same initiatives can provide validation or open your eyes collectively to a fresh approach.
Once you have a CISO guest speaker lined up, useful steering topics include their opinion on corporate governance engagement, materials, and formats. A real eye-opener is to ask what questions your guest would ask if they joined the Board of a company in your sector as the cybersecurity expert. I also like to ask CISOs about the elements of their security program, to pressure-test your own structure and possibly get a window into where things are headed. Finally, I advise tailoring a few questions to the unique challenges your speaker's company may face, whether related to a difference in scale, industry, jurisdiction, or structure. Hearing about the cybersecurity challenges in a specific country may be just what you need to make sure the right questions are asked before your company heads in the same direction. And remember to announce the Chatham House Rule to respect the confidentiality of your speaker, and advise your Directors to withhold questions or comments that may involve your own confidential data until your speaker has departed and you can speak internally.
Once your guest speaker departs, I recommend hosting a more confidential session where you can dive into topics such as:
- Strategy: Inform the Board of your overarching strategy for identifying and prioritizing threats and assessing the efficacy of your resulting controls.
- Internal Governance: Directors will be keen to hear how cybersecurity is governed within the organization and to see how non-cyber management (think business unit heads, CFO, General Counsel et al) is made aware of cybersecurity risk and given opportunity to govern. Thinking through this may prompt you to set up more formal steering and approval committees with key representatives before you have to describe it to the Board.
- Third-party Assurance: This is a good opportunity to deliver results of a program assessment by an independent firm. You can weave in regulatory examination results, external (or internal) audit results, or even red team thematic findings here. If you have the luxury of commissioning a study for this specific purpose, a spider chart comparing your organization against your industry resonates well. Bonus points for using a well known, widely-accepted maturity framework such as the NIST CSF.
- Controls: It can be helpful to point out some unique or impactful security controls. One way to do this is to walk through a recent near miss, highlighting layers of controls that prevented impact. Don't feel obligated to list out every control exhaustively.
- Industry Collaboration: If external information sharing groups are new ground for your firm, this is an opportunity to set the stage and explain the value of these connections. Likewise, there is a strong regulatory trend toward recommending, if not mandating, participation in these groups, so a more mature organization may actually find Directors looking to ensure you are in the loop.
- Threat Objectives: Finally, the most important bit. I'm going to dive into "TOs" more in the next episode, but this construct is effective with many audiences including the full Board as well.
Threat Objectives have emerged from the soup of cybersecurity terms such as threat actors, threat vectors, TTPs, and even risks to strike a balance among coverage, uniqueness, and clarity. You can call them something else, identify different objectives, or certainly make them look prettier, but I recommend you consider the approach. Unlike the non-parallel constructs we keep listing out during every systemic risk assessment - insider threat v. ransomware v. extortion v. APT v. DDoS v. payment risk - threat objectives define a small number (ten, in my model) of parallel, actor-agnostic buckets where you can organize news stories, risks, controls, and vulnerabilities by "what are the bad guys trying to do". Each objective can be risk rated (remember Risk = Likelihood x Impact from Episode 1) for inherent risk (based on your business profile and the threat environment) and residual risk (based on your vulnerabilities, controls, and testing results). It's a single visual that can steer a conversation at many levels and effectively organize information ranging from threat intelligence to cultural risks. Perhaps most importantly for the full Board environment, Threat Objectives allow you to assert and pressure-test what you do NOT prioritize in addition to what you do. It's easy to state your top concern and what you are doing about it - you likely have that elevator pitch cued up and deliver it every time someone asks you what keeps you up at night. It's when you get asked about a headline that you aren't too worried about that you are more likely to stumble. Being dismissive or defensive is a quick path to career failure - especially when it comes to Board or regulatory inquiries. Perhaps you think the TalkTalk breach isn't important because you don't handle PII, don't have public-facing web interfaces, or because you encrypt all data at the record level with per-customer keys derived from the length of their individual eyelashes.
Either way, the correct answer is never "that isn't important". The correct answer is always thoughtful deliberation and risk assessment. But with finite time, who can paper-up a report on every news story? The Threat Objectives model gives you a good way to nest developments into existing categories where you can work with predefined controls and risk assessment activity. But enough narrative, let's see them in action:
TIP: Threat Objectives! Use 'em.
I'll go through this visual in more depth in Episode 3 on Board Committees, but it works great with a full Board as well (and many other audiences, for that matter) with a slightly different narrative. The values in the visual are genericized and don't represent any actual firm or sector, but for the sake of discussion this visual would be communicating that PII - theft of personally-identifiable information - had the top "inherent risk" of any of the Threat Objectives. Switching to the dark blue icons, Sabotage is listed as this firm's top residual risk.
So how are inherent and residual risk calculated? That's where the value of this approach shines in guiding a conversation. The inherent impact is a great topic for the full Board, because it reflects the business profile. This is where a security professional states that they assess the impact of a PII theft incident would be dramatic at the firm, which gives the Board a chance to challenge that. In this example, a more spirited conversation might stem from the relatively low inherent impact of "Data Manipulation." This is where the Board's knowledge can be integrated into your program prioritization. Perhaps they are aware of downstream reliance on data you publish that would drive business away overnight if an incident eroded confidence, or contractual obligations around data integrity that could drive massive liability.

Inherent likelihood, on the other hand, is a chance for you to deliver threat intelligence to the Board. Many of you will have experienced regulatory or industry encouragement to "deliver threat intelligence to the Board" and as a result perhaps you've awkwardly droned on about "EternalBlue" or "Blazing Chimera" in front of a Board. The Threat Objective construct lets you cite recent high-profile news cases in addition to private intelligence, focusing on incidents that drive the inherent likelihood up the chart: "The Nyetya worm you likely read about in the news confirms continued targeting in our 'commodity malware' TO, and thus we've kept the highest likelihood rating for CM." (Nyetya, better known as NotPetya, also illustrates why one story can touch more than one TO: it spread like commodity malware, but its payload was destructive, so it informs the Sabotage rating as well.)
Shifting over to residual scores, the conversation is guided to controls and vulnerabilities. We will dig into those, and into how the Threat Objective approach guides a conversation on red team validation of controls, outstanding high-level vulnerabilities, and automated playback testing, in Episode 3, but with the full Board you can immediately focus on vulnerabilities that stem from cultural issues when addressing residual risk. Perhaps you consider the residual likelihood of extortion to be high because you have not implemented top-level-domain blocking or quarantining of encrypted attachments, both shelved after pushback "from the business". This is your chance to directly connect those decisions to the potential fallout.
Before wrapping up discussion of Threat Objectives, I'd like to disclose my motivation in evangelizing the approach. In addition to potentially alleviating some frustration when I see a "top threat" list that would make a confounding Venn diagram of subsets, supersets, and overlap, my main goal is to build enough momentum around this short list of 10 objectives so they can be used as tags by intelligence vendors. Once you have the Threat Objective ratings in hand, how great would it be if your commercial and open source feeds allowed you to tag "PII theft" intelligence or have anything related to "sabotage" immediately rise to the top?
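To make the construct concrete, here is an added toy model of Threat Objectives in Python. It is not the author's tool and not the visual referenced above: each TO carries inherent and residual likelihood/impact ratings on a 1-5 scale, risk is Likelihood x Impact as in Episode 1, a sanity check rejects a residual rating higher than its inherent rating, and keyword tags let a news headline be nested into an existing TO (the tagging idea from the paragraph above) rather than dismissed. The six TO names are the ones mentioned on this page; the page does not list all ten, and every rating, tag and headline below is a constructed value.

```python
"""Toy Threat Objective (TO) model: added example, not the author's tool.
Ratings use a 1..5 scale; Risk = Likelihood x Impact, rated twice per TO
(inherent: business profile + threat environment; residual: after controls,
open vulnerabilities and testing results). All names, tags and numbers below
are constructed for illustration."""
from dataclasses import dataclass, field

SCALE = range(1, 6)  # 1 = low ... 5 = high


@dataclass
class ThreatObjective:
    code: str
    name: str
    inherent_likelihood: int   # threat environment: intel, headlines
    inherent_impact: int       # business profile: the part the Board can challenge
    residual_likelihood: int   # after controls, open vulnerabilities, test results
    residual_impact: int
    tags: frozenset = frozenset()                 # keywords that nest intel into this TO
    evidence: list = field(default_factory=list)  # headlines/reports behind the rating

    def __post_init__(self):
        for v in (self.inherent_likelihood, self.inherent_impact,
                  self.residual_likelihood, self.residual_impact):
            if v not in SCALE:
                raise ValueError(f"{self.code}: ratings must be 1..5, got {v}")
        # Residual is inherent after controls, so it should never be higher;
        # if it is, the model or the control story is wrong and needs explaining.
        if self.residual_risk > self.inherent_risk:
            raise ValueError(f"{self.code}: residual risk exceeds inherent risk")

    @property
    def inherent_risk(self) -> int:
        return self.inherent_likelihood * self.inherent_impact

    @property
    def residual_risk(self) -> int:
        return self.residual_likelihood * self.residual_impact


def example_objectives():
    """Six of the TOs named in the text (the page does not list all ten), with
    constructed ratings chosen so PII tops inherent and Sabotage tops residual."""
    return [
        ThreatObjective("PII", "Theft of personally-identifiable information", 5, 5, 3, 4,
                        frozenset({"pii", "breach", "records", "customer"})),
        ThreatObjective("SAB", "Sabotage", 4, 5, 4, 4,
                        frozenset({"sabotage", "wiper", "destructive"})),
        ThreatObjective("DM", "Data manipulation", 3, 2, 2, 2,
                        frozenset({"tampering", "integrity", "altered"})),
        ThreatObjective("CM", "Commodity malware", 5, 3, 3, 3,
                        frozenset({"worm", "malware", "eternalblue", "nyetya", "notpetya"})),
        ThreatObjective("EXT", "Extortion", 4, 4, 4, 3,
                        frozenset({"ransomware", "extortion", "ransom"})),
        ThreatObjective("NPMI", "Theft of non-public material information", 3, 5, 2, 5,
                        frozenset({"insider", "mailbox", "email", "earnings"})),
    ]


def rank(tos, which="inherent"):
    """TO codes ordered by the chosen risk, highest first; ties broken by code."""
    score = (lambda t: t.inherent_risk) if which == "inherent" else (lambda t: t.residual_risk)
    return [t.code for t in sorted(tos, key=lambda t: (-score(t), t.code))]


def nest_intel(headline, tos):
    """Map a news story or intel report onto existing TOs by keyword tag.
    Returns matching codes; an empty list means 'needs a fresh look', never 'not important'."""
    words = {w.strip(".,:;!?\"'()").lower() for w in headline.split()}
    return sorted(t.code for t in tos if t.tags & words)


def record_evidence(headline, tos):
    """Nest a headline and file it as evidence behind each TO it touches."""
    codes = nest_intel(headline, tos)
    for t in tos:
        if t.code in codes:
            t.evidence.append(headline)
    return codes


def board_summary(tos):
    """The two 'top' items plus what you explicitly do NOT prioritize."""
    inherent, residual = rank(tos, "inherent"), rank(tos, "residual")
    return {
        "top_inherent": inherent[0],
        "top_residual": residual[0],
        "lowest_residual": residual[-1],
        "inherent": {t.code: t.inherent_risk for t in tos},
        "residual": {t.code: t.residual_risk for t in tos},
    }


if __name__ == "__main__":
    objectives = example_objectives()
    record_evidence("Nyetya worm spreads via EternalBlue, crippling shipping firms", objectives)
    print(board_summary(objectives))
```

The keyword tagger is deliberately crude; the point is the workflow, not the matching: a headline either lands in a bucket that already has controls and a risk rating attached, or it returns empty and earns the "thoughtful deliberation" the text calls for. The residual-exceeds-inherent check is the kind of inconsistency a Director will spot on the chart before you do.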
Board Communication Risks
A final topic I'd like to address while discussing full Board comms is the security challenge of literally communicating with Board Directors. If you haven't already, consider employing a secure container/app solution for traditional "board book" delivery. IT can point Directors to an easy-to-install application in their mobile device's app store, provision a unique user ID and password (and insist on MFA for the app itself, since a password alone is the single-factor setup the Director training below warns against), and from that point on the app is used to view sensitive material. These apps allow IT administrators to remotely delete content and terminate access on demand (assuming they are notified of Director turnover!!), and many of them will automatically wipe data if the device has not checked in recently. There are several solutions in this space and they are highly effective for securing one-way periodic communication - most often the quarterly "board book" review before and during sessions. All your communication security problems are solved, so long as Directors and senior management never have ad-hoc e-mail discussions or expect to redline a document with their local copy of Microsoft Word.
BUT DO THEY?
While it may be the exception rather than the rule, there will be some less structured dialog among Board members and company staff. It could relate to logistics, or it could be a status update on that lunch meeting with the acquisition target, a quick heads-up to avoid surprises before tomorrow morning's press release, or a request to redline a regulatory response. Exception or not, it can't be ignored. If your answer is to issue Directors corporate email accounts, consider these challenges: Are Directors bound by your acceptable use, technology, and security awareness policies? If your DLP controls prohibit staff from downloading files to non-company equipment (good policy!), how are Board members going to redline those documents? Can Directors really lug around another laptop for every Board they serve? (No.) As an alternative, should you encourage Directors to use e-mail accounts provided by a primary corporate employer? Many Directors don't have a primary corporate employer, and those that do would be inserting your confidential Board discussions into that firm's retention and e-discovery corpus - bad idea.
TIP: Don't put your head in the sand about Director communication
In the end, you may conclude that Directors are independent entities. "Persons," if you will. And suddenly, "personal e-mail" may appear to be perfectly appropriate, surprisingly enough. It is entirely possible, if not likely, that you correspond with Director gmail, aol, hotmail, and yahoo accounts. And that brings us to Director security training.
Director Security Training
MFA. That's it. By the time you get to Director training, your attention window is narrowing and you should limit your material to about 30 seconds. Yes, you can talk for hours about secure practices and WiFi habits and password construction and how to spot phishing, but if you can only teach one thing (and you can) it should be multi-factor authentication. Given that Directors often use personal e-mail accounts, the most valuable thing you can do is teach your Directors how to enable MFA on their gmail, yahoo, apple, and other accounts. Cite John Podesta. The modus operandi is still that simple: phish a link to a fake login form; capture username + password; log into the email account and profit. This tactic can be a small component of almost any attack, but when the objective is reading non-public material information (NPMI in the Threat Objectives above!) a simple phish against single-factor auth is a home run every time. Where the service offers it, steer Directors toward an authenticator app or a hardware security key rather than SMS codes, but any second factor is a huge step up from none. Make screenshots of step-by-step directions to configure MFA on your Directors' e-mail services, and talk with your Board secretary about making this a contractual requirement for Directors in the future.