Improving Cyber Security Literacy in Boards & Executives

Transcript of Improving Cyber Security Literacy in Boards & Executives

BOARDS & EXECUTIVES: HOW CAN SECURITY PROFESSIONALS HELP BOARDS & EXECUTIVES BECOME MORE CYBER LITERATE?

“Rather than thinking of cyber as something discussed in case of a breach, we need to locate the cyber security issues within the business decisions boards make—mergers, acquisitions, product launches etc. Cyber should be intrinsic to business decisions just as legal and financial issues are.”

LARRY CLINTON, PRESIDENT, CEO, INTERNET SECURITY ALLIANCE, @ISALLIANCE

“If you can tie it back to that breach they already know about, give them a little bit of the inside scoop, and say ‘yes, we know how that happened, and that incident points out just how important this one security control is.’”

DAVID MELTZER, CHIEF RESEARCH OFFICER, TRIPWIRE, @DAVIDJMELTZER

“Getting senior level representation from the information security function into the board and executive level of an organisation itself is a more effective way for them to understand cyber security much as they understand the other functions of the business.”

THOM LANGFORD, DIRECTOR, GLOBAL SECURITY, SAPIENT, @THOMLANGFORD

“Seek out peer comparison, maturity assessments and real world examples to answer this question in as pragmatic a manner as possible; tie your answers to established business metrics and show how your function not only protects their investment but builds value, too.”

ANDREW ROSE, CISO, UK AIR TRAFFIC, @ANDYROSECISO

“A shake up is overdue. Shrug off the trivial or tick box image of awareness. I suggest a new role: Security Communications Manager. Tasked with improving stakeholder interactions from shop floor to boardroom. Using proven marketing and psychology tools to get it right.”

SARAH CLARKE, SECURITY GOVERNANCE, RISK & COMPLIANCE SPECIALIST, @S_CLARKE22

IMPACT: HOW CAN BOARDS & EXECUTIVES BEST ASSESS THE IMPACT OF A SECURITY INCIDENT?

“The impact of a serious incident depends not just on how a company handles it, but on how the media, customers and investors react to it, as well.”

ADRIAN SANABRIA, SECURITY ANALYST, 451 RESEARCH, @SAWABA

“Start with focus groups or surveys with your customers. Your customers will tell you their pain points and that can help the Board and Executives best assess where to start first.”

THERESA PAYTON, CEO, FORTALICE, @FORTALICELLC

“Breaches come in all sorts of shapes and sizes, but individual breaches usually aren't catastrophic based on immediate cash losses. Where breaches are catastrophic, it is because of reputation damage.”

ALEX HUTTON, VP INFORMATION SECURITY, FINANCIAL INSTITUTION, @ALEXHUTTON

“Ask the Corporate CIRT Director for the annual security incident impact statement. The statement details the security incidents, their costs and impact to the organization.”

BEN ROTHKE, MANAGER, IT SECURITY, WYNDHAM WORLDWIDE, @BENROTHKE

“The effective assessment of a security incident begins long before any such event ever occurs. Empowered to make an initial assessment, the team will be able to work through a pre-prepared incident response plan that the board and executives will have been key in shaping.”

LEE MUNSON, CONTRIBUTING WRITER, NAKED SECURITY, @SECURITY_FAQS

FRAMEWORKS: WHAT FRAMEWORKS ARE MOST EFFECTIVE IN ASSESSING WHETHER AN ORGANIZATION IS ACTING PRUDENTLY OVER SECURITY?

“Over the years I’ve found that you cannot depend upon using just one framework, but a variety of frameworks that will help to fill the gaps that each has. I like to use the following in combination: ISO/IEC 27001 & ISO/IEC 27002; OECD Privacy Principles; COBIT5.”

REBECCA HEROLD, CEO, PRIVACY PROFESSOR, @PRIVACYPROF

“In the same way that organizations build their own frameworks of controls to protect other assets, the information asset deserves a level of effort beyond a cookie cutter approach.”

JAMES ARLEN, DIRECTOR, RISK AND ADVISORY SERVICES, LEVIATHAN SECURITY GROUP, @MYRCURIAL

“A framework is only as valuable as honest adoption, and is the principal requirement here for senior leadership. Given this truth, the most effective in assessing security is ISO 27001:2013.”

JAMES J. DELUCCIA, SECURITY & COMPLIANCE PRACTITIONER, EY, @JDELUCCIA

“An effective framework should pool the knowledge of a large community to identify specific, highest priority actions based on real data about threats. It must allow for multiple implementation paths and ‘tailoring.’”

TONY SAGER, CTO, COUNCIL ON CYBERSECURITY, @COUNCILONCYBER

“Any approach that makes the Board of Directors take it seriously, spend an adequate amount of time debating, and weighing options and risk.”

CLAUS C. HOUMANN, HEAD OF IT, BANK OHMAN, @CLAUSHOUMANN

FUTURE THREAT LANDSCAPE: HOW SHOULD HEADS OF SECURITY PREPARE FOR THE FUTURE THREAT LANDSCAPE?

“As an executive, you should know that managing cyber threats is no different from managing other business risks. Second, while you can skip the technical details, you absolutely can’t skip understanding how different threats would affect your business.”

TIM ERLIN, DIRECTOR, PRODUCT MANAGEMENT, TRIPWIRE, @TERLIN

“The big change will be the technical savvy user who will look to use various devices, apps, and services... As such, CSOs will need to better communicate and engage with users to make them aware of the risks and provide secure alternatives.”

BRIAN HONAN, CEO, BH CONSULTING, @BRIANHONAN

“IT and security managers need to shift from the belief that the threat is ‘out there’, and understand that no matter where the threat originates, the net result will be suspicious activity inside the network.”

TONY BRADLEY, EDITOR-IN-CHIEF, TECHSPECTIVE, @TONYBRADLEYBSG

“Securing legacy equipment and tomorrow’s leading edge will push your limits. Regulation can’t keep up. Your data will be your most important asset. You will need to innovate your business approach and risk profile to embrace this or you will be consumed by this new technology-centric world.”

PATRICK MILLER, MANAGING PARTNER, ARCHER ENERGY SOLUTIONS, @PATRICKCMILLER

“It’s quite clear that threat actors are always looking for the shortest path to the most reward. Security professionals need to be innovative thought leaders who share a common vernacular with Boards and Executives to advise them on these risks.”

NIKK GILBERT, MANAGING DIRECTOR, PRIVACY & RISK PARTNERS, @ARCHANGELNIKK

“The threat landscapes are stratified and each one requires different perspective and response. We have to evaluate our specific risk from each layer and act (and spend) wisely.”

MARTIN FISHER, CISO, NORTHSIDE HOSPITAL, @ARMORGUY

“The future threat landscape is now dictating the need for a new breed of Security Professional... this new breed requires enhanced development of honed skill which understands and appreciates the technical nuts-and-bolts of new age threat, such as APT.”

JOHN WALKER, CTO, CYTELLIGENCE, @SBLTD

READ MORE AT: HTTP://TRIPWIRE.ME/CYBERLIT

IMAGES COURTESY OF SHUTTERSTOCK.COM