Data Breaches: 8 Tips For Board-Level Discussions - InformationWeek

Comments
Data Breaches: 8 Tips For Board-Level Discussions
Broadway0474
50%
50%
Broadway0474,
User Rank: Ninja
11/18/2014 | 11:05:13 PM
Re: Data Breaches
Hi Chris, thanks for the reference to Dark Reading's article. It's an interesting contrarian position, given the "lamestream" explanation is that companies are trying to prevent breaches as best possible ... but breaches are impossible to stop. So Carr suggests that breaches can be prevented? The arms race against hackers can be won?
ChrisMurphy
50%
50%
ChrisMurphy,
User Rank: Author
11/18/2014 | 8:54:19 AM
Re: Data Breaches
Our sister site DarkReading.com has a great interview with Heartland CEO Robert Carr on data breaches, and Carr blames boards & CEOs for not making the investment they need to stop breaches. Carr knows his stuff -- he was CEO during Heartland's infamous breach, one of the earlier mega-breaches. 

We liked what Carr had to say, so we're having him speak at the InformationWeek Conference April 27 & 28 in Las Vegas. Here's a link to that article: 

http://www.darkreading.com/attacks-breaches/heartland-ceo-on-why-retailers-keep-getting-breached/d/d-id/1316388
Broadway0474
100%
0%
Broadway0474,
User Rank: Ninja
11/15/2014 | 9:23:39 PM
Re: Data Breaches
I especially like the "plan for the worst" tip --- although I wonder how well that honesty will go over in all boardrooms. I think the conventional wisdom among people familiar with cyber risk is that, like terrorism, you can't and won't be able to stop all attacks all of the time. A business leader may not want to hear that no matter how much they spend, the organization is always going to be at risk for a cataclysmic hack --- just like no one likes to hear that another big terrorist attack on US soil is bound to happen no matter how hard our security services try to prevent it.
zerox203
100%
0%
zerox203,
User Rank: Ninja
11/12/2014 | 3:58:11 PM
Re: Data Breaches
There are some great tips here, and they all come together to paint a clear picture of the mentality you should go into these meetings with. The reality is that you're not in complete control of the situation, you're not the only one to blame if something goes wrong, and there are extraneous factors you can't possibly cover in the scope of that meeting - but you can't make it sound like you're more worried about that than you are about fixing the problem at hand. To management, you are the focal point of all things security -  everything they know about that realm they know through you. Don't assume they know things you take for granted, don't downplay aspects they think are important, but don't be afraid to tell the truth.

There is the common trap of the 'meetings for meetings' sake' that Chris brings up, and this permeates security as much as it does every other aspect of business. People are fond of asking the same question phrased multiple ways until you give an answer that agrees with them. People like to use buzzwords they don't really know the meaning of to sound informed, and expect you to play along. Certain schools of management tell them to play hardball simply to get the best results out of you/for the company, regardless of your position. None of these mean you can't spin that meeting to your advantage, get a plan in place that everyone likes, and perhaps most importantly, as the author says, breed some long-lasting trust.
anon8104627341
100%
0%
anon8104627341,
User Rank: Apprentice
11/12/2014 | 11:29:47 AM
Interesting thoughts on this subject
Good advice, Kelly. The board typically managed risk of a fiduciary nature; now IT security and privacy concerns are an expansion of the traditional role of the board and present complex challenges. I work with McGladrey and there's a whitepaper on our website that was about this very topic that may interest readers of this article. bit.ly/mcgldryinfosec2
ChrisMurphy
100%
0%
ChrisMurphy,
User Rank: Author
11/11/2014 | 1:17:33 PM
Re: Data breaches and the board
I wonder if we're still living in the "only the dumb people get hacked" fantasy land, though. Boards are having the discussion, but are they really just looking for reassurance that this won't happen to us? Data loss is almost a fact of doing business now, like litigation or retail theft.
Laurianne
100%
0%
Laurianne,
User Rank: Author
11/11/2014 | 11:22:30 AM
Data breaches and the board
I recently listened to a few CIOs speak to this topic, the security update to the board. The question is not whether you will be breached but how long until you discover the breach, they said. That reality gives you an opening to get more support from the board than might have been possible in the past. Thanks for sharing these tips, Kelly.
KellyF803
100%
0%
KellyF803,
User Rank: Apprentice
11/11/2014 | 9:46:52 AM
Re: Have you talked with your board about risk of a breach?
Great question, David. I have a good deal of personal experience here, having presented to more than my fair share of corporate boards. And almost always, there was a trigger event. Something awful had happened and I was brought in as the independent third party to help make sense of it. So in many ways, I was in a privileged position. I was not directly connected to the event. It also gave me a chance to watch many CIOs/CISOs make BOD presentations. I know some champion presenters. And unfortunately, I have also had the uncomfortable experience of watching others struggle and miss the opportunity.
David F. Carr
100%
0%
David F. Carr,
User Rank: Author
11/10/2014 | 2:14:18 PM
Have you talked with your board about risk of a breach?
How have these conversations played out in your own organization? How much concern have you encountered emanating from your board?

Interested in Kelly's response about how this has impacted her personally, as well as insight from others.

