Data Breaches: 8 Tips For Board-Level Discussions - InformationWeek


IT Leadership // CIO Insights & Innovation
Commentary
11/10/2014
11:35 AM

Data Breaches: 8 Tips For Board-Level Discussions

Recent high-profile breaches put you in the board's spotlight on security. Here's how to shine.

With all the recent news of massive data spills and security breaches, corporate boards are asking tough questions of their executive management and, in turn, their information security teams. What did those companies do wrong? How does our company compare? Are we next?

Welcome to the hot seat. You have their attention. Now your job is to leverage this opportunity to garner their respect, deepen their trust, and increase their investment in a strategic information security program. It's going to be a difficult conversation. But the white-hot spotlight gives you a chance to shine.

So in this spirit, here are 8 ways to prepare for the conversation of a career:

Just say no to FUD. When trying to position information security on the executive agenda, many IT-security marketers use fear, uncertainty, and doubt to drive emotional decision-making and, they hope, purchasing. This approach is remarkably unreliable. Any social scientist will tell you that fear provokes three common human reactions: fight, flight, or freeze. When fear is our baseline emotional state, we are not particularly receptive and, worse, we are often incapable of parsing nuanced information. Simply put, we go into caveman mode. Thanks to events beyond your control, you already have their attention. So skip the FUD. Your job is to conduct a nuanced, information-rich discussion.

Know the stories. With such sensational media coverage, even my mother thinks she knows what caused the Target and Home Depot data breaches. But there is a story behind the headlines. There are trusted people within your network (e.g., analysts, security insiders) who are likely better informed about the chain of events. You want facts, not headlines. Take the time to do some research and be prepared to offer insights not found in the mainstream media.


Own your data. If your program is routinely audited by a credible third-party information security firm, you already know where the bodies are buried. Own it. No security program is perfect. Highlight your areas of concern. Be prepared to discuss why you're making certain tradeoffs. Be prepared for full disclosure. Show up with data in hand.

Avoid the blame game at all costs. No security program has infinite resources -- not even the NSA's. And if there were one, I guarantee the program would still be vulnerable. Security is about making tough resource choices all the time. If you have zero budget, you have zero budget. That's a fact. The fault is not the board's or the CEO's lack of vision. If you are the CIO or CISO, the failure lies with you, because up until now, you have been unable to sell them on the program's necessity. Accept all responsibility and move on. Any finger pointing, perceived or otherwise, will only serve to discredit you and your message.

Name the mountain. What would help you sleep better at night? Having routine security code audits of all mission-critical applications? Increasing your audits to quarterly? Having a highly trained incident response team that works closely with an expert crisis communications team at the ready? Choose a large, inspiring strategy, a mountain that your team wishes to climb together. Now let that mountain be your Big Ask of the board.

Highlight your team. You are not an army of one. If you are going to accomplish this mission, the board needs to know that you have capable team members. Showcase them. Highlight their key accomplishments. If you have holes in your team, highlight the hires you wish to make and how their skills are needed, specifically, to climb the mountain.

Prepare for the worst. Inspiration that is not grounded in reality will land half-baked. The reality is stark. Your best efforts will never, no matter what, eliminate the risk of a catastrophic breach. At best, you can prepare your board for that reality and have plans in place to act quickly and intelligently. Plain speaking here will gain you credibility and ground your vision.

Be proactive. In my experience, nothing is harder to fund than proactive behavior. After a breach, budgets loosen. But it is a mistake to ask only for funds required to put out the current fire. This is your moment to ask for the proactive funds needed to build an exceptional, forward-looking program. Is there a proactive project your team would love to do? Ask now. Your chances will never be better.

Information security is a notoriously thankless job. If all goes well, no one notices. It's only at moments like these where a CIO or CISO may even be asked for a board presentation. This is your time to shine. So channel your inner Jean-Luc Picard and make it so.


E. Kelly Fitzsimmons is a well-known serial entrepreneur who has founded, led, and sold several technology startups. Currently, she is the co-founder and director of HarQen, named one of Gartner's 2013 Cool Vendors in Unified Communications and Network Systems and Services, ...

Comments
David F. Carr,
User Rank: Author
11/10/2014 | 2:14:18 PM
Have you talked with your board about risk of a breach?
How have these conversations played out in your own organization? How much concern have you encountered emanating from your board?

Interested in Kelly's response about how this has impacted her personally, as well as insight from others.
KellyF803,
User Rank: Apprentice
11/11/2014 | 9:46:52 AM
Re: Have you talked with your board about risk of a breach?
Great question, David. I have a good deal of personal experience here, having presented to more than my fair share of corporate boards. And almost always, there was a trigger event. Something awful had happened and I was brought in as the independent third party to help make sense of it. So in many ways, I was in a privileged position. I was not directly connected to the event. It also gave me a chance to watch many CIOs/CISOs make BOD presentations. I know some champion presenters. And unfortunately, I have also had the uncomfortable experience of watching others struggle and miss the opportunity.
Laurianne,
User Rank: Author
11/11/2014 | 11:22:30 AM
Data breaches and the board
I recently listened to a few CIOs speak to this topic, the security update to the board. The question is not whether you will be breached but how long until you discover the breach, they said. That reality gives you an opening to get more support from the board than might have been possible in the past. Thanks for sharing these tips, Kelly.
ChrisMurphy,
User Rank: Author
11/11/2014 | 1:17:33 PM
Re: Data breaches and the board
I wonder if we're still living in the "only the dumb people get hacked" fantasy land, though. Boards are having the discussion, but are they really just looking for reassurance that this won't happen to us? Data loss is almost a fact of doing business now, like litigation or retail theft.
anon8104627341,
User Rank: Apprentice
11/12/2014 | 11:29:47 AM
Interesting thoughts on this subject
Good advice, Kelly. The board typically managed risk of a fiduciary nature; now IT security and privacy concerns are an expansion of the traditional role of the board and present complex challenges. I work with McGladrey and there's a whitepaper on our website that was about this very topic that may interest readers of this article. bit.ly/mcgldryinfosec2
zerox203,
User Rank: Ninja
11/12/2014 | 3:58:11 PM
Re: Data Breaches
There are some great tips here, and they all come together to paint a clear picture of the mentality you should go into these meetings with. The reality is that you're not in complete control of the situation, you're not the only one to blame if something goes wrong, and there are extraneous factors you can't possibly cover in the scope of that meeting - but you can't make it sound like you're more worried about that than you are about fixing the problem at hand. To management, you are the focal point of all things security - everything they know about that realm they know through you. Don't assume they know things you take for granted, don't downplay aspects they think are important, but don't be afraid to tell the truth.

There is the common trap of the 'meetings for meeting's sake' that Chris brings up, and this permeates security as much as it does every other aspect of business. People are fond of asking the same question phrased multiple ways until you give an answer that agrees with them. People like to use buzzwords they don't really know the meaning of to sound informed, and expect you to play along. Certain schools of management tell them to play hardball simply to get the best results out of you/for the company, regardless of your position. None of these mean you can't spin that meeting to your advantage, get a plan in place that everyone likes, and perhaps most importantly, as the author says, breed some long-lasting trust.
Broadway0474,
User Rank: Ninja
11/15/2014 | 9:23:39 PM
Re: Data Breaches
I especially like the "plan for the worst" tip --- although I wonder how well that honesty will go over in all boardrooms. I think the conventional wisdom among people familiar with cyber risk is that, like terrorism, you can't and won't be able to stop all attacks all of the time. A business leader may not want to hear that no matter how much they spend, the organization is always going to be at risk for a cataclysmic hack --- just like no one likes to hear that another big terrorist attack on US soil is bound to happen no matter how hard our security services try to prevent it.
ChrisMurphy,
User Rank: Author
11/18/2014 | 8:54:19 AM
Re: Data Breaches
Our sister site DarkReading.com has a great interview with Heartland CEO Robert Carr on data breaches, and Carr blames boards & CEOs for not making the investment they need to stop breaches. Carr knows his stuff -- he was CEO during Heartland's infamous breach, one of the earlier mega-breaches. 

We liked what Carr had to say, so we're having him speak at the InformationWeek Conference April 27 & 28 in Las Vegas. Here's a link to that article: 

http://www.darkreading.com/attacks-breaches/heartland-ceo-on-why-retailers-keep-getting-breached/d/d-id/1316388
Broadway0474,
User Rank: Ninja
11/18/2014 | 11:05:13 PM
Re: Data Breaches
Hi Chris, thanks for the reference to Dark Reading's article. It's an interesting contrarian position, given the "lamestream" explanation is that companies are trying to prevent breaches as best possible ...but breaches are impossible to stop. So Carr suggests that breaches can be prevented? The arms race against hackers can be won?