Boardroom Conversations on Security: Part 1

Boardroom Conversations on Security is an ongoing series on how to discuss and present cyber security concerns to your board. It comes from an extended conversation between Enrique Salem, Investor at Bain Capital, and Erkang Zheng, CEO of JupiterOne. For your convenience, the entire series is available as a single download.

"Enrique, when you talk about participating in a board presentation, are there things you are expecting the presenter to cover when it comes to security?"

This is one where there's probably not a right answer, but there are a lot of things you have to think about. The first thing I always tell folks, in any presentation, is you have to know the audience. If you think about a board of directors, they are not, for the most part, cyber security experts. Many of them are sitting CEOs. Some of them have been parts of accounting firms. They've been audit partners. You've got a big diversity of technical sophistication, understanding of security, and just the point of view that they bring to the table. You start by understanding that.

That ultimately means knowing the topics the board really cares about that the whole group can get their head around. Where that starts is this idea of what are the security or cyber risks to a business. What are the biggest things they, the board, need to be thinking about?

What doesn't work is a lot of charts showing red-yellow-green status reports of how we've implemented a technology. That, to me, is the thing I used to see a lot of. People have evolved to say, "Let me try and think about what are the assets of the business, what are the real things that matter? Customer data, source code, or intellectual property around a chemical formula because we're a big chemical company."

We are always trying to help our security leaders think before they come to present to the board, helping them to frame the risks to the business. Start with that. Then try to have a way of communicating the steps you are taking to protect against those risks.

I also like to see presenters comment on what do they need in two dimensions, from a support perspective from the board or audit committee and from the executive team. It's not just what they need from the board, but what do they need the executive team to do.

The other thing is, what do they see from a talent perspective? They have some needs in their own group. What expertise do they need to bring in? What are the sorts of capabilities they may not have that they want to have? You have to frame it that way. Frame the risk; how can the board and leadership team help and what are some of your needs.

Lastly, what I try to communicate to people is thinking through how to communicate progress along the initiatives at a level that makes sense. You're not going to get one shot to talk to the board. The board is going to want to talk to the security team, probably at least once a year. The audit committee may want a report from security every quarter or every six months, but more frequently than the board. You get multiple chances. You have to think about how to show progress.

The biggest mistake I see is this notion of, everything is always trending in the right direction. I think you lose a little bit of credibility when you don't say, "Hey, you know what, here's where we ran into an issue. Here's the thing that we need to go deal with."

Transparency and being very clear on what are the things that are working, what are the things that need improvement, is very important.

Continue reading with Boardroom Conversations on Security: Part 2, or download the entire series for easy distribution to your board and security team. 

About Enrique Salem

Enrique Salem was the president and CEO of software company Symantec from 2009 until 2012, and was a member of Barack Obama's U.S. President's Management Advisory Board. Enrique joined Bain Capital Ventures in 2014, where he focuses on infrastructure software and services with a specialization in cybersecurity.

 

About Erkang Zheng

Erkang Zheng is a hands-on leader in cybersecurity. He is an engineer by trade and an entrepreneur at heart. Before starting JupiterOne, Erkang was CISO, Privacy Officer, at GM LifeOmic Security. In August of 2021, Erkang was selected as one of The Top 25 Cybersecurity CEOs of 2021 by The Software Report.

 

Mark Miller

Mark Miller speaks and writes extensively on DevSecOps and Cybersecurity. He has published 9 books, including "Modern Cybersecurity: Tales from the Near-Distant Future."
