Boardroom Conversations on Security is an ongoing series on how to discuss and present cyber security concerns to your board. It comes from an extended conversation between Enrique Salem, Investor at Bain Capital, and Erkang Zheng, CEO of JupiterOne. For your convenience, the entire series is available as a single download.
"Enrique, when preparing for a board meeting, what are the things the board would like to hear from the CEO? Are there specific metrics or measurements you look for?"
The first place I would start with is to give a view of, "Where are we from a security risk perspective?" I look at it in two dimensions, starting with our own security maturity. Give me a point of view: are we just building a security program? Have we developed it? Is it something that's repeatable? How do we think about our security program and the maturity of the security program?
To me, what I would want them to show me is, "Here are the functions we have, the roles of people in security, and here are the processes that we use." I'd want to see that. That's not a metric, that's more of a discussion.
Sometimes that can be challenging. It depends on the company and the actual security team's maturity. An immature security team can come to you and say, "We have a mature security program," without knowing what they don't know. It goes back to your point that this is not a metric, but a discussion. Otherwise, if you're just asking to see a chart of security maturity based on the red, yellow, green type of thing, it doesn't really uncover the actual details of the maturity itself.
I look at it from the capability maturity. As an example, look at the work that was done on the old Carnegie Mellon Capability Maturity Model. There are lots of frameworks you can use to try and articulate the maturity of an organization. I'd want to have that discussion.
The other thing I would want to do is talk about a set of areas that really matter, that need to be reported on around compliance issues, specific regulatory compliance issues. I would like you to show me and have a way of communicating to me that if we're taking credit card data, are we PCI compliant? If you're in a healthcare business, are we HIPAA compliant?
I want to make sure there is a way to understand there are regulations that govern our business, and here's why I believe we are compliant with those regulations. Then there's a set of certifications that we care about. For example, a lot of my companies are cloud-based, so where are you on things like SOC 2 and other certifications that we need to have to be able to be in business? There are some very specific things that you should just be able to go through and show the board clearly that you're doing and have done and have taken good care of.
I would go a step further beyond what you said about compliance, Enrique. A lot of times the board asks, "Do we have SOC 2? Do we have HIPAA? Do we have PCI?" I would challenge the team to think about, "Do we have this continuously?" It is not just, "Yes, the auditor gave me this report and stamped it yesterday."
What the board needs to ask and what the executive team and the CISO team need to be able to present is, "At any given time, if the auditor walks in the door today, I can show you the same compliance status at a moment's notice."
Continue reading with Boardroom Conversations on Security: Part 5, or download the entire series for easy distribution to your board and security team.
Read the full Boardroom Conversations series:
- Boardroom Conversations Part 1
- Boardroom Conversations Part 2
- Boardroom Conversations Part 3
- Boardroom Conversations Part 4
- Boardroom Conversations Part 5
- Boardroom Conversations Part 6
- Boardroom Conversations Part 7
About Enrique Salem
Enrique Salem was the president and CEO of software company Symantec from 2009 until 2012, and was a member of Barack Obama's U.S. President's Management Advisory Board. Enrique joined Bain Capital Ventures in 2014, where he focuses on infrastructure software and services with a specialization in cybersecurity.
About Erkang Zheng
Erkang Zheng is a hands-on leader in cybersecurity. He is an engineer by trade and an entrepreneur at heart. Before starting JupiterOne, Erkang was CISO, Privacy Officer, at GM LifeOmic Security. In August of 2021, Erkang was selected as one of The Top 25 Cybersecurity CEOs of 2021 by The Software Report.