
Cybersecurity & The Board: Choosing Success Over the Sarlacc Pit

BSides Islamabad · 2021 · Published 2022-05
About this talk
Brian Contos shares strategies for communicating cybersecurity risk to board members and executives. Drawing on 25+ years of experience building security companies and advising boards, he explores what matters to board members, how to frame cybersecurity alongside traditional business risks like operations and finance, and how to demonstrate operational competency in governance discussions.
Original YouTube description
BSides Islamabad 2021 Talk

Brian Contos, VP & CISO @ Mandiant Advantage

With two IPOs and seven acquisitions, Brian has helped build some of the most successful security companies in the world for 25+ years. He is a seasoned executive, board advisor, security company entrepreneur, author, and award-winning podcaster. After getting his start in security with the Defense Information Systems Agency (DISA) and later Bell Labs, Brian began the process of building security startups and taking multiple companies through successful IPOs and acquisitions, including Riptech, ArcSight, Imperva, McAfee, Solera Networks, Cylance, JASK, and Verodin. Brian has worked in over 50 countries across six continents. He authored the book Enemy at the Water Cooler and co-authored Physical & Logical Security Convergence with former NSA Deputy Director William Crowell. He was featured in the cyberwar documentary 5 Eyes alongside General Michael Hayden, former NSA and CIA Director. Brian has written for and been interviewed by industry and business press such as Bloomberg, the NY Times, the Wall Street Journal, and C-SPAN, and is also a Forbes Magazine contributor. Brian is a dynamic speaker who is regularly invited to present at leading security industry events worldwide, such as Black Hat, RSA, Interop, OWASP, and BSides.
Transcript (en)


Hi. You're in front of the board, and a lot of the time it's just speaking the language they need to speak, because they only have a finite time to consider cybersecurity: understanding what's important to them. Every company and every board member is different, of course, but I've tried to take a pretty big sample set that I'll be quoting throughout this presentation to share various ideas: what do they care about, how do they want to hear it, what type of evidence do they actually require, etc. So let's jump right in.

A little background about myself. Again, Brian Contos. I work with Mandiant, but I've been in cybersecurity for about 25 years. I've worked in over 50 countries, started with DISA and then Bell Labs, then started building a whole bunch of startups: Riptech, ArcSight, Imperva, Cylance, and a bunch of others. I've written a couple of books, and I was in a cyber warfare documentary recently as well.

So, today's agenda. Again, I'm going to try to keep this as fun and interesting as possible. I don't want to be too... this is a very serious subject, of course, but I kind of want to interject some fun and some history and some other bits that I think paint a more interesting picture than just sharing a bunch of quotes with you. So: a little bit of history, some conversations with board members (of course we're going to have a bunch of quotes throughout), some business relevance, hot topics (what do they care about in terms of cyber, what's sort of on the tip of their tongue in terms of discussion points), and then demonstrating operational competency.

So the first quote I have here is from a mentor of mine, Art Coviello. Art was the former president and CEO of RSA Security, and today he sits on the board of a publicly traded financial services company, multiple tech companies, multiple security companies; just a huge wealth of knowledge in this space, and I'll be quoting him a couple of times throughout this presentation. But this first one (and I'm just going to read these quotes out, so you guys don't need to read everything): "While board members don't need to be cybersecurity experts, they do need to be able to interpret risk metrics regarding cybersecurity, just like they do when understanding sales or operations or finance. Only when there is an understanding of risk can boards provide the most appropriate oversight and governance."

I think it's a very simple quote, but it's really important, because he's basically putting cybersecurity up there at the same level as sales and operations and finance, things that are considered very strategic to the organization. And each one of those has a level of risk. Some of that risk might be cyber, actually, but a lot of it's probably not, and the fact is that when they're looking at risk, cyber is just one flavor of multiple things that they need to be able to consider. Ultimately they're helping guide the organization, so they need to understand what the risks are so they can provide the best oversight and the best governance. If they have limited exposure to sales, to operations, to finance, they're not going to be as effective, just like if they have limited exposure to what's happening in cyber.

And there's been a shrinking threat window. About 3000 BC was the first historical reference that the sea was actually used for trade, for commerce, so the commercialization, if you will, of the sea. The first recorded pirates weren't until about 1300 BC, right? So it took a couple of thousand years before somebody said, "Hey, that boat going between here and that island, why don't we just rob it?" Right? So that's a pretty big threat window. We don't see threat windows like that today. So: first commercialization of the sea, pretty broad threat window.

Then air. The first commercialization of air was in 1859. John Wise had a hot air balloon; it was used to deliver mail. It crashed and failed miserably; literally, it crashed, it didn't work, but it was a good idea at its core. But we saw that commercialization of the air, well, it started in 1859, and the first hijacking didn't happen until 1931, and that was actually in Peru. So the threat window is shrinking, but by our standards today still pretty big.

Then in 1962 we had the first commercial satellite, Telstar, just a couple of years after Sputnik, and this was used by AT&T for television broadcasting. We haven't honestly seen that much happen in terms of space and satellite warfare. It's been a discussion topic for sure; there have been some command and control systems and bots, the Turla data theft happened in 2015, so it has been tapped into, but because of access and other limitations it hasn't been exploited, at least by criminal attackers, the way that we would think of more terrestrial attacks happening.

And then in 1998, or 1988 rather, NSFNET and MCI Mail said, "Hey, you've got email users, we've got email users, why don't we charge them so they can email each other?" The commercialization of the internet, right? And pretty much as soon as that happened we had things like the Morris worm and other attacks. So the threat window kind of went from thousands of years