Board Reporting for the "IT Guy" 101

BSides Cayman Islands | 21:46 | 36 views | Published 2023-05

Transcript (en)

Thanks so much, Jane, that's a great introduction, I feel important now, so thank you. And I'm somewhat intimidated; I was expecting like two people here, or maybe ten, but it's the full room almost. Board Reporting for the IT Guy. You know, you're an IT guy, or IT person I should rather say, to be politically correct here, and you're minding your own business doing all this interesting geeky stuff, and then bam, you have to dress up now for your Zoom call and then report to your ManCo or your board. Where would you start? What type of report should you produce, especially for such an important presentation?

Before we jump into it I would like to step back and say thank you to the sponsors, especially the major ones; without you this important conference wouldn't be possible. Big thanks to the organizers, the Amber Lake guys, I mean those folks did just an unbelievable job to put this thing together, and thanks to all of you, local folks and visitors, for joining us for this important conference on this beautiful island. Oh yeah, and all the best jokes, thanks to ChatGPT; I'll let you spot those throughout the presentation. And the funky art is by DALL-E. It's my take on the augmented artificial intelligence, you know, so don't judge, it's work in progress.

Now, if your name is Vladimir these days you have to come with a disclaimer, isn't it? So I like to think I'm a good Vlad. I didn't bring any cookies though; James told me there's plenty of food here, if it's not then, you know, blame him. But I hope that I brought a little bit of knowledge or ideas on how to start reporting to your ManCos or to your boards, or to your client boards for example. So let's jump in. We started to get engaged about, you know, two or three years ago and realized there's really no blueprint of where to start. There are so many different best practices, there's a lot of information on Google University, tons of stuff that you can go through, but if you're just starting that kind of stuff, where do you go? We provide the compliance and risk and entity governance, but with the introduction of cyber security guidelines by a local regulator, more and more we were being asked to provide board reports to ManCos or the actual boards, or we actually present to the board ourselves. So we kind of started building, slowly but surely, a little bit of a model that I would like to share with you. As everyone these days, I thought like, hey, you know, why don't we run this by AI, and ChatGPT came to help in this case.

I just realized there is a grammar issue; it's not GPT's, it's mine. You've noticed by now that English is not my first language. So ChatGPT was pretty much spot on if you think about it: understand the audience. That's very applicable to all these different meetings, but especially for cyber security you really need to assess your board members, their expertise in technology, how patient or impatient they are, how much time they can allocate for you. It certainly needs to be focused on business. You can't just report solely on technology; you need to relate back to the business, whatever that is: risk, financial impact, regulatory, reputational. Make the story together with the business, provide the context. Absolutely anything you present during your presentation or in your board pack should be factualized, should be based on some sort of statistics or some included reports and so on. Simplicity is key: make it quite presentable, no noise, I don't know, use a traffic light approach. Don't use a lot of technical lingo and abbreviations; make it, like, you know, plain English. Offer solutions as well, and then, you know, maybe some short-term and long-term solutions throughout your presentation or your board pack, and create not just the current state of affairs of technology or what you have done so far; create this type of continuous improvement flow when you do the presentation. And last but not least, show the improvement. Make the story; do not report on a segment by segment basis; pick up from the last report and continue that story, so your board starts getting used to the fact that you're constantly improving, and hopefully that's the case.

So where do we start? First, what type of sections can you introduce to the board report? We should start with the risk register, and I assume that you have a risk register already; if you don't, that's something you need to consider. We suggest you start with three different sections, or segments I would say. Just bring the basic one, just to show your raw and residual risks, and use a traffic light approach, but in this particular case ignore your low risks. Okay, chances are your board has already approved this risk appetite and there's no reason to show something that is already approved and part of your risk appetite, so just concentrate on the high and medium. Show the raw and show the residual one, and hopefully kind of give the board the subliminal messaging that your controls are working. And also include the ownership. Chances are some of those folks that own those risks are with you on this board presentation, so you can actually allow the board to redirect the questions to the owners of the risk and you can kind of get them more involved. So, you know, the chief compliance officer, chief operating officer can be part of your story, part of your team when you deliver it. And bring those high and medium details to your presentation. You can certainly include the full risk register as a part of the board pack, but include those details. And I like to use this as an example: I'm sure local folks remember when we had to put the beneficial ownership information onto those USB keys and someone had to walk to the government building and deposit it. So it's a really good example: your policy should dictate probably no USB storage, but in this particular case, as an exception, your board has to approve it, and this is an opportunity to explain that to the board as well as allow them to ask you questions, so they can actually accept that type of risk during the meeting.

The incident section is very important. Even if you don't have incidents, just include that section, because your board will start getting used to your structure of the reporting. They can actually look and see; they're expecting the incidents, and if there are none it's a good sign; just make it, hey, none, and green. But also don't necessarily consider capturing only material incidents; think about significant incidents as well. There could be some basic or some sophisticated whaling email that goes to your CEO, or you have some sort of brand jacking taking place, someone tries to impersonate your website; something like that could be quite interesting for your board to know, because it potentially leads to a material event.

Pen testing: is it required these days? I think the regulator almost demands it to be at least annual, so certainly you should introduce it to your reporting as well and take some sort of reporting out of it. Same idea: just do a highlight on the traffic light kind of model, and in this case maybe introduce, well, maybe like a hybrid of traffic light: introduce the low ones and maybe even informational ones as well, simplified for the board so that they can understand what the findings are. But also be ready to respond with the remediation steps and remediation statuses, because chances are they'll ask, okay, well, someone discovered our website is not up to date, what did you do about it? So you should be proactive and include these types of statuses and be able to respond to them. Should you include the detailed report on the pen test? It's really up to you, and that kind of comes with... you understand your board better than anybody else, and in this case some of those pen test reports could be quite technical, so who knows if they're going to be beneficial for your board or not.

Training awareness, a very important one, and again hopefully your clients or your companies are doing it as frequently as possible, so get something that is reportable. I mean there are so many different products out there that can give you nice details back, and now you can start with the correct and incorrect responses, but we also suggest including participation, because that's where the importance of that type of measurement is nice to report back to the board. Because if there are a lot of incorrect responses, that's something to do with your training; you really need to take that and understand what needs to be done. If people don't participate, they ignore your training, that's a different story, and, you know, it's a good opportunity. Should you include a report on this type of stuff? I don't believe so, because you don't want to kind of shame and blame all these employees that are actually not participating enough or are not really answering certain things correctly. But at the same time it gives you a good opportunity to create that newsletter concept where you're advising your employees: hey, we actually started reporting these statistics to the board, so it's better, it's your responsibility, to take this seriously and attend those sessions or respond to those emails from the IT team and participate in those trainings, because eventually that data will be accessible to your senior management.

Protective tech: there are so many different reporting capabilities. I'm sure your board is aware there is a firewall and there is some infrastructure in place, but how much do they know? And it's your responsibility to simplify that type of reporting for them and make it digestible. So in this case, I mean, these are just simple examples; hopefully your firewalls or the infrastructure you have in place has that type of capabilities; intrusion prevention and detection systems can give you that type of details so that you can build a nice story. You can show attack statistics, you can show the malware that's travelling through your infrastructure: is it being, you know, captured on the affordable basis, so you let it into your quarantine with the email and it's being dealt with that way? It's a nice statistic to show to the board. And also just in general, what type of activity is taking place in your ecosystem? Are there other people coming into Wi-Fi with Dropboxes, are they using, you know, personal VPNs, are they using BitTorrent, I mean, are they impacting your bandwidth by using some of the applications unlisted in your policies? That's certainly nice to consider.

Help desk: a lot of internal auditors and the regulators are now looking for evidence, so you need to capture your activity with IT throughout the help desk, and this one is quite interesting. You can start with something that could be as simple as a resolution rate, and you can move from that simple resolution rate to something more sophisticated where you can show the statistics of which department is more active with support, which application requires more support, and then build up on that kind of stuff going forward.

Phishing: another important aspect of it. The regulator loves to see some of that going on; I think it's maybe at least annually that it should be performed. Again, start with the basics; maybe something, you know, opened and clicked, would be enough for the board to understand, hey, how many employees, in percentage and statistically, would click on the link? Should we improve our training, our cyber security awareness training? Should you include a report with that presentation? Again, probably not, because you don't want to shame and blame your employees. You want to kind of go through that nice process and again show the board a general picture, and then at the same time come back to your employees and explain that this type of stuff is now being reported to the board, so they have to take it more seriously. Just by the way, a piece of trivia for you: when I tried to get a joke from ChatGPT and I put in, hey, give me a joke about phishing, the response I got was "phishing is a serious matter and shouldn't be joked about", so that's why you got the regular fish joke.

For you to show your improvement, this is probably one of the best ways to show it, because you have your senior management present, you have your ultimate board present, and this is a really good time to find a way to quantify your progress, hopefully, you know, beneficial progress that goes from one presentation to another, and that's where you're building your story as well. There are so many different ways you can do it, and it doesn't have to be a scientific calculation of quantification from one presentation to another. You can just say, hey, we've done third-party assessment of two vendors in the previous reporting and now we're going through the new one, that's an improvement. We've done some upgrades of the firewalls or some infrastructure, that's an improvement. With all the asynchronous and work from home models these days, we introduced additional supporting mechanisms and cyber security mechanisms to the endpoints of those users, that's an improvement. Try to quantify it. And the same in the policies: nowadays the regulator demands that you review these policies, not just write them once and present them, you know, once and that's it; you have to constantly mature your policies going forward, and that's a good opportunity to say, hey, we've done two policies before and four policies now, that's an improvement from a maturity point of view.

There are so many sections that you can introduce to your reports, and when you start with something simple you can go through the various different best practices, you can evaluate your board or your ManCo and go with some of these specific sections. It could be a budget-specific one; usually it goes with the management report, but in this case you can include some of that stuff in your presentation. You can introduce different sections like industry events, or some sort of cyber security activities that happen in the industry, and that would be quite beneficial for the board to see as well.

I really hope that some of the information was kind of beneficial to you, that you picked up some of the good points from here and not just the bad jokes from ChatGPT, and if you have any questions I'll try to answer them. But thank you very much, and I should get some sort of a prize for finishing in 25 minutes. Well, you know, absolutely, I mean, if you guys have any, I'll try to answer some of them, but... oh wow, that's perfect, I actually don't like to answer questions. Thank you very much, guys.

[Applause]

Vlad, I do have one question. Did you put the joke content into ChatGPT, or did you say, I just want jokes on... does it still work?

Oh, so yeah, you just ask a question and say, like, hey, give me a joke for this particular topic, and boom. I had to kind of ask a few times because some of them were, okay, beyond, even for me it was difficult to understand, so yeah. But yeah, it's quite interesting.

Vlad, I've got another question and then I'll let you go. With your experience in board reporting, how do you keep it fresh? So you've got this information coming maybe monthly, quarterly to the board; they're kind of, you know, their eyes may be glazing over the kind of traffic light system, and actually the underlying kind of, what you really want is like a check and challenge of the senior management or the CISO, to kind of say, like, what is actually... how do you, with your kind of experience, and gamifying a little bit, how do you keep that dialogue fresh and how do you keep them engaged, like month after month, when it's often the same topics and actually the dial is not maybe moving as quickly as it needs to be? Any tips?

Absolutely, it's a great point, and it's similar to what we do with our cyber security awareness training as well. So we try to introduce some of the activities that have taken place in the industry, some cool stuff like a deepfake voice. The other day, maybe a few years ago, someone impersonated with a deepfake and was able to transfer 35 million dollars in Dubai, simply by impersonating someone with a voice, with a callback. So some of that stuff we kind of introduce in the middle, in some of those additional sections, and say, hey, this is what really happened in the industry. So part of your procedure is a callback when someone requests a transaction, for example; hey, with the new technology, the deepfake voice, now you can actually impersonate someone. So some things to that extent. You also mix and match some of the reporting, so for example you're reporting on your protective technology in one way and then you mix it up a little bit the next time, so you can actually introduce maybe additional specifics that you found in the firewalls for example, but make it very simple. Usually when you engage, in this case for some of the clients, you have an internal audit that takes a little bit of time as well, because once a year or so you have to present on what the findings are from the internal auditor, so that kind of mixes it up a little bit as well. And at the end of the day it's really up to you. It's difficult. So we have boards that consist of two people and boards that consist of six, so you really have to read your room, which I'm not doing very well here, but yeah. And, yeah, so it's really a good point. Someone actually compared my initial training to a dentist appointment or a colonoscopy, so take that, I'll recover after this, you know. And we did; it was pretty boring in the beginning, but we tried to make it as interesting as possible.

I should run away, probably, like, you know... No, I have a question... Thanks so much.

[Laughter]