
Hi, I'm Scott, and basically I'm here to talk to you today about why infosec is a board-level responsibility. So, quickly, who am I? I'm with Logical Steps. I love technology; I'm also an MBA graduate and a qualified CISSP. Most of my time is spent consulting, doing enterprise security architecture. I'm also an MSc student part-time at Royal Holloway, doing information security.

So today I want to talk to you all about why infosec is a governance issue, not just an IT function: who your target audience is, what their role is, what the problem is, how you actually sell the problem to the board, compliance and the board's responsibilities, and to conclude with why it comes down to the board's responsibility.

Setting the scene: boards and senior management comprise an awful lot of non-technical people. You've got the financial director, sales and marketing, HR; none of them generally have a strong background in technology, with a few exceptions for technology companies. Over the past two decades technology has become more and more key to doing business. In the 21st century you can't do business without technology, and so that's why the confidentiality, the integrity and the availability of that information is critical. But information technology and information security require investment in money, time and resources, so for the good of the organization you basically have to try and convince uninterested senior management, uninterested directors, to commit resources and funding so that they can apply them to your security projects.

Understanding how we do it: there's needs and there's wants. Originally there was someone called Maslow who came up with his hierarchy of needs, and that was further built upon by someone called Herzberg, who went on to his hygiene factors. Essentially, our needs are our basic requirements: our food, our water, our shelter. Our wants, on the other hand, are what we really want: our high-end cars, our big houses. OK, so there's a nice simple acronym that was produced for sales and marketing people called AIDA, and that is: attention, you need to capture your audience's attention first of all; then you need to get them interested, once you've got their attention, build their interest up; and then there's desire for your product; so once you've got that, then action begins: you can sell that product to the board.

A quick example: a few years back I was working somewhere where we only had PIX firewalls in place, and I had to convince them why we needed to set up a DMZ when we replaced where the servers currently were. I also had to convince them why, when they'd only ever used PIX, we needed to choose a firewall from a different vendor to put on the perimeter. So I ran through essentially that same process I've just gone through there, and eventually convinced the senior management and got the funding and the resources necessary in order to implement firewalls from separate vendors on the perimeter.

Further moving on, you've got to ensure that when you present to your senior management, to your board, what you're presenting to them is what I would call board talk rather than tech talk. They don't want to hear lots and lots of three-letter acronyms. They don't want to know about SQL injection attacks or cross-site scripting. They don't want to know about whether you should be using cipher block chaining or cipher feedback mode on the ciphers in your encryption. What the board is generally concerned about is their sales, their income, their top line, their gross income. They want to know about the return on investment. They want to know the quality of the product or service you deliver. Now, what's very interesting, though, is they are concerned about risk, and that is a key area where you can sell in for security: dealing with it, mitigating it. They're also concerned about the cash flow, making sure there's enough money for all the projects running around, and they're interested in what their competitors are doing. And the other thing that concerns the board is legal and regulatory compliance. Depending on which jurisdiction in the world you're working in, you need to ensure you comply with the local laws.

So the challenge: you want to be able to sell them the benefits, not just the features. By that I mean the board don't want to know every different parameter of a particular firewall. They don't want to know about its 3... etc., etc. What they want to know is what it gives them, how it helps them do their job, how it helps the company to make money, what the bottom line is. So people buy the benefits, not the features, and there's three little words we can use to sell that, and those three little words are "which means that".

So a quick example, as shown up here: imagine a Secure 3000 IPS that you're trying to sell them. This updates its signatures every 30 minutes, which means that the company will have rapid protection from zero-day attacks.

Then it's basic human nature: people are drawn to people similar to themselves; it's just one of those unwritten rules. Now, the senior management are not necessarily going to need to know about the extent of your technical knowledge; it can even be off-putting to them. So you need to come across, to a certain extent, as one of them; you're pitching to them. Make sure you're using open questions with them. Don't just look for something that's going to give you a yes or no answer; better to ask them something that's going to give you an idea of their objectives, their advantages, what their wants are, their attitudes, their needs, and how that can be integrated overall. And don't oversell your risk. You'll get away with it once and get investment, but if it doesn't pay off and it's cost them a lot of money, they're not going to take you seriously again. Keep it real. And when you pitch something to them, listen to them, ask them questions, watch their responses, watch their body language; that's kind of critical. And questions coming back from them are good; look for the questions, that means they're actually paying attention to what you're trying to sell them.

So, looking back over what they're interested in: regulatory compliance. This is really key anywhere within IT or infosec where you've got a compliance requirement. A good example is the UK Data Protection Act. You need to see what's required, have a look at what the company is currently doing, a quick gap analysis there. Once you understand that, and you understand the cost that's going to be involved to close that gap, then you can take your proposal to the board. This is very critical, because serious breaches of the DPA can result in companies being fined large sums of money, up to about half a million pounds, I think. Now, unless the organization is going to take a top-down approach, pushing through the objectives and the changes, it's leaving itself open to lots and lots of serious threats. It is part of the board's governance.

So why is it a board-level responsibility? The board decides what the key information assets within its organization are; they decide how much you need to protect those; and they also control the funds and the investment in projects, so they have to be the ones to prioritize the various initiatives. Also, the board's going to be responsible for pushing out cultural change within your organization, and if anything goes really wrong, the board are going to be held accountable, and in some cases they have to step down if it's a serious infrastructure breach.

Looking quickly at the regulation again: whichever jurisdiction your organization is operating in, there's various compliance requirements. They might be ISO 27001; they might be the Data Protection Act. In UK government systems that might be HMG's IAS 1; in the Ministry of Defence you've got your JSP 440s, things like that. Over in the States, for medical, you've got HIPAA compliance, etc. So basically the risks are there; you need to comply with them. As I mentioned before, on the DPA, fines of up to 500,000 pounds for serious breaches. So the board has to be proactive, mandating any information security changes to go through.

So, to conclude: if no one else wanted the information asset, it wouldn't really be an asset. You need to ensure that confidentiality is maintained, you need to ensure the integrity of the information is there, and you need to ensure it's available only to the people who need to access it. It is a governance responsibility of the board. It does require a top-down approach to implement, and you need to really sell it to them in order to get it achieved. So, any questions?

Audience member: You say that the board care most about revenue and profits, so how do you tie a deeply technical project, such as a new IDS system or new firewalls, into something that they care about? How do you tie these ideas together?

Scott: You need to sell to them basically what the benefits of that will be, what it will do for the company if you implement it. You know its features; you know that essentially it might be able to detect signatures in real time and block and drop those particular packets. But they're not going to buy that; they're not going to understand what you're talking about there. Basically you have to say to them: if we set these up at our perimeter, if we can stop attacks before they enter our network, how much benefit will that give us? How much will that prevent a drop in productivity across our staff? That's the sort of angle you need to be looking at to try and sell that to them. Anyone else?

Audience member: [inaudible]

Scott: Well, to avoid having the board go down that really bad route of only spending just enough to tick the boxes on compliance, sometimes it's worth setting up a demo, if you can, if you've got the time, the cost, the availability of that. That's one way of approaching it. Or look at other case studies where only ticking off the PCI DSS list meant that they were still breached and there was lots of reputational damage.

Audience member: OK, just how do you explain the risk when nothing bad has happened? I often get "that won't happen to us".

Scott: OK, you can once again take an example, and I'll rephrase it slightly. I've seen that before in a certain manufacturing industry. They were producing bolts for an upstream supply contract. Now, they said no one's going to care about our systems; all we do is produce bolts for manufacturing here. What they didn't realize was those components were being sold on to a military contractor for their aircraft manufacture. Because their security had lapsed, people in there knew the specs of those bolts, suddenly they knew the tolerances of those, and from that they could infer the tolerances and requirements of the aircraft, and that was quite a serious security breach when you look at it that way. So you need to look for examples and sell them examples, and sell the features and sell them the benefits. Anyone else?