
Talking Cyber To The Boardroom: What I Wish I Knew Sooner - Lee Ward

BSides London · 2025 · 14:54 · 59 views · Published 2026-03
About this talk
Lee Ward explains how security professionals can communicate cyber risks effectively to boards by focusing on business impact rather than technical details. The talk presents a framework of Relate, Risk, and Recommend: connecting threats to business goals, explaining potential impacts in business terms, and offering clear actionable recommendations. Ward emphasizes plain language, brevity, and building trust through rehearsal and documentation.
Transcript [en]

Good morning everyone and uh thank you for coming. Um the purpose of this talk is just to explain how you can be a better communicator if you have to talk about cyber security to the board. So the problem isn't so much that boards don't understand cyber security. They understand it but they don't understand all the technical ins and outs. They don't know what CVEs are. They don't really want to know about how you calculate any scores. A board's job is to look at the big picture, look at uh strategic risks and uh deeper five of the company. Um they know about cyber security in the fact that they know that it can cause

problems, but that's as far as their knowledge tends to go. Um, so they set the tone of the risks basically and you just need to know how to capture attention. So why does it matter? Well, that stat I think was from uh the government security strategy earlier this year. 90% of boards do see cyber security as a top risk but only 25% feel confident understanding it, and if you think most organizations out there, they're not like 3100 companies, so they'll be small boards, they won't necessarily have a dedicated CISO or CIO or whatever it is, and there's also so many other persons competing for their time, it's not on their agenda. So,

not that they don't care. It's the fact that they've got very little time and they need to look at the big strategic picture. So, here's a little framework I like to use when I'm talking about security to boards in general. So, the three Rs are relate, risk, and recommend. Relate the threat you're seeing to a business goal, okay? To a wider strategic company goal. This instantly gets their attention and they can relate to it. Then the risk: explain what could go wrong. Explain what the impact could be and don't just say, "Oh, it's a phishing attack and there's lateral movement." You need to take it further. If realized we could have downtime of a certain

amount, this could mean that we can't take orders or that floor is going to be disrupted and basically we may miss crucial business targets. Again, link your specific threat to the wider business need and they'll be able to understand and you've got their attention, which is basically what you want. Um, third of all, recommend: give a clear and concise recommendation. Um, maybe only two or three sentences. Here's what I need to do. Here's how I'm going to do it. But don't go into too much detail because otherwise you'll lose them. Because if you get this right, you will gain the confidence of the board and then you've got very, very influential friends. So ransomware, we all know what

ransomware is. Yeah. Lateral movement. Yep. Right. Boards don't necessarily know about lateral movement and bits and pieces but will know about an interruption that it could cause. You could have your entire sales team um lots of help. You go to management and then you have to either, you know, negotiate or just refer to backups, whatever you have, but all the time there's ransomware in the system that's time that the business is losing, that's money that the business. So make a clear recommendation: have multifactor authentication and regular backup testing. Uh two very easy, simple to understand recommendations that the board will be able to sign off on. Common pitfalls. If your presentation is too technical,

the board won't understand. If they don't understand, they'll lose interest and lose confidence. Okay? Present them with a clear plan of action. This is the issue. We are going to do X, Y, and Zed. I just need your sign off on it. As tempting as it is, don't use scare tactics. Don't say, "Oh, if we get a ransomware, it being infected, we'll lose sales over Christmas and then we'll be calling the insolvency service because we're going bad for us." That's really tempting. It really is, but it doesn't win friends. Um, unfortunately. Um, also use plain English. Okay? Simple plain English. Again, that's how you build your relationship with the board. Right? If you need to go into a

presentation, rehearse it first with a non-technical colleague. Have a strong story. I'm not saying once upon a time in the far away forest there was ABT196 threatening our downfall. But just have a clear strong story and end the story with a clear plan of action for the board to remain. Again, it doesn't need to be long. Maybe 5 to 10 minutes. Brevity, believe it or not, brevity is your friend because if you're brief and concise, they will appreciate that. Again, it goes back to building trust and confidence. So, here I want to talk about something which you may not initially think is on your register and that's supply chain risks. Okay? So, it isn't just what

you're seeing yourself. So, earlier this year, there was a chilled food distributor that had a ransomware attack. Okay. So, some warehouse and logistics coming out and attack their customers were major supermarkets: Tesco, Sainsbury's, Aldi etc. So, you can instantly see that there's a bigger strategic issue here. Um so the point is identify your main suppliers and also tell the board about these as well and tell them you're constantly working with suppliers as well. You understand your supply chain and the threats that they're facing as well because again businesses like continuity. They like being able to know that their business keeps running. Um and again this adds real value to your discussion with the board.

Um bit of a side one: be proactive. Okay. So has anyone heard of the Japanese giant Asahi? I forgot what beers they produced, but they were hit by a ransomware attack I think back in September, but it's okay, they had a backup, they had the fax machine. Now some people may not know what a fax machine is, um but believe it or not this fax machine, this analog technology, it was business continuity. Yes, they had a major issue and their suppliers had to, their customers had to get into contact with them a different way, but they were still receiving orders. They were still processing sales. Business operations continued as normal, albeit slightly uh at a slightly

slower, old-fashioned pace. Uh, and if anyone has any transit envelopes in their office, I know most people don't know what transit envelopes are. Okay, don't throw them away. Um, again, this is all about business continuity. So remember, we don't just secure systems, we secure decisions. Okay? Remember the three Rs: relate, risk, and recommend. We don't need to be a CISO to influence decisions. We just need to be calm, compelling, plain English. Um, and that is it.

Yeah, time for one question. Yeah. >> Anyone have any questions?

Hi, thanks for the talk. That was really interesting. I'd quite like to know at what point did you realize that you needed to take the strategy? How did you get to this point? I mean I'm a governance professional so I look at governance structures as risks and it's all about how can we ensure that business continuity is there, and this is why I was saying about that example with the fax machine, um because if you've got a clear strategy you may have some lack recommendations trying onies or whatever. But if you present it as a business continuity issue, it may slow us down, but we will still be able to be in business. Wards like him and things

like that. Um, so it's, you know, there's an important message. We just need the board to sign off on it and let's relate it to good governance basically. Um I suppose I was also wondering, for example you reference um not using too many acronyms, and everyone knows that technical people are guilty of that. Is it something you learned the hard way or is it just something you observed other people doing and learned your lesson that way? I mean this is why I was going back to the slide about rehearsal with non-technical colleagues before you have to go in, and to say look, do you understand what I have just said? If they say yes, great; if not, then you know

that's why I'm saying that hurt it because when they say yes we understand what the issue is then you know you'll be able to go into the board use that language and you'll be able to get them to give made the decision that I needed. >> Thank you. >> Do one more question I think if you'd like.

>> Hi. Um, so I'm thinking about the flip side when you have a "told you so" moment where the board has never listened and something's gone wrong, the servers are encrypted. How would you handle that? Already never been in that situation, but what do you think about that? This is really in I've never really been in that situation, but it's all about, look, at the end of the day, you're asking them to sign off on it. If they can document that they've seen the option and they decided to disagree with it, once it's minuted, then you've got told you so. You can say, "Ay, please see my email where I did raise this issue with you. You did

discuss it and decided against it." All about documentation. >> So keep an email trail. >> Absolutely. That's why we love governance, email trails. >> Question. >> Um thank you. I was really interested in uh one of the first points which was about uh there's lots of other priorities. And how do you make these risks stand out against all the other operational issues that are in the organization? You've got to your competitors basically >> basically someone like a company secretary can be your best friend because you basically say okay, do I go to the audit risk committee first, if there are sub committees? Always talk to the company secretary and people who work for the company secretary because

they control the diary, they control the meetings, they can advise you what the best way is to get in there. >> Awesome. Round of applause for Lee, everyone.