
Emily Muraguri - How To Sell Cybersecurity To The Board

BSides Liverpool | 23:01 | 21 views | Published 2022-01 | Watch on YouTube
Speaker: Emily Muraguri
Category: Career
Difficulty: Intro
Style: Talk
About this talk
Emily Muraguri explores how information security professionals can effectively communicate cybersecurity risks to executive boards. Using a hospital network-segregation case study, she argues that selling security requires emotional connection, financial risk framing, and business context rather than technical jargon—emphasizing that boards care about fiduciary outcomes, brand reputation, and profit impact.
Transcript [en]

Good morning everyone. My name is Emily Muraguri, and I'm going to be taking you through how to sell cybersecurity to the board. I hope you've had a good start to the conference and you've had informative sessions during the morning sessions, or at least the talks that came before this one. So, like I've mentioned, today I'm going to be taking you through how to sell cybersecurity to the board. A little bit about myself: my name is Emily Muraguri, like I've said. I'm an information security professional with experience in web, mobile and network security, penetration testing, user awareness and IT audit. Currently I work with a local bank in Nairobi, Kenya, so that's what I do as my day job. In addition to that, I like teaching robotics to children, so during the weekends, or at least when I'm free, I also teach robotics to children using the FIRST LEGO League, and I'm also a judge in the same competition.

So without any further ado, I think let's get into the topic of the day, because we have a lot to cover and unpack during the session. So what we will do during the session: we'll have an introduction to the topic, we'll do a case study to help us understand more on the pointers that we are going to learn during the session, and lastly we are going to conclude the session.

So, an introduction. We are going to look at what is a board and what is its key role in the information security sector of any organization or any business. So what is the board? The board sits on top of an organization and it's responsible for knowing and overseeing everything in the company. The board knows the operation, the ins and outs of any company and how the company operates, and the key risks that are threatening the overall success of a company. So the board is responsible for overseeing the overall success of a company and also identifying the key threats to any company. A major risk in any organization at the moment, right now, is the cybersecurity risk: be it a bank, be it a hospital, be it a school, because of the data that they carry, it is threatened by the cybersecurity risk. So like any other strategy in an organization, cybersecurity should take a top-down approach. What do I mean by that? The strategy of an organization or a business should be driven by the board of directors; they're the ones who give the directive on the direction that the company should take. Like any other strategy, the cybersecurity strategy should be driven by the board, such that it has a top-down approach. It should be driven by the board and the top-level management; it cannot come from a junior employee and go up. It should come from the board and be trickled down to medium-level managers and the junior employees, and so on and so forth.

So, a case study. XYZ Hospital has been in operation for two years now and has a fully fledged corporate network. The hospital also has an open Wi-Fi that gets used while visiting the hospital. There is no way yet to separate the corporate network, that is the servers, the databases that carry the customer or client information, from what the guests can access from their Wi-Fi. Having identified the risk, the CISO requires board approval to acquire a network access control system to segregate the two networks: that's the corporate network, which carries the servers, the databases, the data of the organization, and the Wi-Fi that the customers or the clients that come to the hospital use, maybe to browse the network or download documents. So how should the CISO go about it? This is what we will use to analyze and bring out the concept of how to sell cybersecurity to the board. So I'm just going to allow like 30 seconds for you to read through the case study and internalize it. So maybe I can go through it again: XYZ Hospital has been in operation for two years now and has a fully fledged corporate network. The hospital has an open Wi-Fi that gets used while visiting the hospital. There is no way yet to separate the corporate network and the network which the customers or the clients use to access the internet, sorry, while visiting the hospital. The CISO has identified this as a key risk. I'm sure we all know why this is a key risk, if the public Wi-Fi that the customers use to access the internet can also be used to access internal resources. So the CISO has identified this risk and requires board approval to acquire a network access control tool to segregate the two networks. So how should they go about it?

So, a few pointers that we will cover. The first thing is empathy and emotional connection; do not ever underestimate the power of these two. The second thing is cyber risk, and not cybersecurity, and risk calculus. The other thing is permission to decide. The other thing is context, always a business perspective; you should always give context to the things that you cover. The other thing is lead and teach. The other thing is a framework. The other thing is business objectives. So these are the things that we are going to cover during the session.

So on to my first point of empathy and emotional connection. The first thing is, it is easy, it's very easy, to lose human connection. We are talking about malware risk, ransomware and network security; when you get into the technical jargon it's very easy for you to forget that you're actually talking to humans and that you should actually connect on a human-to-human level with them. You should make a human connection and take the customer's perspective. Our audience does not care about maps or charts or cybersecurity statistics. You should always keep in mind that you're talking to the topmost management level of an organization; all they want to know is what is the impact of the cybersecurity risk to my organization. They care about the risk and the impact associated if the risk is actually actualized. By concentrating only on the data, metrics, graphs, you see all this presentation that we usually carry when we are presenting our cases to the board, you will miss the unconscious and very human element of the decision-making process, that is, the feelings. Your audience is only interested in how you will make their world a better place for them to live in, that is, if the board is only interested in making the organization a profitable organization or a successful one. And if you put across the point that, for instance, if customer data is accessed from the public Wi-Fi it might lead to financial penalties, the board is more often than not likely to pay attention to you when you capture that aspect of the presentation.

Your audience only speaks finance, with an emphasis on profit and loss, risk and reward. As a result, your story needs to be relatable to the audience, that is, driven by either fear or gain, or it uses actual risk expressed in monetary terms, especially to communicate the future state of the world if they choose, for instance, not to acquire their network access control system, and if they choose to actually acquire it. You cannot reach the audience with data that expresses risks in terms of low, high, medium. You have to actually connect with them on a personal level and tell them, for instance: if we do not have a network access control system our client data might be breached and we might be subject to penalties, as we have infringed some of the laws, like for instance the GDPR law.

The other thing is personal brand personality. In marketing, opinions are important because they convey a sense of urgency about your story; without an opinion there's no passion. Opinions challenge prospects to think the way you want them to think about why you are selling them this idea and not that. So you need to give a back story of why we need to acquire the network access control system. Instead of getting the board to sign off an additional spend because it will do this and that and will prevent future malware attacks, get them to sign off an investment in the future of the company, an investment that will increase the company's brand credibility through customer safety and lead to increased revenue, customer loyalty and profit. So the board, I'm sorry to say this, but more often than not it cares about how much money I'm making, how is my company looking from the outside view, how are my customers viewing me. So while presenting the case you should always make sure that you also give a connection to all those things. If customer information is breached, of course that will have a very adverse effect on the said company, and so there is need to acquire that network access control system. So when you put across that point in that manner, instead of just giving the technical jargon to the board of directors, you're more often than not going to get the message across to them.

So you are the CISO, and thus credentials establish your authority, but authority by itself is not enough. Refocusing the conversation on the fiduciary outcome instead of threat vectors and the vulnerability landscape will improve your credibility as well. So I hope we are together on that. Your brand personality needs to insist, through your actions, communications and demeanor, that you are all about the risk in the organization and that your pitch is designed to accommodate their needs and not yours. So you should always have the interest of the company at hand; don't just be throwing technical jargon around. Have the strategy of the business in mind also, as the strategy of the business is what will drive the cybersecurity strategy of any organization.

The other thing is cyber risk, not cybersecurity, and also you should calculate the risk calculus. So when presenting your case to the board you should always have cyber risk in mind, not cybersecurity. I know it's very tempting, especially from the tech side, it's very tempting for you to put across the point using very many technical things that the board might not understand. Have this in mind: the board is the driver or overseer of the business strategy, so the audience is used to making risk decisions based on the financial impact to the business. Like now, for instance, if you tell them, if we are exposed as a company and in one way or another our customer data is accessed by a customer, for instance, and they're not supposed to access that data, we might be fined, let's say, 10 million dollars. You see, if you put across that point in that way, now the board will say, huh, this thing is actually worth investing in, as it's a risk to my company, as it might decrease my profit, it might have a detrimental value to my company brand. So your audience does not know what to do with a position that begins with theories, characterized by low, medium and high probability events, but the audience does know what to do with a case study that involves an incident that occurred due to not taking appropriate measures on a similar issue. So while doing your research you should also have a case study of a similar event that occurred and the repercussions that it took. There are so many events that have occurred, recently and in the past, of cybersecurity breaches and the impact that they had on organizations or businesses, so it would be wise if you came with such a case study to present to the board.

So the other thing is you should give the board the permission to decide. So once you've presented the case, you've come up with a case study that has the financial implications, and that has been heard, you should give the board the permission to decide. So the story that you've given them uses terms that the board and the C-level buyers can understand and relate to; from the case study that you have presented, they will be able to see the value in actually investing in the system or in the software that you want to acquire. So in addition to this, the story will also strike two important emotional drivers, that is, one, fear, and safety. So when you present the case, the board will see the need, as they can see that this is something that has actually happened and these are the consequences of what happened when, for instance, this network access control tool was not bought and customer data was able to be accessed by an external party.

The other thing is always have context: give the board context and always a business perspective. When you're thinking about your story, keep in mind your audience. Delivering a technical view of cyber risk will completely confuse the business-centric board, so you should always wear your business hat while presenting the case to your board. You should start your pitch by introducing risk from the business perspective, e.g., we hold very confidential medical records and unauthorized access to them could have financial implications; it is critical that we separate the two networks immediately. So when you start with that rationale, the board is more likely to listen to you, as they can contextualize the risk that is at hand and they can contextualize the impact that will occur if the risk is actually actualized.

So the other thing that the CISO should do while presenting cybersecurity to the board is to teach and to lead. Remember, you're the technical, quote-unquote, person here; you're the person who's tasked with providing direction on matters of cybersecurity in any organization or business. So your job is to get the board to recognize and acknowledge the realities of today's threat landscape. So they need to understand that they need to separate the two networks, so you should explain to them that they need to separate what is accessible from the internal network and what is accessible from what we are giving our customers. So teaching your board about these threats and the associated risk provides them useful insight to better govern the organization and further publishes your credentials as a proactive and helpful member of the team. So don't you ever forget that the work of the CISO is to provide direction on matters of cybersecurity. So you should always give the board an understanding of why you want, for instance, to acquire a network access control tool; you know that is a cost, and more often than not the cybersecurity team is always looked at as a cost center. So you should always aim to teach the board on why you require a certain tool or a certain software.

So the other thing is to have a framework on which you are basing your case. So most CISOs are comfortable with frameworks, which is good, because we are suggesting one that will work effectively for your board communication. So if your presentations are framed within a model of cyber risk that is familiar to your board, they will have a much better chance of being heard. This model structures four attributes of cyber risk, with an attacker at its core. Probability: what is the probability that someone using the public Wi-Fi that we have provided for them will be able to access the customers' records? Susceptibility: what is our susceptibility to that risk, are we susceptible to that risk? Severity: what is the impact if the risk actually occurs? And urgency: how fast do we need to actually actualize this network access control tool? So while presenting your case to the board you should keep in mind these four aspects: the probability that it will actually occur, how susceptible we are to this actual risk, how severe it will be if this risk is actually actualized, and how urgent it is for us to incur the cost to, for instance, like in our case study, acquire the network access control tool.

The other thing is always have the business objectives in mind. There is this debate we always have: should the business strategy drive the cybersecurity strategy, or should the cybersecurity strategy drive the business strategy? From my own assessment, I think we should all look at the business strategy, and it is what should drive the cybersecurity strategy. So technology may be where a cyber threat begins and how it will be mitigated, but the business impact is what matters. So at the end of the day, as much as we are technical people, the business strategy should be what is guiding us. So if, for instance, we want to be PCI DSS compliant and we still have this risk in our environment, there is no way that this business objective can be met. So while presenting the case to the board you should also have in mind the business objective and the business strategy. So where is the business heading? Is acquisition of this tool going to also drive the business strategy? So as you address each audience you might tailor your story to integrate their business objectives. So if you're talking to the board, for instance, you should always have in mind what the board is expecting from the business; if you're talking to management about what you're trying to acquire, you should always have the objectives of the management for the business in mind when presenting your case.

The other thing is the conclusion. So moving away from the perception of being just a cost center who is constantly getting in the way of progress is actually easier than it sounds. So more often than not, in many organizations you will find that cybersecurity teams are always viewed as cost centers or "no" departments, so we should always strive to move away from that perception in any business. So it starts with your ability to begin framing cybersecurity challenges in a cyber risk context in line with business objectives. So when you are able to measurably impact the business through helping your organization define its risk appetite, and by identifying alternate paths to mitigation in a language and models that are understandable to your board and the entire C-suite, you will finally be seen as a certified and participating peer member of the executive tribe. So I think it's high time that we, people or organizations, turn around the notion that they have that cybersecurity teams are always cost centers and they are always derailing the business strategy or the business objectives. So when you put across your point as mitigating the risks that occur in the business and also driving the business strategy, I think we will turn around and we will have an effective way of communicating cybersecurity to the board. So thank you for your time. I hope it was an informative session. You can always reach me on LinkedIn through my LinkedIn handle, which is Emily Muraguri. So thank you and have a good day. I hope you learn a lot from this training. Thank you.
