
As you can see, you're here to listen to the amazing talk "How to Win Over Executives and Hack the Board" with Alyssa Miller. A couple of quick housekeeping things before we begin. Number one, all our sponsors are important, but we definitely want to take a moment to thank our diamond sponsors, LastPass and Paulo, and also some of our gold sponsors: Google, Intel, BlueCat. Sponsors kind of help keep us running just as much as you, the attendees, do. Number one, please silence your cell phones. We all have cell phones and we don't want to hear yours for the next hour, so check right now, just make sure they're on vibrate or quiet. To reiterate, no photography or video unless all of the people in the picture or the video consent. All of the talks are being streamed; they're all going to be recorded, so you don't have to hold stuff up. That's about it. At the end, Alyssa will be taking some questions. Anybody who wants to ask a question, just come up to the mic, ask a reasonable question, and then sit down, and Alyssa will give a reasonable answer. With that, I'll get out of your way, and let's enjoy the talk.

[Applause]

Wow. Well, hello BSides, here we are again. It's been three years, I think, since I've been here, so this is, I mean, in person, right? Because it's been like three years since any of us have been here in person for this event. You know, I once gave a talk in an airplane hangar; I think it was quieter there. I mean, I'm glad, because it's keeping us safe, we've got the air purifiers, this is wonderful, but wow. So I'm excited to be here, really excited to see all your faces, and you know what, let's just dive right into this thing.

So we're talking about talking to the board, which I know for a lot of people maybe we don't get that opportunity. So even if you're not speaking to boards, I'm going to try to make this applicable, because really these concepts apply any time you're talking cybersecurity to someone who maybe isn't all there on the cybersecurity side of things, which makes up the vast majority of people that we're trying to talk to in most of our jobs. So I figure that that kind of fits.

So a little bit about me. First of all, that is, that's me. Did you figure that out? I mean, I don't know. First and foremost, I'm a hacker and a researcher. I'm a lifelong hacker; if you look at my bio, it says it every time. I was that kid who took my toys apart. At 12 years old, I went out, got a paper route, saved up a bunch of money, went to Best Buy, and I bought a computer, and a couple of months later I hacked into this thing that some of you might remember called Prodigy. Okay, I saw a few heads nodding; I'm not that old yet, good. I've been through a long career, but at this point now I am the chief information security officer for a company called Epiq Global. That is not the health care company, that is not the gaming company; we actually do legal services, and some cybersecurity work too. Author and a blogger: I just finally, over COVID, finished my first book, Cybersecurity Career Guide. Thank God that's done. That is a hell of a process; I don't want to do another one any time soon, let me just put it that way.

And the reason I'm here talking on this particular topic: I've been in leadership for 16 years, cybersecurity leadership. I go way back to when I was leading a penetration testing and vulnerability management program for a financial services company. I went through years in consulting work and working for a reseller and for a product company, but in that time I had the opportunity to speak to a lot of boards, and in fact in my previous role, before I joined Epiq Global, I had responsibility for reporting into eight separate boards. That sounds ridiculous, but when you understand that regulators, when you're in a highly regulated industry, they like to appoint their own advisory boards, and so you end up talking to them a lot too. So think about what that does.

Now, I mean, before I got into that role, I had spoken to... I'd been a consultant, so I was used to going into the boardroom and having those conversations, going to ELT meetings, executive leadership team meetings, and talking to executive leaders and explaining to them what was going on in their organizations and things that they needed to be aware of. But it was when I got to this particular role (I used to work at S&P Global), and I walked into my first board meeting, and it was still a little daunting, because that was the first time I was reporting to the board for my own company. And I got in there, and I spent some time in the lead-up really thinking about how I was going to present. I got in there, I presented, and I know this is maybe a little humble brag, I don't mean it that way, but we get to the end of it, and the thing I remember most about it, and what really inspired me to have this conversation and to do this talk for you all today, was one of the board members who stopped me, and he said, "You know, I think I can speak for everybody here when I say cybersecurity is the thing that keeps us up most at night, and for the first time I actually feel comfortable that we've got somebody in place who's got this in hand." Then he went on to say, "I've been on the board for seven years and that's the best presentation I've seen on this topic."

Now, that's not me bragging on me. Yeah, it's great and wonderful, and I'm really excited because my boss was there to hear it, and so that went over really well. But no, the reason I tell you that is because, as I said, that was the inspiration, because I got to think, like, wait, you've been hearing from our CISO for years; why now that a BISO, a business information security officer, is in front of you, is this the best presentation you've ever heard? And I started really paying attention to what I was hearing from peers in the industry, and I started to become aware that, you know what, we've been fighting for a long time to get to the board, right? I can remember back in those 16 years we've been talking about; there's been media articles, everything else, about how the CISOs just don't get time in front of the board, and how CISOs need to be there, we need to have more of that opportunity, and that goes for all of cybersecurity. And you know what, we're getting progress. I don't know how many of you saw this from the SEC, but the SEC is actually putting out guidance now that says cybersecurity needs to be a part of the boardroom discussion, that we need to have cybersecurity experts in the boardroom. But what I worry about when I hear comments like that from board members (by the way, board members who had to ask me what a CISO was, okay), when I hear that those presentations haven't been going so well and they haven't been getting that comfort level, it tells me we're not ready for this as cybersecurity folks in general, or at least that we have room to improve.

So that's what really inspired this, and so, as I said, I kind of took that to heart. It's important to me to analyze things like that; that's just kind of how I am, I overthink things. Anybody else in here one of those people who just kind of overthinks things? Probably most of the room, right? And so I got to thinking, and, like I said, I started really listening to what people were saying in the industry, and I realized there's a lot of really misguided things, things that I'm going to call myths. Now, I don't say that to be derogatory, but they're things that we've tried over the years, things that a lot of times, many of these sayings, have become cliché, and we've kind of accepted them as truth, but I don't think they're really true. And so I'm going to start there, and I want to really dig into some of these, because I'm sure some of you have heard these, some of you may subscribe to them, I've said them myself, so I'm not proclaiming innocence here. I'm proclaiming that I've given this a lot of thought and I think there's a better way. So let's dive into these, because I think it has to start with understanding what I believe we're doing wrong today when we get in front of the board.

So, anyone heard this? "Never let a good crisis go to waste." What does that mean to you? To me, when I talk to people, it seems to mean that, like, hey, we just had a breach or something, so the pocketbooks are open and I can spend all the money, and we approach it that way, right? I mean, I've read articles on this. We saw this with past high-profile breaches in the industry, where, you know what, hey, we had a big breach, we went out and spent a couple million dollars over the course of a year or 18 months, and then we just kind of forgot about cybersecurity and we got breached again. Shocking. But it's because we approach it like this. Now imagine you're in a breach, and imagine you go in there with this line from Mr. Mueller. Now, how many of you (and don't be shy, because I will raise my hand too) have uttered these words or something similar before: "It's not if but when." Imagine going into your board, or your executive leaders, and you say, you know what, it's not if we get breached but when, now spend two million dollars on that SIEM solution so I can make sure we don't get breached. How effective is that? Now we wonder why they don't want to give us money. And that's the kind of thing that happens: we go in there and we've had a breach, and we talk about, well, we need this, we need this, we need this, and it sets the stage that, well, we weren't doing anything, we weren't doing these things right, and so once we fix them, then we'll be secure. And that's the narrative that we build when we go in there and we take that idea of don't let a good crisis go to waste, spend all the money now. Now, there are good ways to make use of a good crisis, I'm not gonna lie, and we'll get to that, but going in there and just thinking that the crisis is your excuse to get funding, and that's how you want to drive it, there might be better ways, because, as I'll share later, I've watched two CISOs get fired for mishandling this.

So our second myth: security is a risk management function. We've heard this one before; some of you, I see a few nodding heads. Really? Do we want to minimize what we do down to risk management? Is that all we do? I mean, risk management's responsible for a lot of things. If I look at this, risk management, what plays into business risk, there's a whole lot of different things here. If I think about the brick wall that is risk management, all those various bricks, cybersecurity is one little brick in that wall. I really hope we're delivering more than just risk management, because that really kind of minimizes the value that we bring to an organization. And so when I'm in front of senior executive, board-level leaders and I say, you know what, well, I manage risk: "I've already got a risk management team that does that; you're just one little area of that, so clearly cybersecurity is just a small component. If I've only got 10 people on my risk management team, why do you need 50 for cybersecurity?" See how that logic works? That's what you're putting in it. Remember, these are people who don't do cybersecurity every day as their day job. To us, we understand why do I need 50 people when there's only 10 in risk management, but to them, when I say my job is risk management, I'm a risk management function, that's what I'm telling them: I'm just a small piece. But there's the whole other side (I hate Venn diagrams, by the way, but they tend to be useful sometimes): there's all the other stuff that we do that isn't risk management, and we'll talk more about that a little bit later too.

An offshoot: this one has come up more recently. So I hear a lot of CISOs, and I love that they talk about this, saying security's job is to enable the business. I love that. Unfortunately, when I ask them what that means, and you prod at that a little bit more, some of the answers that I'm hearing are a little less than inspiring, because, I mean, how does reducing risk enable the business? Think about this for a minute. Being in business, the actual inherent existence of being in business, carries with it risk, right? If I'm going to start a business, big or small, whatever level I'm at, there is inherently risk just to being in business; there's all those different areas of risk, which means that by virtue of being in business I have now accepted that risk as tolerable enough to stay in business. So if all that security does for me is reduce that risk that I've already said is acceptable, well, that's not very exciting. That kind of makes me question why am I spending millions of dollars on a security program every year. The other problem here is, does anybody know the four ways you can manage risk? There's four techniques for managing risk; do you know what they are? I know it's gonna be hard to hear you. I think I heard them, and they're similar to what I've got, but yeah: you can avoid the risk, you can reduce the risk, you can accept the risk, or you can transfer it, right? Now, as security practitioners, those bottom two really get us fired up. No, don't risk-accept everything, okay, but don't transfer the risk, we hate cybersecurity insurance, don't do that, that's not secure. All right, well, I could avoid it, which means I could just shut down those applications that are high risk. How many business leaders you think are going to support that idea of, hey, let's turn off that revenue-generating thing because that cost center in security says we should do that? That's not such a popular option. So you're kind of left with reduce the risk. That's our only option here; that's all we bring to the table, is that one component? Come on, we got to do more. We want to be more than just risk.

All right, my last one. I'm harping on risk because we use this a lot. Oh, I love this one the most: the language of business is risk. Walk into your boardroom sometime and see how much they talk about risk. Is the language of business really risk? What's the language of business? I see it back here, yo, it's money, people. I'm not in business because I want to manage risk. "I'm getting into business because I want to talk about risk management all day; I want to talk about how all these different threats are putting me at risk and all the horrible things that I have to be aware of every night; I'm going to be, oh my gosh, you know, these things are going to keep me up; that's so exciting, yes, I'm going to go start my business." No. We get in business to make money. The language of business is money and the avenues for how we make it. That means innovation, that means new markets, that means expanding and getting more efficient, cutting costs, all the things that are going to put more revenue at the top line and indirectly put more net income at the bottom line. That's what the board cares about, all right, because at the end of the day they're there for the shareholders; they're there to make sure that business is doing the right things to make money and to protect that money and to keep making more. Like it or not, we live in a capitalist society; that's where we're at, that's what we do, that's what business is all about.

All right, let's move away from risk, because I've beat up... there's probably some, like, risk management folks in here right now, like, "God, she just keeps harping on risk, okay, we get it." Yeah, but there is more. The board needs metrics. Now, this isn't really a myth, because it's not necessarily false; this is one of those where just our application of the concept's a little off. How many of you have seen board presentations with dashboards like this? Oh, look at all the pretty vulnerability colors, and wow, we patched all those different things, that's a pretty donut chart. Donut charts are horrible, by the way; any of my accessibility experts in here, talk to them, they'll tell you why donut charts suck. Don't use donut charts. Oh, hey, look at all that stuff we blocked with our DDoS filters. Yeah, that's exciting. You know when you find out how useless these metrics are? When the board member or your CEO or your CFO looks at you and says, "Yeah, but what does that mean?" Yeah, no kidding. These are great metrics; we in the security world know what they mean, and they're great. To anyone outside of security, this is completely without context; it is completely meaningless. It does nothing to demonstrate that we're doing the right things or that we're protecting the business. I mean, they look great, you know. "All right, yeah, we did all that stuff. Is that good or bad? What do our vendors, what do our competitors see? I don't know." Yeah, well, now your board is wondering, like, how competent are you, really? "Yeah, yeah, you gave us some pretty pictures, we like those pretty pictures, but we gotta do more." So metrics are great, and we'll come back to metrics too, because metrics can be a good thing; they are a necessary thing, but they need to be used in the right way.

This one is a little more rare in the wording, okay; I don't know that I actually hear people say this too often, but this is the approach, right? So, the board needs to understand your projects. "Hey, here's all the cool things I'm doing. I'm doing this, I'm installing this, I've got all these different vendors, we're using this and we're using this, and so we just bought this new EDR platform, but then we're going to move to XDR, and we bought this DDoS package, and, by the way, so we had to deploy micro-segmentation, and so we implemented this tool, and now we're going to move to this next-gen whatever whiz-bang military-grade whatever crazy vendor product we're going to install next." And you know what your board members are doing? They're looking at their phones. Those are the kind of board meetings I've sat through. I've watched technology people go in there and talk for a half hour about all the cool technologies, and the board members aren't even paying attention anymore. They're gone, they're out, they're done, they've seen it, they're not interested, because none of that means anything to them. When you go in there and you say, "Hey, we're deploying CrowdStrike on all of our workstations," yeah, so what does that mean? They don't know, they don't care, they don't need to know. So telling them the what, that I'm doing all of this stuff, I can throw a bunch of logos on the screen, this doesn't tell them anything. We in security, when we walk into these high-level meetings, we are there to give them the information that they need in order to make decisions. At the end of the day, when I'm going to the board, I want them to understand my view of our security posture so they can make the decisions I want them to make.

So, in the spirit of the talk, in the spirit of being out here at hacker summer camp, you know, I'm a lifelong hacker, it's what I do, it's how I think about things, so it's time to start thinking like a hacker. There's got to be a better way. I want this system, the system being my executive and board leadership, to respond to me in the ways that I would like, maybe not the ways that they're used to, maybe not the ways they're designed to. That's the reality. So now, if you read the abstract for this session today, I promised you some real-world examples. Then I changed jobs, so I can't really give you... you'll notice it's a little more redacted than I would have liked, but I can't leverage some of those things because I don't work there anymore; there's, like, intellectual property constraints there; they get kind of sensitive about that, I can't figure out why. But we're gonna go through this, and we're gonna look at this from the hacker's perspective. So put your hacker mindset on for me. You don't have to be a pen tester, you don't have to be a hacker, but just imagine looking at this problem the way a pen tester or a hacker might look at this. I want to manipulate my board, I want to win them over, I want to make them my friends, I want to make them stand up and say, "I get it. How many people do you need on your team? How many do you have now?" Let's get