
CG - How to Win Over Executives and Hack the Board

BSides Las Vegas | 53:41 | 96 views | Published 2022-09
About this talk
CG - How to Win Over Executives and Hack the Board - Alyssa Miller. Common Ground @ 14:00 - 14:55, BSidesLV 2022 - Lucky 13 - 08/09/2022
Transcript [en]

As you can see, you're here to listen to the amazing talk How to Win Over Executives and Hack the Board with Alyssa Miller. A couple of quick housekeeping things before we begin. Number one, all our sponsors are important, but we definitely want to take a moment to thank our diamond sponsors, LastPass and Paulo, and also some of our gold sponsors, Google, Intel, BlueCat. Sponsors kind of help keep us running just as much as you, the attendees, do. Number one, please silence your cell phones. We all have cell phones and we don't want to hear yours for the next hour, so check right now, I don't, you know, just make sure they're on vibrate or quiet.

To reiterate, no photography or video unless all of the people in the picture or the video consent. All of the talks are being streamed, they're all going to be recorded, you don't have to, you know, you don't have to hold stuff up. That's about it. At the end, Alyssa will be taking some questions. Anybody who wants to ask a question, just come up to the mic, ask a reasonable question and then sit down, and Alyssa will give a reasonable answer. With that, I'll get out of your way and let's enjoy the talk.

[Applause] Wow, well, hello BSides, here we are again. It's been three years, I think, since I've been here, so this is, I mean, in person, right, because it's been like three years since any of us have been here in person for this event. You know, I once gave a talk in an airplane hangar; I think it was quieter there. I mean, I'm glad, because it's keeping us safe, we've got the air purifiers, this is wonderful, but wow. So I'm excited to be here, really excited to see all your faces, and you know what, let's just dive right into this thing. So we're talking about talking to the board, which I know for a lot of people maybe

we don't get that opportunity. So even if you're not speaking to boards, I'm going to try to make this applicable, because really these concepts apply any time you're talking cyber security to someone who maybe isn't all there on the cyber security side of things, which makes up the vast majority of people that we're trying to talk to in most of our jobs. So I figure that kind of fits. So a little bit about me. First of all, that is, that's me, did you figure that out? I mean, I don't know. First and foremost, I'm a hacker and a researcher. I'm a lifelong hacker; if you look at my bio, it says it every time.

I was that kid who took my toys apart. At 12 years old I went out, got a paper route, saved up a bunch of money, went to Best Buy and I bought a computer, and a couple of months later I hacked into this thing that some of you might remember called Prodigy. Okay, I saw a few heads nodding, I'm not that old yet, good. I've been through a long career, but at this point now I am the chief information security officer for a company called Epiq Global. That is not the healthcare company, that is not the gaming company; we actually do legal services and some cyber security work too. Author and a blogger, I just finally

finished my first book, Cyber Security Career Guide. Thank God that's done, that is a hell of a process; I don't want to do another one anytime soon, let me just put it that way. And the reason I'm here talking on this particular topic: I've been in leadership for 16 years, cyber security leadership. I go way back to when I was leading a penetration testing and vulnerability management program for a financial services company. I went through years in consulting work and working for a reseller and for a product company, but you know, in that time I had the opportunity to speak to a lot of boards, and in fact in my previous role before I

joined Epiq Global, I had responsibility for reporting into eight separate boards. That sounds ridiculous, but when you understand that regulators, when you're in a highly regulated industry, they like to appoint their own advisory boards, and so you end up talking to them a lot too. So think about what that does. Now, I mean, before I got into that role, I had spoken to, I'd been a consultant, so I was used to going into the boardroom and having those conversations, going to ELT meetings, executive leadership team meetings, and talking to executive leaders and explaining to them, you know, what was going on in their organizations and things that they needed to be aware

of. But it was when I got to this particular role, I used to work at S&P Global, and you know, I walked into my first board meeting and it was still a little daunting, because that was the first time I was reporting to the board for my own company. And I got in there, and I spent some time in the lead-up really thinking about how I was going to present. I got in there, I presented, and I know this is a little, maybe it's a little humble brag, I don't mean it that way, but we get to the end of it, and the thing I remember most about it and what

really inspired me to have this conversation and to do this talk for you all today was one of the board members who stopped me, and he said, you know, I think I can speak for everybody here when I say cyber security is the thing that keeps us up most at night, and for the first time I actually feel comfortable that we've got somebody in place who's got this in hand. Then he went on to say, I've been on the board for seven years and that's the best presentation I've seen on this topic. Now that's not me bragging on me, yeah, it's great and wonderful and I'm really excited because my boss was there to hear it, and so that went

over really well. But no, the reason I tell you that is because, as I said, that was the inspiration, because I got to thinking, like, wait, you've been hearing from our CISO for years; why now that a BISO, a business information security officer, is in front of you is this the best presentation you've ever heard? And I started really paying attention to what I was hearing from peers in the industry, and I started to become aware that, you know what, we've been fighting for a long time to get to the board, right? I can remember back in those 16 years we've been talking about, there's been media articles, everything else, about how the CISOs just don't get time in front of

the board and how CISOs need to be there, we need to have more of that opportunity, and that goes for all of cyber security. And you know what, we're getting progress. I don't know how many of you saw this from the SEC, but the SEC is actually putting out guidance now that says cyber security needs to be a part of the boardroom discussion, that we need to have cyber security experts in the boardroom. But what I worry, when I hear comments like that from board members, by the way board members who had to ask me what a CISO was, okay, when I hear that, you know those presentations haven't been going so well and they haven't been getting

that comfort level. It tells me we're not ready for this as cyber security folks in general, or at least that we have room to improve. So that's what really inspired this, and so, as I said, I kind of took that to heart. It's important to me to analyze things like that; that's just kind of how I am, I overthink things. Anybody else in here one of those people who just kind of overthinks things? Probably most of the room, right? And you know, so I got to thinking, and I started, like I said, I started really listening to what people were saying in the industry, and I realized there's a lot of really

misguided things, things that I'm going to call myths. Now I don't say that to be derogatory, but they're things that we've tried over the years, things that a lot of times, many of these things have become cliché and we've kind of accepted them as truth, but I don't think they're really true. And so I'm going to start there and I want to really dig into some of these, because I'm sure some of you have heard these, some of you may subscribe to them, I've said them myself, so I'm not proclaiming innocence here. I'm proclaiming that I've given this a lot of thought and I think there's a better way. So let's dive into these, because I

think it has to start with understanding what I believe we're doing wrong today when we get in front of the board. So anyone heard this: never let a good crisis go to waste. What does that mean to you? To me, when I talk to people, it seems to mean that, like, hey, we just had a breach or something, so the pocketbooks are open and I can spend all the money, and we approach it that way, right? I mean, I've read articles on this, we saw this with past high-profile breaches in the industry, where, you know what, hey, we had a big breach, we went out, spent a couple million dollars over the course of a year or 18 months, and then we just

kind of forgot about cyber security and we got breached again. Shocking. But it's because we approach it like this. Now imagine you're in a breach and imagine you go in there with this line from Mr. Mueller. Now how many of you, and don't be shy, because I will raise my hand too, have uttered these words or something similar before: it's not if, but when. Imagine going into your board and you say, or your executive leaders, you say, you know what, it's not if we get breached but when, now spend two million dollars on that SIEM solution so I can make sure we don't get breached. How effective is that? Now we wonder why they don't want to

give us money. And that's the kind of thing that happens. We go in there and we've had a breach and we talk about, well, we need this, we need this, we need this, and it sets the stage that, well, we weren't doing anything, we weren't doing these things right, and so once we fix them then we'll be secure. And that's the narrative that we build when we go in there and we take that idea of don't let a good crisis go to waste, spend all the money now. Now there are good ways to make use of a good crisis, I'm not gonna lie, and we'll get to that, but going in there and just thinking

that the crisis is your excuse to get funding, and that's how you want to drive it, there might be better ways, because, as I'll share later, I've watched two CISOs get fired for mishandling this. So our second myth: security is a risk management function. We've heard this one before; some of you, I see a few nodding heads. Really, do we want to minimize what we do down to risk management? Is that all we do? I mean, risk management's responsible for a lot of things. If I look at this risk management, what plays into business risk, there's a whole lot of different things here. If I think about the brick wall that is risk management, all those various bricks,

cyber security is one little brick in that wall. I really hope we're delivering more than just risk management, because that really kind of minimizes the value that we bring to an organization. And so when I'm in front of senior executive, board-level leaders and I say, you know what, well, I manage risk: I've already got a risk management team that does that, you're just one little area of that, so clearly cyber security is just a small component. If I've only got 10 people on my risk management team, why do you need 50 for cyber security? See how that logic works? That's what you're putting in it. Remember, these are people who don't do

cyber security every day as their day job. To us we understand why do I need 50 people when there's only 10 in risk management, but to them, when I say my job is risk management, I'm a risk management function, that's what I'm telling them, I'm just a small piece. But there's the whole other side. I hate Venn diagrams, by the way, but they tend to be useful sometimes. There's all the other stuff that we do that isn't risk management, and we'll talk more about that a little bit later too. An offshoot, this one has come up more recently: so I hear a lot of CISOs, and I love that they talk about this, saying security's job is to enable the business.

I love that. Unfortunately, when I ask them what that means and you prod at that a little bit more, some of the answers that I'm hearing are a little less than inspiring, because, you know, I mean, how does reducing risk enable the business? Think about this for a minute. Being in business, the actual inherent existence of being in business carries with it risk, right? If I'm going to start a business, big or small, whatever level I'm at, there is inherently risk just to being in business, there's all those different areas of risk, which means that by virtue of being in business I have now accepted that risk as tolerable enough to stay in

business. So if all that security does for me is reduce that risk that I've already said is acceptable, well, that's not very exciting. That kind of makes me question why am I spending millions of dollars on a security program every year. The other problem here is, does anybody know the four ways you can manage risk? There's four techniques for managing risk. Do you know what they are? I know it's gonna be hard to hear you.

I think I heard them and they're similar to what I've got, but yeah, you can avoid the risk, you can reduce the risk, you can accept the risk or you can transfer it, right? Now as security practitioners, those bottom two really get us fired up. No, don't risk-accept everything, okay, but don't transfer the risk, we hate cyber security insurance, don't do that, that's not secure. All right, well, I could avoid it, which means I could just shut down those applications that are high risk. How many business leaders do you think are going to support that idea of, hey, let's turn off that revenue-generating thing because that cost center in security says we should do that?

That's not such a popular option. So you're kind of left with reduce the risk. That's our only option here; that's all we bring to the table, is that one component? Come on, we got to do more. We want to be more than just risk. All right, my last one, I'm harping on risk because we use this a lot. Oh, I love this one the most: the language of business is risk. Walk into your boardroom sometime and see how much they talk about risk. Is the language of business really risk? What's the language of risk? I see it back here, yo, it's money, people. I'm not in business because I want to

manage risk. I'm getting into business because I want to talk about risk management all day, I want to talk about how all these different threats are putting me at risk and all the horrible things that I have to be aware of. Every night I'm going to be, oh my gosh, you know, these things are going to keep me up, and that's so exciting, yes, I'm going to go start my business. No. We get in business to make money. The language of business is money and the avenues for how we make it. That means innovation, that means new markets, that means expanding and getting more efficient, cutting costs, all the things that are going to put more

revenue at the top line and indirectly put more net income at the bottom line. That's what the board cares about, all right, because at the end of the day they're there for the shareholders. They're there to make sure that the business is doing the right things to make money and to protect that money and to keep making more. Like it or not, we live in a capitalist society; that's where we're at, that's what we do, that's what business is all about. All right, let's move away from risk, because I've beat up, there's probably some risk management folks in here right now like, God, she just keeps harping on risk, okay, we get it. Yeah, but there is more.

The board needs metrics. Now this isn't really a myth, because it's not necessarily false; this is one of those where our application of the concept is a little off. How many of you have seen board presentations with dashboards like this? Oh, look at all the pretty vulnerability colors, and wow, we patched all those different things, that's a pretty donut chart. Donut charts are horrible, by the way; any of my accessibility experts in here, talk to them, they'll tell you why donut charts suck, don't use donut charts. Oh hey, look at all that stuff we blocked with our DDoS filters, yeah, that's exciting. You know when you find out how useless these metrics are? When the board member or your CEO or

your CFO looks at you and says, yeah, but what does that mean? Yeah, no kidding. These are great metrics; we in the security world know what they mean and they're great. To anyone outside of security this is completely without context, it is completely meaningless, it does nothing to demonstrate that we're doing the right things or that we're, you know, protecting the business. I mean, they look great, you know, all right, yeah, we did all that stuff. Is that good or bad? What do our vendors, what do our competitors see? I don't know. Yeah, well, now your board is wondering, like, how competent are you really? Yeah, yeah, you gave us some pretty pictures, we like those pretty pictures,

but we gotta do more. So metrics are great, and we'll come back to metrics too, because metrics can be a good thing, they are a necessary thing, but they need to be used in the right way. This one is a little more rare in the wording, okay, I don't know that I actually hear people say this too often, but this is the approach, right? So, the board needs to understand your projects. Hey, here's all the cool things I'm doing: I'm doing this, I'm installing this, I've got all these different vendors, we're using this and we're using this, and so we just bought this new EDR platform, but then we're going to move to XDR, and we

bought this DDoS package, and by the way, so we had to deploy micro-segmentation and so we implemented this tool, and now we're going to move to this next-gen whatever whiz-bang military-grade whatever crazy vendor product we're going to install next. And you know what your board members are doing? They're looking at their phones. Those are the kind of board meetings I've sat through. I've watched technology people go in there and talk for a half hour about all the cool technologies, and the board members aren't even paying attention anymore. They're gone, they're out, they're done, they've seen it, they're not interested, because none of that means anything to them. When you go in there and you say, hey,

we're deploying CrowdStrike on all of our workstations, yeah, so what does that mean? They don't know, they don't care, they don't need to know. So telling them the what, that I'm doing all of this stuff, I can throw a bunch of logos on the screen, this doesn't tell them anything. We in security, when we walk into these high-level meetings, we are there to give them the information that they need in order to make decisions. At the end of the day, when I'm going to the board, I want them to understand my view of our security posture so they can make the decisions I want them to make. So in the spirit of the talk,

in the spirit of being out here at hacker summer camp, you know, I'm a lifelong hacker, it's what I do, it's how I think about things, so it's time to start thinking like a hacker. There's got to be a better way. I want this system, the system being my executive and board leadership, to respond to me in the ways that I would like, maybe not the ways that they're used to, maybe not the ways they're designed to. That's the reality. So now, if you read the abstract for this session today, I promised you some real-world examples. Then I changed jobs, so I can't really give you... you'll notice it's a little more redacted than I would

have liked, but you know, I can't leverage some of those things because I don't work there anymore. There's like intellectual property constraints there; they get kind of sensitive about that, I can't figure out why. But we're gonna go through this and we're gonna look at this from the hacker's perspective. So put your hacker mindset on for me. You don't have to be a pen tester, you don't have to be a hacker, but just imagine looking at this problem the way a pen tester or a hacker might look at this. I want to manipulate my board, I want to win them over, I want to make them my friends, I want to make them stand up and say,

I get it, how many people do you need on your team, how many do you have now, let's get you more. Because that is something else I've heard from a board, and that is gold. So let's dive into this. All right, first and foremost, if you are going to any board or executive-level meeting, you need to assess the perimeter, just like you would if you were a hacker. What are you going to do? You're going to go out there, you're going to do some passive scanning, you're going to be really quiet and subtle about it. Your board is no different. Get out there, understand who it is that you're going to be talking to.

And when I say understand, don't just, you know, okay, well, that's their name, that's her bio that's on a website or something, okay, that's great. Or, hey, yeah, I know all my executives, I know who they are, or I know my senior leadership. Look at their background, where do they come from? People don't end up in board leadership positions because they're, you know, cyber security experts, or because they're oblivious to running businesses. These are people who are running businesses elsewhere. They have a perspective on things and that's something you can use to your advantage. Do they come from healthcare? If their day job is they're a CEO of a healthcare company and they serve on the

board of your company that does something completely different, use that to your advantage. They understand the concepts of privacy because they're probably inundated with HIPAA talk all the time, so use that. Maybe you're not even in a regulated industry at all, but you can use that context to talk to them and help them understand it. Do they come from financial services? Same thing. They understand PCI regulations, they understand things like the SEC, the OCC, E-I-E-I-O, we can go through them all, right, all the regulators out there. You can leverage that information. Have they worked in pharma? Maybe they understand the complexities of, you know, going through compliance, all of these different things. Understand where they come from, because when you go

in there and you understand the audience you're talking to, those are things that you're going to leverage. But you have to understand it so that you can build that plan. But it's all about understanding where they came from, because that is what's going to tell you what are they thinking. Knowing and being able to predict what your board is thinking is crucially important, because you want to plan your targets. All right, just like if I'm in a pen test, I go out there, the first thing I do is that reconnaissance, right? I kind of assess the perimeter, I figure out where do I want to go first, what looks juicy, what looks interesting,

what do I need to be prepared for, where am I probably going to find some countermeasures that I'm going to need to evade. So I start to plan my targets accordingly. Well, it's the same thing when I go in front of the board. I want to know what is it that they want to know. They don't really want to know how many, you know, denial of service attacks we blocked or how many ransomware emails we caught in our email system or how many people clicked on the phishing test. They ask those questions because that's what they hear. They hear it in the industry, they've probably seen it in their own companies, they've probably heard it from your

predecessors or your peers. And so what are they really trying to assess? Well, they just want to know, are we secure? Are we safe from being breached? Now that question in and of itself might be problematic to you; it should be, because going back to that it's not if but when, yeah, that's actually true. Nobody wants to stand up there and say, yes, we are ultimately secure and we cannot be breached. I mean, I would love to be able to say that, but you couldn't pay me enough to get me to say that. But that's what they're asking. They're looking for that comfort, to say, all right, we're doing the right things. They also want to

understand, are we spending the right money in the right places? Again, their job is to make sure the business is profitable. Whether we're talking executives, whether we're talking board members, they are there to make sure the money looks good. So if they're spending money on cyber security, they want to know that it is delivering as promised, that they're spending money in the right places, that at the end of the day they're not going to be spending more money to clean up a breach, to do all the PR work following a breach, to deal with the reputational impacts that, believe it or not, do actually impact the business. And then finally, they just want to know,

ultimately, should I be worried? What's out there that I need to be worried about? What are the things, you know, if I've got a competency, so when I trust my CISO, what's keeping them up at night, what are they worried about? [Music]

Oh my lord. We have a tradition here where the speaker is allowed to make an outrageous request and we do our best to honor it, although sometimes we honor it in evil genie fashion. We had a request for a crown and scepter suitable for the Duchess of Hackington. Would you say we have delivered? I would say you have most definitely delivered. Please take your scepter.

I appreciate it, thank you so much. I think we'll keep this for the rest of the presentation then. [Applause] You know, so for those who, I don't know if you caught it at the beginning, when you send in a CFP submission to BSides, they ask you for any outrageous, crazy, you know, requests, à la a bowl full of brown M&Ms or whatever, right, no other colors. So see, there you go, blue monkey, yeah. I threw this out and, well, I guess he delivered, so here we are, now completely sidetracked and I've completely lost my train of thought. I love it. All right, so we're talking about what the board really wants to

know. Ultimately, they want that peace of mind. You know, I shared that story with you intentionally, because that board member said, hey, you know what, cyber security is keeping us up at night, it's the thing that we're worried about, but you've given me comfort that I understand that somebody is watching out for us and they're doing the right things. And that's what your board wants to hear from you; that's what they want to hear from every leader that they talk to. When IT comes in there, they want to hear, are you doing the right things from a technology perspective to make sure that we're staying competitive? Are you doing the right things from a

risk management perspective to deal with all that different business risk, way beyond cyber security, and make sure that we're doing the right things? When the business leaders come in, are you doing the right things to address market conditions? So when they hear from cyber security, they want to know at the end of the day that we've got it in hand, that we're competent, we know what we're doing, because that's their job. Their job is oversight over the business. So keep that focus. Remember that when you walk in there, you're not there to tell them about a bunch of stats that don't mean anything. You're there to make them comfortable. You're there to make them feel like

you've got this in hand. You're also there to confidently explain to them where there are deficiencies that you need their help in getting addressed. Now I mentioned that problematic idea of, are we secure enough? You'll also run into these questions when you walk into these conversations at those levels: so, when are we done spending on cyber security, or when are we secure enough? Those are questions I've gotten; those are questions I'm sure anybody who's been in a board presentation has heard. I'm sure many of you may have even heard those from, scary enough, your own cyber security leaders. My answer is really simple: well, when, if technology stops evolving or we stop

adopting new technology and new business lines, maybe we can kick back our feet a little bit and chill on cyber security. Not really true, but the fact of the matter is technology is never going to stop. We're not going to stop innovating, because that would be the death of our company. So we need to flip that narrative. We need to manipulate the inputs we're providing to them. If they ask us for metrics and we go in and we hand them a dashboard like you saw up there earlier, we're just playing into that same narrative that allows them to think that at some point there's an end state to this. There's no end state. And if you're having a hard time

messaging this to them, just point them to that business concept. Hey, you know what, we don't stop investing in new business, we don't stop exploring new markets that we can dive into, we don't stop changing our technology footprint to take advantage of new technologies and new features that will make us more profitable. So why would we do that with cyber security? Cyber security is a part of your business too. It needs to keep evolving, keep growing and keep getting stronger, and when you put that in that context, now it makes sense, because that's something they can understand. They understand the evolution of business, how new markets are explored and how that progresses. So use that to

your advantage; that's where knowing your audience happens. Now one of the things I remember from my pen testing days, when I did this, was how often pen testers would lose sight of the big picture. Even hackers, you'd get in there and you'd find something juicy and, like, this looks really, really cool, I'm gonna dig into that, and you'd spend so much time on this one little thing that, you know, looked like it might have an exploit, maybe you finally successfully exploited it, only to find out, you know what, it didn't really get you anywhere, because you lost sight of the bigger picture. You weren't looking at the whole application or the whole network, or you weren't understanding the greater

context of what it was that you were attacking in the first place. You got so hyper-focused on the ones and zeros of what came back from your Nessus scan, or, you know, that error message you got when you dumped a tick mark into a login field and you got all excited because, whoo, SQL error, yay, SQL injection, yes, yes, yes. We do the same thing when we go in and we talk about cyber security, especially when we get in and buried in those metrics. We don't want to look at metrics on a one-off. It's great to say, yeah, you know what, we closed 4,000 critical vulnerabilities this month, hooray. So what does that mean?

I don't know. We still have, you know, 2,000 open. All right, so you're telling me you fixed 36 of them, what about the other 33?

And at the end of the day it's meaningless. Why did we have 4,000 vulnerabilities? Why did we have 6,000 vulnerabilities that needed to be remediated in the first place? Where did they come from? Is that more or less than we had last month? Well, I don't know. Well, okay, I'll go look at that, I'll get you those numbers. All right, great. Did we do more releases, did we do fewer releases, how fast are we introducing releases, and is that having a direct impact, positively or negatively, on our vulnerability counts? These are the kinds of questions they start to ask, because they're natural questions, especially for somebody who is, you know, used to the business numbers.

So they're going to ask those questions when you start to put all those numbers in front of them without context. The fact of the matter is, when you're up there and you're telling them these things, you're not up there to tell them the what. So we think about the projects, we think about our metrics, we're not there to say this is what we're doing, this is what we did. It's not about the what, it's about the why. Why did we roll out CrowdStrike or Carbon Black or vendor du jour, because I don't want to pretend like I'm endorsing somebody here, I'm really not. Why did we roll out that new MDR tool or EDR tool?

Explain to them that reasoning. See the bigger picture and tell them why. Say, "You know what, hey, I'm looking at our overall cyber security posture right now, and we're in this really reactive state, which means we're doing a lot of really good things, but it's taking away from the business, because, you know what, we're having to react. We're not being proactive, we're not ahead of the game. We've discovered vulnerabilities and then we close them, but we're not doing the right things to reduce the number of vulnerabilities, and, you know what, that's having an impact on the business. It means that our developers are spending more time fixing P1s out of their backlog than they're spending implementing new feature functionality." Now maybe you don't have to get quite that deep, but they understand that idea of innovation being slowed down because we're reactive. "I want to bring our cyber security program up to this next level. I want to make us proactive, because that's where we're sitting today, at this reactive state." Now you're starting to show them where the business value is, because, "Oh, Alyssa's telling us she's going to make the business run better by improving our maturity in our cyber security program." That starts to speak the language of business, the real language of business. All right, great, so I got in front of the board, I told them, "Hey, you know what, this is what I want to do. I want to get us from here to here, I'm going to drive all this business value." Great, but now what?

I want to make sure they invite me back, because, you know what, that happens too. CSOs get in front of the board and they bore the crap out of the board and they never get asked back, or when they do, the board is all set for them to be boring or doom and gloom, and I mean, I'm literally quoting studies and articles you can find out there if you want to go digging. That's the way the board members often think of the CSO: "My god, they're always telling me how bad everything is." So I want to give them a reason to invite me back. So if I say, "Hey, you know what, this is our current maturity, this is where I want to get to, here's the elements that are going to get us there, and here's how we're going to get there." So rather than throwing a bunch of, you know, "Here's my strategic program of 45 new initiatives that we're going to do in the next three years." Okay, how did you pick those? No, give them the road map. "Well, hey, you know what, first we're going to implement this new email security program, then we're going to do some, I don't know, take your pick, maybe security awareness training, and then on top of that we're going to do some micro-segmentation, and that's gonna move us from here to here in terms of our maturity for defending against phishing attacks that drive malware and ransomware." Malware, ransomware: they know those words, they hear those in the media. You just gave them three initiatives for them to invest in that tell them, "Hey, this is how that scary thing you're hearing about in the media, with Colonial Pipeline getting breached or whoever else, this is how I'm fixing that for you. I have a plan, this is how I'm going to get there." They're comfortable because they feel like you have it in hand. They want you to keep coming back and telling them how's that going, and they want to invest in that because you're speaking to something that they're hearing every day. Road maps are a buzzword, okay? For many of those folks out there in the cyber security world who just want to focus on the tech, when we hear "road maps" we cringe, because it is a buzzword that gets used a lot. But they are actually important. This is the context where they are important. This is what a road map needs to be.

To build off of this, I told you a story before, that there was a CSO who got, in my opinion now, this is just my opinion, I think this CSO got fired in part, in part, not alone, because he failed to embrace this when he went in to make the most of a crisis. Company gets breached. CSO had a three-year strategic program lined up, you know, he was doing all these different things, but they were all just, it was literally the laundry list of initiatives. And so when the company got breached, now they got breached, but they didn't have any real, like, material impact, as they would refer to it, because, well, you know, nothing ultimately ended up getting exposed. They caught it fairly early. You know, they had to do some things, it was a little bit impactful, but they stopped it. So what does he do? Well, never let a good crisis go to waste. He goes in front of the board and says, "Hey, here's all the things we found that we need to improve because of this crisis that we had." You know what the board asked him first thing? "How many of those items were in your strategic vision or in your strategic plan?" "Oh, none." What did you just tell the board? You spent all that money, you invested all that stuff in me and the things I told you we need to do, and none of it had any impact. Because what he didn't do is he didn't go in there and focus on the things that were positive. Well, how were you able to detect it? "Oh yeah, because, you know, that MDR tool or that EDR tool we invested in, hey, it actually alerted and we saw it quickly. You know that micro-segmentation we invested in? We were able to shut off access across the network to limit the scope of where that ransomware got to." So when we talk about, you know, not letting a good crisis go to waste, use that crisis to reinforce how the things that you have done worked, how the controls that you did have in place helped, even if ultimately you got breached and, man, you know what, they shut us down for a week. At least talk about where are those bright spots. What went well? What elements do you have in place to build on? Where was there something positive? Because otherwise, at the end of the day, you just look incompetent, and I'm convinced with this CSO that that is part of what drove him out of this organization, because you can't go in there and talk to the board like that after a high-level breach and basically tell them that nothing that you've done in the last three years in your millions-of-dollar program actually helped.

And then finally, we need to prioritize. So going back to the thing about the hacker's mindset one more time: when I'm looking at exploits, I'm prioritizing for impact. I need to do the same when I'm thinking about how I'm going to enable a business. Now, if I really actually want to enable the business, good is if I can show some cost savings. I'm implementing something that's going to save us cost, it's going to make it easier for us, we're going to be more efficient. Great. Better, though, is if I can show how my new initiative is going to let us tackle a wish list item. All right, that's wonderful, because now every IT organization, every technology organization in the world has those wish list items they can't get to. A great example of this I did in one organization. You know what, I keep talking about EDR, I don't know why, but that just keeps coming up. I'm sorry, I don't know why I'm so focused on EDR today, that's really bad. But no, we put in an EDR solution, and one of the things we looked at to justify it was, "Hey, you know, IT, what's frustrating you the most, or where are you spending most of your time, where do you see an inefficiency?" And it was rebuilding machines that were getting infected with malware. Now this was, you know, five years ago. "Well, hey, if we put this EDR solution in and we're able to block that malware, that should free up your help desk people so they're not rebuilding computers all the time and they can do other things." And indeed, they were actually able to do that. They were able to invest in a wish list item that they had for deploying virtual, I think it was AWS virtual workstations, because now they had the time to dedicate to it, because they weren't sitting there dealing with, you know, having to rebuild these physical laptops all the time, because we're blocking that. The best is if you can show them how your initiative enables a new market. "Hey, you know what, we rolled out that IAM solution, so that means that product that we're selling, yeah, we can leverage that same IAM solution so we can federate authentication to your application to the customers, so they can integrate with it with SSO. They're not dependent on us anymore. They can implement all of the things that they want to from their side, their access reviews, everything else, happens from their end. They're happy." Look, that's something new that makes your customers happy. That shows you understand the business and how your cyber security initiative can play into that. That is absolute solid gold when you go in front of anybody from the business side with a cyber security initiative.

So, last two slides. Yeah, I'm counting slides, wow. So you get invited to go present to your ELT, your executive leadership team, or the board. What do you need to do? My suggestion: three slides. If you're making a presentation for the board, don't plan on presenting more than three slides. Now you can have more slides that go into an appendix that have a bunch of metrics and other things, but focus on three slides, three things you should be giving them. Ah, I took it off the screen. Talk about what's happened, what's happened since the last time you met. Give them that update, they're all gonna want that. Then tell them where we are: these are the risks I'm seeing right now, these are the three or four top risks that I'm focused on. Almost every board and every ELT, they're going to ask you this. They want to understand what's the top risk right now. "Russia's going bonkers in Ukraine, does that matter to us?" Maybe it does, maybe it doesn't. "Ransomware, I'm hearing all about that, do we care about that?" Yes, we do. Put that in front of them. And then finally, tell them what you're going to do about it. Tell them the why, tell them the story of, "Hey, you know what, we saw this, here's what I'm worried about right now, here's what we're going to fix to make sure that that's less of a risk for us."

Finally, when you go into a board meeting, some things to be aware of. First and foremost, watch your time. Get the most important stuff that you can out as quickly as possible, because, you know what, just like Kanye, they are going to interrupt you. They are absolutely going to interrupt you, because these are people who are used to, they're moving at the speed of light, just like we all are, and they may seem rude, but it's the way that they behave. They will interrupt you in the middle of your session, so get the most important stuff in front of them. How do they interrupt you? Well, they are going to come with every question imaginable, and some of these questions are going to be wild. You're going to say, "Hey, you know what, yeah, we've been working with CISA to understand all these emerging threats and what we should be doing and, you know, what attacks are being exploited," and then they'll say something like, "Well, are you working with the NSA and DARPA on that too?" We're not a defense contractor, we're not international, so I'm not really sure that NSA and DARPA have much applicability here, but those are the kinds of questions they're going to ask, because they hear their peers talking about it. Okay, so you want to be prepared to answer those questions that sometimes are just not going to make any sense at all. You can't know every question they're going to ask, but be prepared to handle that on the fly, because they will stop you and they will ask some really interesting questions. At the end of the day, you're up there to educate them. You're there to make sure that they understand the cyber security posture of your organization so they can make decisions. Just remember this quote from Einstein: genius is making complex ideas simple. Don't go the other direction, don't make simple stuff complex. Enough of this is as complex as it is.

So, the magic slide. I always, always invite you to continue the conversation. If you've got questions, or you think I'm full of crap, tell me, in a nice way if you wouldn't mind, that'd be best, but I'm more likely to respond if you do. But please reach out to me on social media. And then finally, big, big thank you to BSides for the crown and the scepter and having me up here, I mean, this is great. Thank you to my organization for, you know, letting me be up here and talk about working for them and, you know, giving me some time to get away from all the craziness going on there. And thank you to all you for being here.

So, the big question now is: do we have any questions?

Have I ever seen a board fire a CEO because of a presentation from the CSO? Not directly. However, I have seen hard questions asked when a CSO went and made a really poor presentation, where the CEO is now getting asked, or sometimes, you know, the CTO or the CRO, depending on who that CSO reports into, they'll get some pretty hard questions. If a CEO, if a CSO walks into a board meeting and really drops the ball, yeah, I've seen hard questions come from that, and I'm sure sometimes that, you know, CEO role is just as tenuous as any other when you're in front of the board. So, yeah.

See, now we're getting ready for hot takes. Who do I think the, or who should the CSO report to? So here comes the fence-riding answer of "it depends." I think it can work in a number of ways. You know, ideally I would love to see the day where we get to CSOs reporting directly to the CEO or the CFO. Businesses aren't ready for that. It can work with the CSO reporting to the CIO. Ask me how I know. All right, you can have CIOs or CTOs who are very into this and very much appreciate it and will give the space, but that has to be a working relationship that works, and generally that works best if it's a technology-driven company. If you're in an industry that's not technology-driven, that doesn't work so well. That's where you might want to look at something like maybe reporting into risk or reporting into internal audit. Not the greatest either, because no matter where they report, honestly, other than to the CEO, there's always going to be that potential for conflict of interest. And so, yeah, there's not one magical answer. I can say I've seen it work and I've seen it fail in all particular configurations. So, you know, take that for what it's worth. I wish I had a more definitive answer, but I don't.

Last one.

What would be my advice to handle the most unexpected question? This is a lesson to learn for all of life, right? It's, "Well, that's a really good question." Start there, because that gives you a few minutes to figure out how you're gonna answer. I'll tell you the way not to answer is, "That's a really good question, are you freaking nuts?" You know, but what it does do is it gives you a second to say, or, you know, "That's a really interesting idea." You know, I mean, you want to be complimentary, but, I mean, sometimes you do just have to be direct and point out to them why it's not. You know, that DARPA question, that's actually one I fielded, okay? She asked, this board member asked me if I was working with DARPA, and I'm like, so my answer to her was, "That's an interesting idea. You know, in our space we're really not, you know, working with DoD or with the military, or, you know, we're not even a federal contractor, so, you know, we get more applicable information out of CISA than we would get out of DARPA." It's kind of the way I approached it. And so, you know, it's a way of saying, like, yeah, that's, you know, there's legitimacy, because clearly she had heard that somewhere. She had a peer who said, "You know, we work with DARPA and get all this in." "Yeah, no, we work with CISA, because they're the ones that are focused on private sector and really trying to build that relationship." So, all right, well, I think we are out of time, so thank you so much, everybody. I really appreciate it. [Applause]
