
Your Board Deck Sucks!: Why you can't get buy-in for your security program

BSides KC · 2023 · 28:46 · 51 views · Published 2023-10
Speaker: Walt Powell (Lead Field CISO)
About this talk
CISOs often fail to secure board buy-in and budget because they present security in technical terms rather than business language. This talk provides a framework for translating security programs into financial metrics, risk quantification approaches, and compelling narratives that boards understand. Covers business fundamentals, loss exceedance techniques, storytelling, and practical board-deck templates that connect security spending to risk reduction in dollars.
Original YouTube description

Increasingly, boards are looking to better understand how cyber risk impacts their business and are looking to CISOs to provide that context. However, many CISOs don't possess the skills to effectively translate security into business language. This session will provide actionable guidance and shareable slideware for creating compelling stories around securely enabling business through risk reduction. This session will begin with the thesis statement that earning buy-in and budget for a security program in a private-sector company requires a security leader to articulate the value of their program in the same terms the company uses to define the value of its other business goals. We will explore the fundamentals of business that would typically be found in an MBA program. We'll take a moment to understand balance sheets, cash flow, valuations, EBIT, etc. I will provide a sample CFO discussion track for determining a company's financial goals, whether they are IPO/valuation, growth (organic or M&A), share price, etc. Then we will explore ways that cyber security programs can be structured to align with each of those different sets of business goals. After the business-language lexicon has been established we will pivot into an explanation of risk quantification techniques. I will provide a talk track to help facilitate board- and executive-level risk tolerance and appetite conversations and discuss how to determine risk exceedance. We will explore some of the common risk quantification approaches including FAIR, Hubbard, LECs, Monte Carlo, etc. Using the idea of loss exceedance, I will illustrate how to use that information to create and populate executive-facing Key Risk Indicators. The next section will transition into the art of storytelling. The key to any good presentation is a compelling story.
I will introduce the ideas of BLUF (bottom line up front), story basics, i.e. clearly defining the beginning, middle, and ending, how to create a story arc with characters, setting, sequence of events, conflict, climax, and resolution, plus making your "ask" clear. We will look at the S.U.C.C.E.S. framework and discuss the importance of making an emotional connection. The session will end with a look at PowerPoint decks, discussing best practices for length and content and exploring some examples of ineffective templates to discuss why they fall short. We will then share and walk through a template based on the session guidance to discuss building a repeatable format that illustrates the correlation between security budget and the cost to buy down the business' risk exposure. The deck also provides a storytelling format for past accomplishments and future goals, along with a methodology to replace traditional risk scorecards or lists of NIST control risk findings with loss exceedance data that business leaders can use to make well-informed decisions.
Transcript [en]

Thanks for coming. Sorry, I'm between you and lunch, and I'm going to talk about boring business stuff, so we'll try and keep it lively a little bit. My name is Walt Powell. My title is Lead Field CISO, so I'm a recovering CISO who leads a team of recovering CISOs who talk to CISOs about their problems, because we got tired of having real responsibilities and thought it would be more fun to talk to people about their problems. As part of that we talk to dozens and dozens of CISOs and we've seen how programs work well and how programs work poorly, and as part of that I've seen lots and lots of board decks

and lots of ways that CISOs present their programs to the business, and most of them do it very poorly. Do we have anybody in here who leads a security program? Anybody actually have the CISO title? Yeah. Of you who have the CISO title, any of you actually get to report to the board? This is the problem. Any of you have somebody else report to the board on your behalf? Yeah. All right, this is a very, very common problem, and part of the reason for that, and that we're seen as these second-class C-levels and we don't get to report directly to the board, is because we have poor messaging.

We don't do a good job of telling our story. We're not good ambassadors for ourselves. What ends up happening: imagine if a CFO walked into the business and said, "We can't really tell you exactly what our earnings were this month in terms of dollars, but we can show you a red/yellow/green that tells you that it went up. We don't really know where all our assets are, but we kind of have a good idea where our assets might kind of be. We don't really know what's going on, but I can tell you the accounts receivable team is killing it: they did 45,000 receivables this month and they had a mean time to close of 4

hours." That's what we're doing when we're going in and telling the story, and that's a terrible story. They would get laughed out of the boardroom and they would immediately be voted out of their job, and so that's what we can't be doing. You can take a picture of this slide and then you can go to lunch, because this is the whole thing. If you want to stick around and figure out how to do this, then we'll talk about that a little bit, but this is the whole thing: we need to understand what the boards and the directors and the executives need from us, we need to be able to tell the story in terms of dollars, we need to be

good translators of our security terms into business terms, message that in the terms of an actual story, and tell the right story to the right people. And that's the whole thing. So the first thing is we've got to understand who we're talking to. Businesses have these boards of directors, and who are these boards of directors? Well, they are people who represent the owners. Generally when we think of boards we're thinking of public companies, right, but that's not always the case. Boards just represent the owners: nonprofits and NGOs have these boards, private companies often have these boards, and we'll talk about a famous court case here in a minute about

a private company's board. But generally we're talking about public companies, and they are representing the shareholders, and they have a fiduciary duty to the owners, meaning they owe them a set of duties. The first is a duty of care, and the duty of care says we have to make sure that we are not letting other people come to harm that was foreseeable. The duty of loyalty says I have to act in the best interest of the company in good faith and not self-deal. The duty of obedience says I have to follow all the laws. So if I run a trucking company, for instance, even though it would be more

profitable for me to tell my drivers to speed, because we would get more stuff to more places faster, that would be breaking the law, and I can't write a policy that says you have to speed. So I owe these duties. Well, what happens if I don't? What if I just say, forget that, I'm going to do whatever I want to do? Well, the owners can sue you. If you break the law you could be held criminally liable, but the owners can sue you directly as a board member, and that's what they're trying to avoid. What they care about is upholding these duties and not getting sued personally. However, it's very hard to

make the case that you're going to get sued, because they have this business judgment rule: as long as you acted in good faith and you showed your duty of loyalty and were a person of reasonable prudence. "Reasonable" legally means a normal, reasonably intelligent adult of normal caution, but "prudence" means that you understood the risks and took them into account when you were decision-making. And that is very important, because it means you have to pay attention to the risks, you have to understand them, and you have to have paid attention to them. So these court cases are known as Caremark cases, because the first one was the Caremark company, which is the insurance company that

does pharmaceutical insurance and stuff. Now, I have them, they suck. In that first case their board sued them, and what came out of this was this idea that if you aren't keeping up your duties you can be sued directly as a board member. The next one was Blue Bell ice cream. Blue Bell ice cream kept having this situation where they were poisoning people with food poisoning because they had such terrible controls. This was a private company; the private owners sued their board because they didn't have good controls in place to keep from poisoning people, and that's where the idea of reasonableness and breach of loyalty came from. The next one was Boeing. Those planes were crashing, right?

This is where the idea of mission criticality came in: even though they have all these different lines of business, where the ice cream people just had one line of business, you have to pay attention to things that are mission critical. Then there was a case called Sorenson versus the Firemen's that said cybersecurity is mission critical, hypothetically, because that case got thrown out, and so they never actually had to hold anybody to account for cybersecurity, but hypothetically cybersecurity is mission critical. However, when SolarWinds came along they didn't hold the SolarWinds people to account, even though cybersecurity was the whole bag there. They never had any meetings in their board about cybersecurity, but they did have

it in a subcommittee, so they decided trying is good enough. However, the McDonald's case, like McDonald's hamburgers, they decided that this duty doesn't just apply to board directors; it also applies to managers and executives and stuff. They had a human resources officer who didn't take SA stuff into high enough account. So what they decided was it's really managers who are responsible for execution and it's just board directors who are accountable for oversight. The SEC came to the same conclusion, so the SEC put out these rules, and in the proposed rules they were going to make the boards have to have cybersecurity expertise, and they were going to be held to account for this, and

then they chickened out, and what they ended up with, and what they said in the final draft of the rule, was boards have oversight, executives do the execution. So our boards: vision, oversight, governance, that's what they care about, that's what they need. And then executives do the execution, so the executives have to report to the boards, tell them what's going on, and the board's job is to understand and consume that, and they have to do it on a fairly regular basis. So that's what your board is, that's what they need from you: they need to understand the risks, and you need to be able to talk to them in their language. So what is their language?

You've probably heard "align your program to the business," "speak the language of the business," but nobody ever tells you how to do that. Well, let's fix that. So there are four languages of the business: accounting, finance, economics and risk. Accounting is all that income sheet, balance sheet, cash flow statements, those types of things that are in accounting. You should be able to read those. You don't need to go get an MBA; you can go study it in 15 minutes online and figure out how to read an income sheet, it's pretty easy. Finance is valuations: what is your company worth, how is it valued, how is it valued on the stock market. It's about

projections and how we do capital allocation. Economics is all that supply and demand, inflation type of stuff. And risk: this is a place that's right in our wheelhouse, this is what we care about, and you'd think we would be really great at this, but this risk is business risk, not IT risk, and this is where folks get it wrong a lot. So the first part of this is talking in their value language, in their money language. We have to understand what determines value for your business. How is value created? How is it made? Is it for stockholders, is it for partners? Where is value delivered? Is it in the stock price, is it in creating

dividends, is it in capital appreciation, is it assets, where do we make this value go? Make your CFO your best friend and find out the answers to these questions, because you can align your program to these things and you can speak their language. It's pretty easy to do once you understand what their language is, what the things they're shooting for are. Is it about earnings per share? Is it about EBITDA? Is it about capitalized growth annually? What is it they're trying to hit? You can then help them hit it and align the thing you're doing to the thing they're talking about. If their goal is capitalized growth and you're talking about "we're hitting

45,000 vulnerabilities closed per month," they don't care about that; they care about capitalized growth. Risk: this is the place where we're supposed to be awesome at communicating. We're terrible at communicating about it, because when we go to talk to the board we're talking about risks all in the wrong way, because they have all these risks and our risk is the tiniest little part of it. They're worried about talent management, they're worried about liquidity risk, they're worried about economic risk on a global scale, they're worried about how they're going to pay dividends, they're worried about health and safety, they're worried about price competition, they're worried about all these other things, and your little IT

risk is just part of that. And when you go to the board meeting they've been listening to all these other risks all day and they're trying to figure out where they're going to invest their money, and you're just another person coming in saying "invest your money over here." But a lot of the other things they were trying to invest their money in are things that are going to make them money, and you're probably not going to make them money. So what's the case for you to go say "invest your money over here"? If you're talking about risk you should be talking about it in one of these terms, and if you're not using one

of these terms, you're probably communicating it wrong to the business, because these are business risks: financial, operational, regulatory, compliance, legal, reputational, strategic, health and safety. If you said any other term it's probably wrong. These are the risks that businesses care about. The other thing that happens a lot is folks in security confuse the ideas of risk and threat and exposure, and I see this all the time. People create a risk register and they put a bunch of stuff on the risk register that are not risks. They will say, "Okay, here's my risk register. My biggest risk is ransomware, my second biggest risk is unpatched OSes, my third biggest risk is," I don't know, fill in

some other thing. Neither one of those things are risks. Like we just said, what risks are: risks are things that cause harm, risks are things that have a probability and an impact, and we'll talk about that here in a second. You should be able to use them to make an informed decision. And the way that you treat risk is you have a handful of choices: you can avoid it, stop doing the thing that you would do to have the risk happen to you; you can transfer it to somebody else, like get insurance and have somebody else take on that risk; you can reduce it, mitigate it, you can get a control, buy a firewall or

whatever; or you can accept it and say, whatever, we're just going to take that risk on. Those are your choices. The other things are threats. A threat is the actor that could potentially cause the harm; that would be like the ransomware group. An exposure is the vulnerability that could let the threat do the thing to us, which would be like those unpatched operating systems. These are two different ideas. If you look at the way that FAIR or your ISC2 CISSP defines risk, risk is likelihood times impact, and if you look at how FAIR decomposes likelihood, likelihood is threat times vulnerability. So when I'm talking about threats or vulnerabilities

in terms of risk, I'm only telling half the story, and the half of the story that I'm leaving out is the impact. And the impact is the "so what," it's the "who cares," it's what the business gives a crap about: the impact to the business. So when I come in here and say "my risk is ransomware," I miss the whole "so what," and that's why they don't care. The other reason they don't care is because I come in here and I take these risks and I put them in this thing. You guys have probably seen this thing. This is a pretty typical risk matrix. NIST tells you to put it in a risk matrix like

this. NIST is the government; why would you not listen to the government? They tell you to do this. Well, this sucks, and let's talk about why this sucks. This is what's called ordinal, meaning in order: low, medium, high. They went with five things here: low, medium-high, medium, medium-high, medium, whatever. It still sucks. Okay, how are these things different? Because a 3x5 and a 5x5, those are the same, so are they really the same? How much different are they? What would I have to do to move a 5x5 to a 3x5? If I have 30 highs and 50 mediums and 100 lows, am I better off to

fix one high or 15 mediums? Who knows. It doesn't tell me any of that. It doesn't give me any kind of granularity, it doesn't give me any kind of accuracy, I can't do any math against this, it doesn't help me tell the story. So let's take a look at some people's real board slides. These are people's real board slides that they've shown to their real boards. I've changed the names so that we're not being totally mean to people, but I'm going to show you things that people have shown their actual boards. This one came from a big name, one of the big names that you pay millions of dollars to for advisory services,

one of those big names, like the accounting-firm big names, came up with this. They paid millions of dollars for this piece of crap. All right, so if we look at this we'll see that R1 and R4 are "very highs," right? However, they're not the highest on likelihood. One of them is the highest on impact, one of them is not. The things that are the highest on likelihood are only "highs." So why is that? Even though this one is the highest on likelihood or on impact and this one's not, they're the same. So how are they the same? What does this mean? How would I make this one be the same as that? This doesn't make any

sense. This is stupid. Also, it doesn't tell me anything about how I prioritize this or what I do about it. Additionally, they're pretty close with what's actual risk: loss or alteration of intellectual property is actually a risk, so they're on to something there at least. Let's take a look at this one, and I'm going to throw it out to you guys. This is a super common board slide; I see this all the time. This is a "good" risk register. When I show this to people, people are like, "This is awesome, give me this slide, give me this as a template." What do you think about this? What do you like,

what do you not like, anything that jumps out at you that's like "that's not cool"? Just shout it out. Yeah, that's not even my problem with it; that's probably also true. But let's start off with: are these even risks? No. Data exfiltration: not a risk. Malware: not a risk. Virus outbreak: not a risk. Exploit: not a risk. Spear phishing: not a risk. None of those things is a risk. If we look at the description, at least they start getting closer: loss of intellectual property or damage to the brand, that's almost a risk. How about when we look over here in the likelihood and impacts? Again they went ordinal: high, medium, high, medium, high,

medium, high, medium, high, medium. Are these all really the same? Is social media, like somebody posting something bad about you on social media, really the same as spear phishing? Is that really the same as a virus outbreak? Are those the same? I don't know, maybe, but if they are, how did they come up with this prioritization? Did they come up with this prioritization based on mitigation complexity? Well, if so, that's stupid too, because they've got malware, virus outbreak: how would we mitigate those? Probably some kind of endpoint EDR, EPP. I can go buy CrowdStrike; that's super easy. The first one that's the same complexity is data exfiltration: DLP and data classification and

discovery and data governance. It's the hardest thing you can do; that's a CISO resume generator. They have it the same difficulty as buying CrowdStrike. This is stupid. This is one of the worst slides I've ever seen. How about this? You see this all the time: this is how many open incidents we have, we've got our mean time to close down here, here are our risks. This leads me to my next point: stop sharing operational metrics with your board. Just don't do it. There's no reason for them to see it; they don't need to see these operational metrics. We need to be telling them the story in their terms. So KPIs versus KRIs: KPIs are performance

indicators for you to see how your program is performing. KRIs are risk indicators for you to talk about how risk is made in your business. Here's a real-world example. A company came to us and said, "Hey, we're trying to tune up our KRIs, can you help us? We took a stab at it. We had these KRIs and we turned them into these KRIs." Turns out neither one of them were KRIs. They started off with "we have a bunch of outgoing emails that are unprotected and we have a bunch of incoming emails that are full of malware," and they changed that to "we have a bunch of automated outgoing emails and auto manifest," and

they just decomposed it into crazier numbers, and then they went with the number that we blocked versus the number that we detected of incoming bad stuff. But still, who cares? These are operational metrics. They took a KPI and they made more KPIs. What they needed to do was create a KRI, and one of the easiest ways to do that is just to take your KPI and create a target: this was our goal and this is what we achieved toward our goal, and just turn it into a percentage instead of a number. We wanted to block X amount; we blocked 40% of all of the ones that came in, we blocked 60% of all of the

ones that came in. Now we're starting to get close to something that could be a business metric. Additionally, on those ones where we were sending out emails that had sensitive information in them, I can start to quantify this very easily. I can just go out and take a look at what Ponemon says is the cost per breach record, apply cost per breach record by number of records, and say, okay, we had a 40% reduction on 150,000 emails at $160 per record: I saved you $9.6 million in breach exposure. That is a KRI. Boom, I turned it into a dollar figure. "I saved you $9.6 million" versus "we blocked 150,000

bad emails," which still sounds bad. How about this slide? This was another real-world one that I was actually given as an example by a guy who was teaching CISOs how to be good CISOs. Never do this. Not only did he show all these tools, but he left ones in that he didn't intend to fill in. We don't have time to talk about it, but let's talk a little bit about what good looks like. First you've got to start by understanding the assignment. What are you there to do? You're there to educate, to inform, to explain to them what the risks are, to report to them what the business risks

are, to update them on what's happened. One of the most important things you're there to do is to instill confidence. One of the board's main jobs is to determine who the executives are and to hire and fire executives, C-level employees, so they're there to determine who's good for that job, and one of the things that you're there to do is to prove that you're the guy for the job. It's one of the main things you're there to do, so make sure that you're doing that. And then to demonstrate that you're doing your fiduciary duty and you're demonstrating your loyalty. You need to do that by telling a story. Go in and have a story arc to what

it is you're trying to explain. Understand your audience; make sure you're telling the right story to the right people, and then engaging stories that have a story path. Make sure that you have TED Talk slides: minimalist slides, super clean, on brand. Go to your marketing department, have your marketing department help you with your slides, keep them super on company brand, super clean. You saw me do this at the front: the old BLUF, stole this from the military. Tell them in the first 30 seconds what the key takeaways are, here are the things you need to care about, so when they tune out and stop listening to you after 30 seconds you've gotten across the point you need to

get across. Make sure that you're telling the right story to the right audience. The board is not who you go beg for money. The executive leadership team, or your committee, or whoever it is at budget time, that's who you go beg for money. You don't go cap in hand to your board to beg for money. Your board is who you get buy-in from, it's who you build confidence with, it's who you report the risk to. What you need to explain to the board is how I spent your money, what you got for your money, how that measures up to the expectations I set for you last time, what our current risk exposure is,

what my plan is to deal with that, what you can expect as the return on that plan, and why I made that particular decision. You need to do all of that in 15 minutes without getting sidetracked, because they're going to ask you a bunch of questions and try and take you off track. The executive management team: that's where you get budget. You need buy-in from them too. This is where you explain deeper risks and threats and how you're going to buy things down. You do a lot more decisioning about the optionality of things, but still, this is where you talk more about the whys. Yes, your board probably once a year wants to know about threats, and you

should brief them on the state of the state once a year. They're probably also going to want to know how we compare to our peers. They're probably also going to want to know what some emerging trends are, are we compliant, things like that. We can throw those things in, but there are two places to have these talks: there's the board deck and there's the book, the stuff you give them, the documents. All the technical detail should be in the documents that you give them in advance. The deck: clean, simple, 15 minutes, in and out. When they ask you crazy questions, it's in the book. Straight from the Harvard Business Review. I was on a panel with a board

director two weeks ago and she echoed these same sentiments. What board directors want is for you to tell them the metrics in dollars, and they want third-party attestation; they want assurances that someone other than you has validated what you're saying. Those are the two big things that they want. So how do we do that? We have to quantify our risk. Man, I'm so out of time. It used to be super hard, it used to be impossible to do. It's not hard anymore; you can buy it as a tool. You just go out and buy risk quantification as a tool. You don't have to do Bayesian math and crazy confidence levels and stuff

anymore; you can just go buy it as a tool. You still, however, have to have the conversation with your executives and your board about what your risk appetite is, what level of risk you want to be taking on. Zero risk is not true; businesses are about risk, that's what businesses do. Entrepreneurship is risk, right? So there is a level of risk you want. If you think about driving in your car: 70 is your target, up to about 85 you're still cool, over that you're probably not cool, there's a place where they will just yank your license immediately, and if you're doing below 45 that's risky too. Same thing in risk: where is your target?

Figure that out. Talk to your executives, talk to your board, figure out what your target is, and then when we're talking to them we can tell them, "Hey, we have an annual exposure of $144 million a year. This is our minimum exposure, our maximum exposure, this is what our tolerance is. We want to be at about $54 million, which means we're over by $84 million. Our program," yep, I'm out of time, "our program has a $4.5 million budget and buys down our risk by $60 million. Look at this enormous return on investment you get. You still have exceedance; that's what we're treating next." What a great story. Look at this return on

investment. This is how you get buy-in, this is how you explain the value of your program, this is how you get buy-in for what you want to do next. "Hey, you still have $84 million that we need to treat. How do we want to treat it? Well, we have these 14 projects, they're going to cost $6.2 million, they're going to decrease our risk by $52 million, it's going to bring us down into our tolerance range, it's going to bring us up into compliance. This is the plan." We can show them in a dashboard, and this particular dashboard, if you want it, you can grab it; I will share it with you in

the slides: how we spend your money, what you got for it, what's your risk exposure versus the target, what it means to our business, here's the external validation, here's the plan, how we intend to invest your money, what you will get, how's it going. Here is the executive version of that. When you're sticking to language, one of the other tools you can go grab that you might love: the balanced scorecard. This is a thing they're already doing; they're already talking this language. The balanced scorecard is a thing that everybody learns in their MBA: financial perspective, customer perspective, growth, operational. You can take those percentages that you couldn't turn into dollars and cents and jam them into the

balanced scorecard: "Hey, we're really great at turning in projects on time, we're really bad at M&A due diligence, we're really great at uptime, really bad at protecting customer data," in the terms you care about: taking care of our customers, taking care of our finances. In the long version of this there's a map on how exactly you do that. Here's an example of a bad one, where they missed; none of those are risks, and they said "quantitative" and then put qualitative metrics here on their red/yellow/green. Dos and don'ts, super fast. Know what you're walking into. If you can, talk to all these people in advance. Go make friends with your CEO, go make friends

with your CFO, these people are friendly, go be friends with them. Go meet your board members, find out who they are. They all have different backgrounds, came from different places, they have different knowledge and they need different things. Go meet them and talk to them. Know in advance how much time you have; I missed. Ask the board what they want, how they want the information presented, what they need. Be prepared, be professional, be concise. Stay calm: when they ask you crazy questions, stay calm, stay on track, don't let them derail you. You may be kept waiting; don't freak out. Don't complain, don't lie, don't exaggerate, don't be boring, don't

lobby, pitch, beg. Stay away from jargon, acronyms, stuff like that; they won't understand them a lot of the time. This is not a place... you've got to be careful when you say things that are political, like ESG and DEI and stuff are real big in boardrooms right now, but it's also a political third rail, so you've got to be careful when you're talking about things. Don't be extra. There was a guy that I know, a legit actual CEO, who went and bought flowers for all of the female board members. Don't do that. And be bright, be brief, be gone. Get out, don't overstay your welcome, get out, they don't want you there. That's it. I'm

going to do the same thing later. Go eat lunch. [Applause]
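The talk describes two pieces of arithmetic in words but never shows them: dollarizing a KPI into a KRI (blocked sensitive emails times a per-record breach cost) and the loss-exceedance numbers behind "annual exposure", "tolerance", "exceedance" and "our program buys down risk by $X". The block below is an added worked example written for this page, not the speaker's slideware, a vendor quantification tool, or FAIR's reference implementation. It reproduces the KRI calculation from the talk and then builds a small Monte Carlo loss exceedance curve from constructed scenarios; the scenario names, frequencies, loss sizes, sigmas, control effects, program cost and tolerance marker are all assumptions chosen to illustrate the method, not figures from the talk. Only the standard library is used.

```python
"""Added example: board-deck risk math (dollar KRI + Monte Carlo loss exceedance curve).

Every scenario, frequency, loss size, control effect and cost below is a
constructed assumption for illustration, not a number from the talk.
"""
import math
import random
from dataclasses import dataclass


def kri_breach_exposure_avoided(records_in_scope, cost_per_record, fraction_blocked):
    """Dollar KRI: records that would have leaked, priced per record (a
    Ponemon-style figure), scaled by the share the control actually stopped."""
    return records_in_scope * cost_per_record * fraction_blocked


@dataclass(frozen=True)
class Scenario:
    """One loss scenario in FAIR-like terms: how often it happens, how big it is."""
    name: str
    events_per_year: float   # expected loss-event frequency (Poisson mean)
    loss_median: float       # median loss per event, dollars
    loss_sigma: float        # lognormal sigma; larger means a fatter tail


def baseline_scenarios():
    """Constructed illustrative scenarios (assumptions, not the talk's data)."""
    return [
        Scenario("ransomware outage", 0.3, 4_000_000, 1.0),
        Scenario("customer data breach", 0.5, 2_500_000, 1.2),
        Scenario("business email compromise", 2.0, 150_000, 0.8),
    ]


def _poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    if lam <= 0:
        return 0
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(scenarios, years=20_000, seed=7):
    """Total loss for `years` independent simulated years; seeded so it is repeatable."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            for _ in range(_poisson(rng, s.events_per_year)):
                total += rng.lognormvariate(math.log(s.loss_median), s.loss_sigma)
        losses.append(total)
    return losses


def loss_exceedance(losses, thresholds):
    """LEC points: P(annual loss >= threshold) for each dollar threshold."""
    n = len(losses)
    return [(t, sum(1 for x in losses if x >= t) / n) for t in thresholds]


def expected_annual_loss(losses):
    return sum(losses) / len(losses)


def percentile(losses, q):
    """q in [0, 1]; 0.9 is the 1-in-10-year loss, a natural tolerance marker."""
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def apply_control(s, freq_mult, mag_mult):
    """A control buys risk down by cutting event frequency and/or magnitude."""
    return Scenario(s.name, s.events_per_year * freq_mult, s.loss_median * mag_mult, s.loss_sigma)


def program_summary(before, after, program_cost, tolerance):
    """The numbers a board slide needs: exposure, buy-down, return, remaining exceedance."""
    eal_before, eal_after = expected_annual_loss(before), expected_annual_loss(after)
    reduction = eal_before - eal_after
    return {
        "exposure_before": eal_before,
        "exposure_after": eal_after,
        "risk_bought_down": reduction,
        "return_per_dollar": reduction / program_cost,
        "remaining_exceedance": max(0.0, eal_after - tolerance),
    }


if __name__ == "__main__":
    base = baseline_scenarios()
    before = simulate_annual_losses(base)
    # Assumed program: EDR + tested backups halve ransomware frequency; DLP cuts breach size 40%.
    treated = [apply_control(s, 0.5, 1.0) if "ransomware" in s.name else
               apply_control(s, 1.0, 0.6) if "breach" in s.name else s for s in base]
    after = simulate_annual_losses(treated)
    print("KRI: $%.1fM breach exposure avoided" % (kri_breach_exposure_avoided(150_000, 160, 0.40) / 1e6))
    for t, p in loss_exceedance(before, [1e6, 5e6, 1e7, 2.5e7]):
        print("P(annual loss >= $%4.1fM) = %.3f" % (t / 1e6, p))
    print(program_summary(before, after, program_cost=1_500_000, tolerance=percentile(before, 0.5)))
```

The LEC is the artifact the talk says to put in front of the board instead of a heat map: each point is a dollar threshold and the probability of exceeding it in a year, so "tolerance" becomes a threshold on that curve and "exceedance" becomes the gap between the curve and it. Running the same simulation with the post-control scenarios gives the buy-down in dollars and the return per program dollar, which is the story the talk's exposure/tolerance/budget slide tells.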