#CLOUDSEC2016: Key Questions CEOs Should be Asking About Cybersecurity

In a keynote panel discussion at CLOUDSEC in London on September 6 2016, a panel of experts discussed C-level engagement in cybersecurity

One of the most effective ways to engage the board in cybersecurity discussion is to present benchmarking, advised Darren Argyle, global CISO at Markit. “They’re always interested in benchmarking against competitors, so it’s a good conversation to have. They don’t want to be spending too much or too less. You need to demonstrate the value of your investments.”

The panel agreed that CEOs are now asking the right questions. According to Argyle, CEOs are “more informed than you’d expect. They totally get it.” In fact, CEOs are now wanting to drill down into the next level of detail. “We need to be better informed about how to communicate with them at their level in business terms,” Argyle stated. “Boards change, executives change, you just have to keep it relevant and keep a risk-aware culture.”

Troels Oerting, global CISO at Barclays, attributes the growing C-level interest to regulation and personal liability. “It needs to be understood, however, that you can outsource work, but not responsibility.” With this in mind, Oerting recommended testing and re-testing your suppliers and their services.

“There is a great temptation to outsource because there is a lack of understanding that you can’t outsource accountability. But that’s not the case - you can outsource everything but accountability,” added Rik Ferguson, VP security research at Trend Micro.

Ferguson argued that although Boards “get it”, they sometimes don’t get how mature the business model is in organized crime. They need to be careful, he said, not to under-estimate the adversary.

Ferguson believes that attitudes in board rooms have changed. “This is demonstrated by organizations like Barclays hiring people like Troels [Oerting]. A few years ago, these kind of hires weren’t happening.”

That’s not all that has changed, agreed the panel.

“Security used to be an after-thought, but now it’s built in to everything we do,” said Michael Wignall, national technology officer at Microsoft. “But, the user is still the highest risk-factor, and it’s our responsibility to educate our customers.”

Targeting that educational message appropriately is ultimately the key to successfully imparting that message, added Ferguson. Taking it one step further, Ferguson suggested “it’s about time you start sandboxing your employees.”

In conclusion, Oerting said that “Any road to a successful technical future leads through security. We build security by design, so we can skip the penetration testing in some areas” he said controversially. “Invest in intelligence not about what’s hitting you now, but what will hit you in the future.”