Security leaders must “speak truth to power” more often to succeed in the boardroom, although the board needs to listen better and ask more questions related to risk, according to baroness Harding.
The former TalkTalk CEO spoke to attendees at the opening keynote of Infosecurity Europe 2018 in London this morning about her experiences in charge during the infamous breach at the UK telco.
She urged introverted security professionals to be “brave and honest” rather than “hide and be heroic” in their dealings with the board – on everything from skills shortages to incident response.
She also had strong words for board leaders everywhere, claiming “no one is asking the right questions” when faced with their organizations’ security experts.
“The vast majority of boards want to abdicate responsibility by asking their security professionals ‘are we ok?’,” she argued.
CISOs should resist such questions, or steer them towards discussions around risk, Harding urged.
For those organizations in which security and business leaders both make an effort to “lean in” to better understand each other, there are potentially great rewards.
“That’s when you do brilliant product development,” argued Harding. “The danger with cybersecurity is that it becomes taboo. I’m willing to talk about [what happened] because if we make it a taboo the bad guys have won.”
Among the most crucial areas for security leaders to focus on is advising board members on the importance of decommissioning old pieces of the IT infrastructure that could be increasing their cyber-risk, she said.
It was a legacy website which ended up costing TalkTalk dear as it suffered an SQL injection attack which resulted in a breach affecting over 100,000 customers.
Despite conducting thorough pen testing the firm’s security team did not find the vulnerability “although we should have done,” said Harding.
She also expressed regret at not having disclosed the incident to customers sooner, despite commentators at the time arguing that the firm’s confusing media statements ended up doing more harm than good.
The Met Police wanted the firm to delay its announcement to see if they could get their hands on the suspects, she said.