#SecuringEnterprise: Talking Risk to Boards

Written by

In a panel focused on securing the enterprise at a conference by the same name hosted by MIT CSAIL and BT Security, moderator Michael Siegel, principal research scientist, management science at MIT Sloan School of Management, talked with panel members about whether their organizations are secure.

“Rather than going out and doing some big review, we started with red teams,” said CIO and CSO of the Commonwealth of Massachusetts, Dennis McDermitt. “That was a revelatory experience. We continue to do them over and over again. We have done eight of them now, and that has really informed our answer to the question of whether we are secure or not.”

As a practitioner and vendor in the space, Debby Briggs, CSO, NETSCOUT, said, “I’m relatively secure, but it gets back to how do you quantify that. Sometimes it’s a challenge from a security perspective when you look at people, process and technology to determine how to have one message that meets everyone’s needs.”

In response to Briggs, Siegel posed to the panel the question of how to approach quantifying whether the organization is secure with the board. "I often find myself in the boardroom,” said Kathy Orner, VP, chief risk officer at Carlson Wagonlit Travel. “The number-one thing with board of directors is to educate them. Security is new to them, and the acronyms we use are foreign to them, even something like an IP address. 

“We bring in experts from the outside and inside and give them briefings. I would encourage boards to listen, to speak to the experts in their group, and to really try to understand the basics,” said Orner.

So what is the information that goes to the boards? McDermitt said the conversation needs to change. “Security is not a problem of risk transfer. Cybersecurity is akin to competition in a business. Cybersecurity is attack and defense, attack and defense, and it’s something they need to pursue actively.”

Yet some boards are having more risk-based conversations around cybersecurity. “The boards I have worked with are capable of seeing that it is a spectrum, so you can talk about how much risk are you willing to take. It’s an uncomfortable decision, but once you’ve had that conversation, it gets easier,” said Andrew Stanley, CISO, Mars.

What’s hot on Infosecurity Magazine?