Leveraging board governance for cybersecurity

Chris Sienko: Hello and welcome to another episode of The Cyber Work with Infosec Podcast. Each week I sit down with a different industry thought leader to discuss the latest cybersecurity trends and how those trends are affecting the work of infosec professionals, as well as tips for those trying to break in or move up the ladder in the cybersecurity industry.

Today on the show we have a repeat guest, Michael Figueroa, president and executive director of the Advanced Cybersecurity Center, or ACSC. Spoke with us previously about the ACSC collaborative defense simulation. If you missed it, I highly encourage you to go back and check it out. It was a great episode. This episode, Michael and I are going to talk about the importance of leveraging board governance for cybersecurity initiatives.

Michael Figueroa, CISSP, brings to the ACSC a diverse cybersecurity background serving at times as an executive technology strategist, chief architect, product manager and disruptive technology champion. His past work has spanned the broad security spectrum as an enterprise security architect. Figueroa managed teams securing large scale systems integration efforts for several US government agencies, including the Department of Defense, Homeland Security and Veterans Affairs. Figueroa is a graduate of the Massachusetts Institute of Technology in brain and cognitive sciences and from the George Washington University in forensic science concentrating on high tech crime investigations.

Michael, thank you for joining us again.

Michael Figueroa: Oh, thanks for having me again, Chris. It's a pleasure to speak with you.

Chris: Yeah, absolutely. This is going to be fun. So last time we talked about the ACSC defense simulation in which multiple organizations came together to collaborate their skills and techniques in case of catastrophic attacks and how that can provide more security and safety for the entire community.

So today's topic is more concerning, but in a different way. You noted in your report that in 2014, one third of North American firms did not have a chief information strategy officer or CSO and that the US government did not appoint its first CSO until 2016. As of 2018, many companies still don't have CSOs or acknowledge their importance and the folly of considering this position is anything but indispensable these days obviously. So why are so many organizations still unaware of the imperative need for strong unified security planning?

Michael: Well, I think that a lot of it comes back down to just not understanding how we manage security from a strategic perspective. And so when you look at a typical business person, a typical business person is handling business risk all the time. And when they look at cybersecurity, they don't necessarily see it as an executive level risk area that needs to be managed. They generally will see it unfortunately as maybe just an IT area where even when you have a security director, a lot of times you might have a director of cyber security or something like that, they're reporting to the CIO, or maybe in some cases they're reporting to, say, the CFO for protecting financial records, that sort of thing.

So businesses just haven't seen that elevate to the strategic level in a lot of cases of that secured program. I mean, we're seeing it across the board. It's not just business, but I know for example, Maryland just announced this week, I believe, that they were hiring their first chief information security officer and they're only one of a handful of states that have a dedicated chief information security officer. So I think what we're seeing is we're seeing the trend moving up, but understanding the strategic aspects of cybersecurity and how you manage to those aspects is still something that's kind of a mystery to most organizations.

Chris: Yeah, yeah. I guess maybe is there an aspect where the head of the company thinks, "Well, it's just another risk that I have to deal with," and so they think either, "I'll deal with it," or like you said, "It's an IT issue," or something like that?

Michael: It's a great question, Chris. I would tend to look at it based on the findings from our leveraging board governance report. The way that we are hearing about the problem is number one, it could be a shared responsibility. And I think in what you might consider more advanced organizations that don't have CSOs, generally security is an executive responsibility, but it might be the responsibility of the CIO, for example.

But then in less and maybe smaller enterprises, smaller organizations, I don't know if it's so much the CEO who's taking responsibility for security versus what I hear are organizations that don't have that sort of security specialization or expertise on staff are overwhelmed by the problem of security and they're so overwhelmed that they just figure, "Well, I'll just keep operating my business and I'll see how it goes. And if I need help, I'll call someone."

Chris: Right, right. Yeah, wait until after it's too late. I'm looking at my next question here and I think I kind of got the perspective a little bit wrong, so I'll have you clarify. But what actually happened in this meeting between ACSC members, CSOs and CIOs representing organizations from a range of sectors along with four outside experts. It said that you shared perspectives that painted a common picture of board engagement focused around board management relationships. So that was more of a survey thing? It wasn't actually a meeting where you all [crosstalk 00:05:20]. Okay, so tell me about what that was about.

Michael: So really the basis of this, we talked about last time, Chris, our collaborative defense simulation, which was based on findings from our collaborative defense report that we published a year ago looking at what are security executives seeing as the big gap areas in the way that they're managing their security programs. And exercise was one of those areas, really exercise around how they engage with the resources of their counterparts at other organizations like business partners, et cetera.

What the other side of those findings were is that they lacked proper guidance as far as from a board level perspective, how do they engage with their boards and how do they communicate appropriately to their boards? Well, one of the things that we've seen probably over the past couple of years, there are a number of organizations out there who are studying the problem, but we tend to get sort of condemned into this cycle of infographics. I've heard CSOs tell me, for example, that a board member will come to them and say, "Why are you asking for more budget when you already need the budget range that's listed in this report from major analysts?" And it lacks the infographics, lack the context of how the CSO is actually practicing their craft within the business. In large enterprises, large enterprises may have multiple CSOs that are handling different kinds of business responsibilities within the security domain. So those infographics don't really say a lot.

What we were aiming to do is get more of that experiential understanding of how the CSOs are really engaging with their leadership teams and engaging with the governance function at the board level to really go to what our mission is at the Advanced Cybersecurity Center of understanding the effective practices that people are using today and understanding what practices have they tried that didn't work and being able to leverage that as sort of an opportunity to build a stronger capability, in this case at the executive level in managing a security program for an organization.

Chris: Now, can you tell me a little bit, were there any sort of compelling hypotheticals or real situations that some of the CSOs and CIOs shared with you that make for a good story or was it just more of a general concept?

Michael: The range of conversations that we had through those interviews and subsequent conversations that I've had with CSOs from that has really been interesting from a research-oriented perspective, because while we can see some trends, the experiences are so across the board that really one of the things that strikes me most is we really don't have a good idea of what it is to be a CSO. I was a CSO 10 years ago and the role has changed a lot over the course of 10 years, but still it's catered to the organization and what the organization's business is.

I just mentioned one CSO who was talking about that engagement with a board member regarding infographics and budget. Another CSO who we talked to was talking about how the nature of his business is, the board is changing all of the time, and so a lot of his time is spent just doing basic level setting with the board members of what a security program is meant to do versus engaging the board members on strategic decision making regarding the evolution of the security program.

I've talked to other CSOs as well who find that they don't talk to their boards at all. They don't have that level of engagement where you end up hearing things like ... I'm lucky if I get 15 minutes in front of the whole board each year. And I might get a half an hour each quarter with a given committee on the board for large organizations. So really the diversity of experiences actually tells us a lot about the maturity of the profession and it gives us some really good indications as to where are some of the places that we can build improvement.

Chris: Okay. Yeah. And I'm sure the board would be happy to give you more than 15 minutes if something went catastrophic wrong. One of those deals. Having absorbed some of these warnings and hypotheticals, obviously you've put together this report and these recommendations. For an organization that has been neglecting its digital cybersecurity strategy, what would be the first step? I'm guessing rushing off and just hiring any old CSO is a bad place to start. What is the sort of groundwork, the preliminary evaluations and action steps that a company would need to do to start getting caught up?

Michael: Chris, I think that there's a couple things and the first step really is for us in the community to sort of demystify what it is to be secure. We throw around terms like cyber-hygiene fairly promiscuously these days and we said similar things 20 years ago when I first came into the security industry. We need to understand security is done from a business risk oriented perspective and we need to begin to start communicating what the minimum needs are that organizations need. We like to call it minimally viable security, a phrase that I've stolen from a good friend of mine, Michael Sentara Angelo.

The minimum viable security is an important concept in trying to understand what is the baseline level of protection that your organization needs to protect your business or mission objectives? A lot of times we'll go in with the sense that we need to do an assessment and find out so we can help you identify what your security needs are. I don't think that a CEO who's overwhelmed with even the concept of security needs somebody coming in telling him or her all the problems that they have. They know they have problems. That's why they're asking, right? Let's start focusing first on what is their business and how do we best protect that business.

But from the organization's perspective itself, I think the first thing to do, security people will generally say, "Inventory your assets," right? But we know even in a big enterprise, we can't inventory our assets. So let's not focus so much on the ideal, but let's focus on what assets are the ones that are most critical to your business function? And for most organizations, for example, that's going to be financial. It's going to be bank accounts. It's going to be making sure that people get paid and that you're able to collect money, right? Because you want to keep your business. Well, then that's where we should really start and the organization should start by asking questions as to what can they do to protect their money flow, their cash flow and make sure that somebody is not going to come along and be in a position to steal it. So that's the company side.

For companies that have boards and they may not have a security executive on staff, then there's a board responsibility and the board responsibility there is to challenge the leadership team to ask them the questions, "How are you dealing with security in your area of business?" How is the CFO addressing security? How has the CEO addressing security from a business management perspective, the CEO from an operations-oriented perspective? And start there. Asking the questions will do a lot for being able to identify where the critical gaps are pretty quickly and really puts you on the path to being able to solve those gaps.

Chris: Yeah, so that perfectly transitions into my next question here. Obviously we've made it clear that it's not just about hiring a CIO or CSO and assuming they'll take care of it. The report calls for building your board cyber expertise. As you say, a board should have a baseline knowledgeable digital strategies and cybersecurity challenges in order to fulfill the role of risk oversight and governance. So you were just saying having each of these sort of board level, C-suite level people having some stake in the game, but what are some steps one can do to make your board more cyber seasoned both with planning and day to day operations? Where do we start in educating them?

Michael: Sure. I think that in the report, the CSOs who we had interviewed had come up with some really good suggestions. And one of the things that the report emphasized, which is really disputing some findings that we've seen in other places lately, is that the CSOs don't think it's important for the board to hire a security executive to join the board. We're seeing a big movement to do that. But what the CSOs were concerned about is they're concerned that that then puts too much governing authority in one person on the board who may have their own bias or it doesn't practice that diversity of thought that you want in governance from a board to have one person where all the board's going to go look at that one person and say, "Oh, well that's a cyber thing, so so-and-so is handling that."

But instead, one of the things that they're looking for is they're suggesting that the board maybe bring in a security advisor, bring in a security advisor to help sort of baseline the security information for the board, but really to help the board understand the business, how the business is impacted by security from that specific business-oriented perspective. And what that does is that starts capturing the governing responsibility of each individual member of the board and what their background is.

We don't need to, I don't think go through some significant cybersecurity training for the board versus an understanding of how security is being applied to the areas that they're most important in governing today. So that's going to take a little bit more of a high touch sort of focus until we're able to develop the executives and understanding how to govern the security executives as they start moving up. They'll start naturally filling into port positions from a business governance perspective.

Chris: Okay. That settles it in my mind a little better. I was imagining a situation where everyone on the board is taking a security plus class or something like that, but as long as they have the sort of the top level sort of concepts and why it's important, that's what you mean by board education basically?

Michael: Yeah. When you think about how a board actually functions, and a lot of us don't have very many interactions with boards, so we don't necessarily know how boards function. And when you think about what a board's function is, you really have from a business-oriented perspective, you have that sort of governance side of it and the governance side isn't the board telling the CEO or the COO what to do. The governance side is to ask questions and to be able to have the knowledge of what questions are the important questions to ask in order to challenge the leadership to really define and describe and defend their decision making.

And so when you look at it from that governance-oriented perspective, in fact the board member doesn't need to be the one who's responsible for understanding security so much as being able to probe in just the right ways that the person who owns security for that given area of the business is really being thoughtful and strategic about how they're addressing security as part of their overall risk equation. I think that that's really the movement, that's a more appropriate movement for boards to be making rather than trying to throw a bunch of security expertise on the board and hope that that's going to address it.

Chris: Okay. So in your report you noted that there's a need for "a risk standard" much like those frameworks that financial and audit risk functions have refined over the decades that would help guide decision making and operations as they relate to cyber risk management. So what are the first steps that would need to be taken to craft such a standard? Are you imagining a universal standard or that each board is sort of crafting their own standard? And has there been any work on this since the release of the report?

Michael: I think fundamentally it does need to be a broader sort of universal standard, be it something that's actually defined or something that just grows from a grassroots-oriented perspective, which generally the standards do except when there's regulatory or legal aspects to what needs to actually happen. But I think what it's really going down to is the security executives don't really have a firm understanding of what metrics are most important for measuring security to communicate to the board and the board doesn't know what metrics it needs. And so really the first step in being able to find those standards is really start coming together and collaborating in sort of research and exercises that we're doing to understand what's going to be effective at being able to give the measurement that the board needs in order to effectively serve its governance role.

And so there's been a lot of talk about measurement and metrics and what CSOs are going to use to communicate to the board. We really need to start settling on some good understanding as to what are the measurements that really do go to the connection of cybersecurity to business objectives. And it can't be something huge or vast. We start with a few simple measures that we just start to agree that these are the ways that really give us a good understanding as to what is an acceptable risk in cybersecurity versus what's an unacceptable risk and then how do we measure the progress in overcoming the unacceptable risks.

Chris: Okay. So these collaborative meetings that you've already had, are you imagining them as sort of traveling and other sort of boards around the country getting together and sort of coming up with this? I assume you're going to be sort of spearheading this or your organization is, but who do you see sort of involved in the sort of crafting of these [crosstalk 00:00:20:01]?

Michael: It's definitely an area, Chris, that I would love to be able to spearhead. We don't have the sample size to really do it effectively. And so there are really two things, two aspects here. I think that within say the market sector of a given organization through their information sharing and analysis centers, like the ISACs that govern that given sector in the United States, so financial services ISAC for example being one of the larger ones, FSISAC, but there are ISACs for most of the big major business sectors, I think it's probably going to come down to sector-specific sort of orientation of cybersecurity to governance versus what we on is more of the cross-sector community development side of it.

So I think what we can do at our level is start building more of a network effect around having the conversation and building up that sample size of what are people actually doing and what are the practices they're showing to be effective, and then working collaboratively with the rest of the information sharing ecosystem to start developing that standard. And that's really in light of if there is no other effort that goes on as far as managing that standard. And there are several standards organizations out there that very much could focus attention on this and start working on a standard because they've got the support of the major organizations who would actually abide by it. We're just not seeing a lot of consistency of direction right now.

Chris: I see. One of the focus points of The Cyber Work Podcast, which has changed a little bit since you were last here, is cybersecurity career and career strategy and so forth. One of the findings of the report, what do the findings of the report, I should say, have to tell someone or say to someone who is looking to get into the cybersecurity field either as an executive level CIO or CSO or even at a lower level? Is this surprising gap in security leadership a sign that career climbers should be planning their experience and skills around filling this leadership gap in the decades to come?

Michael: It's basically saying if you're interested in being in cyber, then just go to it and you're going to find a place somewhere in it. I think that one of the things that we focus a lot of attention on, unfortunately, as far as workforce development and cybersecurity is we focus on the technical side of cybersecurity and the technical skills that are necessary. But what our report is showing is that cybersecurity is really owned at a multidisciplinary level. It's not the CSO who owns cybersecurity. The CSO is really just the coach and the captain. The entire leadership team owns cybersecurity and has some level of ownership and association with their area of business responsibility.

So what this is basically saying is for seasoned professionals, go seek those opportunities to learn about the governance of cybersecurity, security management. There are actually a number of educational programs here in Massachusetts and New England in general that are actually focusing attention on executives, business executives, learning cybersecurity and how it relates to their business and preparing them for more of that governance-oriented role in cybersecurity.

So if you're an executive, the opportunity, cybersecurity could be your pathway to advancing to a board position, for example, in your area. When you're just getting into the space, I think what newer cybersecurity professionals should look at is the experiences that CSOs are reporting as far as being a security professional and trying to elevate from that security professional into a business executive role. The experience that the security executives are learning is that they really are coalition builders. They need to learn how to not just communicate effectively across leadership teams, They need to learn how to build coalitions, build partnerships and building partnerships at a business level perspective takes a lot of compromise, give and take, negotiation. Those are all skills that unfortunately we just don't learn as security people.

And a lot of times we're looking at CSOs who are just crashing into the executive suite because the board decides they need a CSO and they're like, "Oh, well the salary's right. I'll go ahead and be a CSO," and then they find themselves, they want to get their hands dirty, right? They want to go to their comfort zone of fixing things. And what they're not attuned to is, how do you fix the business?

Chris: Yeah. Yeah. No, you have to become the ideas person rather than the nut and bolt person.

Michael: Yeah. Hack the business processes the way you used to hack the code.

Chris: Right, right.

Michael: It's taking that mentality. At that professional level, at that more lower level professional, seeking those opportunities to actually engage with people, to actually deal with confrontation and deal with conflict, joining a Toastmasters or joining your local chapter of some business group or something like that, looking for those opportunities where you can work on translating your security understanding, your security knowledge to the business that you're working in will pay dividends in the future as you're moving up the executive ladder.

Chris: Okay. So thinking a few levels down within the company, if you see your board or you realize that they don't really have a security posture, is this something that as a lower level employee that you can try to petition the board with? How could you make the case to maybe your supervisor or the president of the company or the company board even that the findings of this report applied to them as well?

Michael: Being an influencer is a long and grueling-

Chris: Disappointing sometimes.

Michael: Every opportunity is an educational opportunity whether you crash or burn or you succeed wildly, right, which I think most of us who have been security executives or our security executives, we've had plenty of both. I think that one thing that lower level folks need to understand is ... One of the analogies I used to use a lot when I was working with big teams who are seeing these problems is I would tell my team, "Okay, each of you give me your top three problems you see." And then I would say, "Now imagine that my manager is asking me for my top three problems," and then their manager and so on and so forth, until you get to the top where they're asking, "What are your top three problems?" And all of a sudden all these dozens and dozens or hundreds of problems end up getting distilled into three problems, right?

Understanding that from a security-oriented perspective what you think is going to be a sky is falling event, when it trickles all the way up, how much do you really think it's going to be a sky is falling event? Report it, advocate for it. And if it doesn't move up the ladder, that next rung of the ladder, and you think it really should, then assess what you did wrong in communicating it. You're not communicating it at the right language. If it truly is that big of an issue, you're not communicating it in a way that's being appreciated at the upper levels, right?

But I'll say from experience, Chris, chances are it's a problem that is being accepted. Business is about accepting risk. Most of what business is is accepting risk. And so being able to at least put visibility to it has done your due diligence and then leverage your experiences in influencing to move up to that next rung so you're the one who's making those decisions.

Chris: Okay. Yeah, that's true. Yeah. The sky is always falling somewhere. So assuming the board takes these recommendations seriously and decides to begin to ramp up the company's security strategy, what should be the first steps, just in a practical nuts and bolts way, what should be the initial actions between say a newly hired security executive and the board and also what steps should be implemented in advance to prevent poor follow through if they say, "Well, we've got a CSO. I guess we're fine now"?

Michael: I think that it's the ongoing communications. Security executives, I tend to find, especially newer security executives, the security executives who are retiring out right now of industry were generally business executives who ended up inheriting security roles. Now we've got security executives who are moving from security positions into executive roles and they're not going to be comfortable with the level of communications that are needed.

And so I think that the first step is really building that honest understanding as to what do the communication flows look like. I would start with incident response planning. That's probably where the proactive approach is most necessarily needed is incident response planning, understanding who's in charge of response, understanding who's going to be communicating about the response, who's representing the organization, who's making decisions, when and where, how are you even going to contact people?

Starting from that step and then working your way backwards from there will help you have a bunch better understanding as to how cybersecurity is aligning to business risk, and it's through that process that you'll actually start to get a better understanding as to what are the assets you actually need to be protecting or you need to enhance protections for now.

Chris: Okay. So as we start ramping up for this episode, what do you think that this push towards more across the board risk strategy for organizations and more push towards security literacy for boards will mean for people trying now to break into the cybersecurity industry? Can you speculate on how it might grow or change the needs of the overall cybersecurity workforce?

Michael: Gosh, that is an excellent question, Chris. And if I think about it, I think that it can only improve what it means to be in cybersecurity and it will improve our ability to get the resources we need to do the efforts that we have and this and that. But I think that one of the implicit benefits of it will be we're going to start seeing many more, let's call them cyber native professionals, business professionals moving up in organizations because we're going to make cybersecurity a much more natural sort of thought process in all business people's minds just by virtue of the fact that the questions are being asked.

Chris: It's going to be kind of as natural as it's necessary to have computer literacy. There was times when executives, your secretary printed out your emails for you. You'd assume that you need to know computers. Maybe you think in the future, maybe it's going to be assumed that you need to know some aspect of security.

Michael: Yeah. Right now everyone needs to understand how to use a word processing program, right? 20 years ago, that wasn't the case. Everyone needs to know how to use a spreadsheet, especially in security. We use spreadsheets all the time in security and PowerPoint, slides, slideware. those are all basic skills that everyone needs to know. We all have those sort of that native business execution capability.

Michael: I think that security is going to become one of those native things. We're not talking about really advanced stuff. You're still going to have your Excel black belts who can go under the covers and just move pivot tables like crazy in ways that nobody else can understand or what have you. You're always going to have your advanced publishers who are going to be doing a whole lot more than what Google Docs is able to do, but it's going to be the same thing in security. We're going to start seeing the roles differentiate. We're going to start seeing a lot more specialization where we need specialization, but we're also going to have a lot better common understanding, baseline understanding of cybersecurity and how we're interacting with it in our day to day sort of business efforts.

Chris: Okay, so if our listeners want to learn more about the findings of the report or download a copy for them ourselves, where can they go?

Michael: They can go to our website, and we have a blog site that talks about the leveraging board governance for cybersecurity report and so if they go to ACSCenter.org, and I believe right now it's right at the top, at least right at the top of our blog site. So you can just click on blogging and access the report.

Chris: Michael Figueroa, thank you so much for joining me today.

Michael: Great. It was great to be here, Chris. I always appreciate the chat.

Chris: My pleasure and thank you all also for listening and watching. If you enjoyed today's video, you can find many more on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your favorite podcast catcher. See the current promotional offers available for podcast listeners and to learn more about our Infosec Pro live bootcamps, Infosec Skills On Demand Training Library and Infosec IQ Security Awareness And Training Platform, go to InfosecInstitute.com/podcast or click the link in the description below. Thanks once again to Michael Figueroa and thank you all for watching and listening. We'll speak to you next week.