Boardroom Conversations on Security is an ongoing series on how to discuss and present cyber security concerns to your board. It comes from an extended conversation between Enrique Salem, Investor at Bain Capital, and Erkang Zheng, CEO of JupiterOne. For your convenience, the entire series is available as a single download.
"Enrique, when you talk about participating in a board presentation, are there things you are expecting the presenter to cover when it comes to security?"
This is one where there's probably not a right answer, but there are a lot of things you have to think about. The first thing I always tell folks, in any presentation, is you have to know the audience. If you think about a board of directors, they are not, for the most part, cyber security experts. Many of them are sitting CEOs. Some of them have been part of accounting firms. They've been audit partners. You've got a big diversity of technical sophistication, understanding of security, and just the point of view that they bring to the table. You start by understanding that.
That ultimately means knowing the topics the board really cares about that the whole group can get their head around. Where that starts is this idea of what are the security or cyber risks to a business. What are the biggest things they, the board, need to be thinking about?
What doesn't work is a lot of charts showing red-yellow-green status reports of how we've implemented a technology. That, to me, is the thing I used to see a lot of. People have evolved to say, "Let me try and think about what are the assets of the business, what are the real things that matter? Customer data, source code, or intellectual property around a chemical formula because we're a big chemical company."
We are always trying to help our security leaders think before they come to present to the board, helping them to frame the risks to the business. Start with that. Then try to have a way of communicating the steps you are taking to protect against those risks.
I also like to see presenters comment on what they need in two dimensions, from a support perspective from the board or audit committee and from the executive team. It's not just what they need from the board, but what do they need the executive team to do.
The other thing is, what do they see from a talent perspective? They have some needs in their own group. What expertise do they need to bring in? What are the sorts of capabilities they may not have that they want to have? You have to frame it that way. Frame the risk; how can the board and leadership team help and what are some of your needs.
Lastly, what I try to communicate to people is thinking through how to communicate progress along the initiatives at a level that makes sense. You're not going to get one shot to talk to the board. The board is going to want to talk to the security team, probably at least once a year. The audit committee may want a report from security every quarter or every six months, but more frequently than the board. You get multiple chances. You have to think about how to show progress.
The biggest mistake I see is this notion of, everything is always trending in the right direction. I think you lose a little bit of credibility when you don't say, “Hey, you know what, here's where we ran into an issue. Here's the thing that we need to go deal with.”
Transparency and being very clear on what are the things that are working, what are the things that need improvement, is very important.
About Enrique Salem
Enrique Salem was the president and CEO of software company Symantec from 2009 until 2012, and was a member of Barack Obama’s U.S. President's Management Advisory Board. Enrique joined Bain Capital Ventures in 2014, where he focuses on infrastructure software and services with a specialization in cybersecurity.
About Erkang Zheng
Erkang Zheng is a hands-on leader in cybersecurity. He is an engineer by trade and an entrepreneur at heart. Before starting JupiterOne, Erkang was CISO, Privacy Officer, at GM LifeOmic Security. In August of 2021, Erkang was selected as one of The Top 25 Cybersecurity CEOs of 2021 by The Software Report.
Posted By Mark Miller
Mark Miller speaks and writes extensively on DevOps and Security, hosting panel discussions on tools and processes within the DevOps Software Supply Chain.
Mark actively participates in the DevOps/DevSecOps community by building DevSecOps tracks at security conferences such as RSA Conference, InfoSec Europe, CD Summit, AppSec USA and AppSec EU. He is the Senior Storyteller and Senior Director of Community and Content at JupiterOne.
As well, Mark is Executive Producer of the DevSecOps Podcast Series (300K+ listens), and the Executive Editor of the LinkedIn DevOps Group (124K+ members).