Boardroom Conversations on Security is an ongoing series on how to discuss and present cyber security concerns to your board. It comes from an extended conversation between Enrique Salem, Investor at Bain Capital, and Erkang Zheng, CEO of JupiterOne. For your convenience, the entire series is available as a single download.
"Erkang, there might be a bit of trepidation when you are going to talk to the board about security because you've got to talk in the language of the board, not in the language of a technician."
We're at a bit of a slight advantage at JupiterOne for a few reasons. The first is, we're a security company. I was a former CISO. We also have a very strong CISO on staff. Our board members, like Enrique, Latha, the CISO of Uber, and Anders Ranum from Sapphire Ventures, have a great understanding of security, technologies, risks and business operations along those skill lines related to cybersecurity. For me that actually has been pretty easy. There isn't a struggle to discuss security related topics. That isn't the same for every other company out there.
A lot of those challenges that Enrique mentioned, and the recommendations, are for general organizations that may not be in this situation. I've been in large organizations and small organizations, startups and companies of my own, and I still find security doesn't get discussed as much as we'd like. For you and me, Enrique, I would think that because of our background and understanding, we would be more proactive in bringing up security related topics. Do you still see that type of dynamic?
Yes. The thing I've seen a lot is that security in some companies is always getting a small slot in the discussion. Sometimes I've even seen it get skipped. From my vantage point, I really believe, Erkang, you and I have a unique situation because we can actually talk about the technology at a fairly deep level.
The other thing I would ask is, “How do you collect the information you want to share with the board in a way that's actually not a different process than what you use every day for running your business?” If you do lots of work for a discussion with the board that isn't part of how you're running the operations with the security leadership team at a scaled company, you're doing extra work and you're probably not communicating the right level of information.
Don't create some new artifact to show people, “Here is how things are working.” You show them how you run your own business.
That's exactly right. That is very practical advice. I think everybody should take away this: show the actual work being done. Show the operations. Show the actual strategy of the things being done in down-to-earth, plain discussions. Be direct with what's working, what's not working, connecting back to the business risk. Talk to the level the board understands.
The other thing I would say is it's okay to ask the board's help because the board gets a chance to interact with the CEO. You can explicitly say, "Hey, look, our CEO definitely talks about security, but I think it would be good if he would emphasize..." Or, "Here are things that the CEO can do." You're not throwing them under the bus, you're saying, "Security is an important topic. He, or she, has said it's important, but here are some things they could do."
It can be simple things. It's sometimes the CEO, in an all-hands meeting, making a comment about the importance of security and that she is expecting that security is not this ghetto of people off in the corner working on security. It's everybody at the company's responsibility to look out for the company.
Statements can come from the leader of the company that really help people understand, "It's all of our jobs to think about security." Get the board to help you by getting messages to the CEO. The CEOs will often listen to the security team directly, but the board can always slowly reinforce that with the leader of the company.
That's a great point. To really make security meaningful, it has to be a company-wide topic. It's not just, "How do we talk to the board?" It is, "How do we shape the company's culture to have security be part of it?" If we do that, it comes more naturally as part of the board conversations on what you need the company focused on.
We focus on the top line, bottom line, the sales and the marketing. Those are the things that we place emphasis on at the all-hands and the annual kickoffs. If we put a similar emphasis on security throughout the day-to-day operations, then it will come across in board conversations, and we will have the right metrics to show.
We, at JupiterOne, have the right level of discussions. I'll give you an example. We actually do a bi-weekly company round table with everyone. We will have varying topics to discuss. Security has a voice. I will always ask Sounil Yu, my CISO, "What do you have to add on the security side of things? What are we doing for FedRAMP? What are we doing for SOC 2? Give everybody an update."
It is not just some little project that security is working on their own. Get everybody to understand what's going on and participate in helping the security of the company overall.
About Enrique Salem
Enrique Salem was the president and CEO of software company Symantec from 2009 until 2012, and was a member of Barack Obama’s U.S. President's Management Advisory Board. Enrique joined Bain Capital Ventures in 2014, where he focuses on infrastructure software and services with a specialization in cybersecurity.
About Erkang Zheng
Erkang Zheng is a hands-on leader in cybersecurity. He is an engineer by trade and an entrepreneur at heart. Before starting JupiterOne, Erkang was CISO, Privacy Officer, at GM LifeOmic Security. In August of 2021, Erkang was selected as one of The Top 25 Cybersecurity CEOs of 2021 by The Software Report.
Posted By Mark Miller
Mark Miller speaks and writes extensively on DevSecOps and Cybersecurity. He has published 9 books, including "Modern Cybersecurity: Tales from the Near-Distant Future", and the popular "Epic Failures in DevSecOps" series.
Mark actively participates in the DevSecOps and cybersecurity communities by producing DevSecOps tracks at security conferences such as RSA Conference, InfoSec Europe, CD Summit, AppSec USA and AppSec EU. He is the former Senior Director of Editorial Strategy and Content at JupiterOne.
As well, Mark is Executive Producer of the OWASP Podcast Series (500K+ listens), and the Executive Editor of the LinkedIn DevOps Group (125K+ members).