We Need More FUD: CISOs Should Not Adopt the Board's Language


Every close-knit community evolves its own language. Over the last century company boards have created a special language of their own.

It's laced with its own jargon: internal rate of return, net present value, GAAP and non-GAAP, and the ever-popular EBITDA. A technologist sitting in on a board meeting will feel like the new kid in the classroom. He/she will be reluctant to chime in for fear of not knowing the lingo.

For over two decades, I have heard security pundits exhort CISOs to “learn to speak the business language.” Yet, here we are, twenty years later and boards are still woefully ignorant of the threats against their organizations posed by attackers.

One of the primary culprits is risk-management-speak. Distil everything down to scores and risk metrics. This is the language the board supposedly understands.

They are old wise men (the “old” and “men” part literally, the “wise” part maybe) who carefully weigh risks and make the right choices based on data and balancing risks.

If you think that’s how boards actually work, you have not attended many board meetings. Board members make decisions based on emotions derived from past experiences, just like every human does.

It’s the CISO’s job, first and foremost, to protect the organization from cyber attacks that lead to breaches, loss of critical data and reputation. Part of that job is extracting the required resources from the C-suite and the board. If the CISO shows up with PowerPoint slides and risk metrics, they are going to fail.

Have you ever watched from the outside as a company makes a seemingly crazy bet? Remember Symantec betting the farm on acquiring Veritas? Or Intel acquiring McAfee? Or Google inexplicably buying Mandiant? These were multi-billion dollar gambles made on emotions.

Often it is the fear of losing out (FOMO). Other times there is a backstory that involves the CEO’s bonus.

So don’t show up to a board meeting with your risk management slide deck. Your goal should be to evoke emotions.

Of the three motivational emotions—fear, uncertainty, and doubt—fear is the strongest. How can you instil fear to get what you need? Easy, through education. It’s a good thing that most CISOs are good educators.

Here are two examples of how this could work:

1. Brief the board on the latest attack methodology.

Take SolarWinds as an example. Walk them through how a Russian spy agency (the SVR) infiltrated the software development process at SolarWinds to weaponize its product and distribute it to 18,000 customers.

Support your story with NotPetya, an equally sophisticated attack, run by Russian military intelligence (the GRU), that started at a small software company in Ukraine and cost the likes of Maersk, Merck, FedEx, and Cadbury’s billions of dollars. Go ahead and get into the weeds.

Describe EternalBlue and the vulnerability in the Windows Server Message Block (SMB) protocol. Demonstrate the command of your own lingo.

Induce fear by pointing out that there is no defence against an attack on your software supply chain. Every day the operations team is blindly installing software updates and patches.

2. Report on the attack teams that targeted you in the past week alone.

It may be a ransomware gang or even the SVR, GRU, or another APT group. Show where in the MITRE D3FEND framework you detected them and how close you came to being pwned before you stopped them.

Do this and instead of the CFO asking how much additional cyber insurance they should get, they will meekly ask if you have the resources to fend off the next attack. You will walk out of the board room armed with their support to continue the battle.

This article was taken from the Stiennon Substack blog. Read more at stiennon.substack.com
