[BreachExchange] Stop Doing Five Things—and Convince Your Execs and Board to Properly Fund Cybersecurity

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 28 18:57:29 EDT 2017


http://infosecisland.com/blogview/24903-Stop-Doing-Five-Thingsand-Convince-Your-Execs-and-Board-to-Properly-Fund-Cybersecurity.html

If you want to convince your execs and board to properly fund
cybersecurity, you can start with this: Stop telling them scary stories and
using Hollywood clichés to make your case.

Hackers . . . hackers . . . hackers . . . they are everywhere. Stealing
millions from a bank. Using ransomware to force grandma to pay up or never
see the pictures of her grandkids again. Taking and selling millions of
logins and passwords on the darknet.

But why keep calling them hackers? Why not start calling them what they
really are: criminals.

To many, a hacker has become a Hollywood caricature, striking fear and awe
into minds as it conjures images of Neo from The Matrix. An unstoppable
technical adversary and Kung-Fu Master who can fly, stop bullets with his
mind, and gain instant access into any system in the world—no matter how
well secured—by simply mashing a keyboard.

It all started back in 1983 with War Games, when Matthew Broderick’s
character David accidentally hacked NORAD, thinking he’d broken into a
computer game company. Why couldn’t he just play a nice game of chess
instead of starting a Global Thermonuclear War? The movie reputedly freaked
out President Ronald Reagan enough for him to ask Gen. John W. Vessey, Jr.,
the chairman of the Joint Chiefs of Staff, if something similar could
really happen.

The answer that came back, of course, was “yes” and resulted in a
classified national security decision directive, NSDD-145, titled “National
Policy on Telecommunications and Automated Information Systems Security.”
We can only hope that the next thing they did was change the admin password
on the W.O.P.R. to something other than “Joshua” or, at the very least,
enable two-factor authentication.

While this was certainly a case study where Hollywood helped instill some
highly productive and motivating fear, uncertainty, and doubt into the
President to take action on developing and implementing cybersecurity
policy, it unfortunately became the model for how IT communicates risk to
executives.

For years to come, pocket-protected nerds with taped-up glasses would
continue to build super complex systems that only they and angst-ridden
teenage boys seemed able to operate, while corporate executives and
government officials would increasingly distance themselves from any
ability to understand what these geeks were talking about.

Subsequent hacker movies such as Sneakers, Swordfish, Hackers, and The Net
have only continued to add to the ridiculous fictional creation that is the
Hollywood hacker, making it harder for non-technical executives to take any
of this computer and Internet stuff seriously.

And that, in my opinion, is exactly how we landed in the mess we’re in
now—where we aren’t looking at the real threats posed by today’s real
hackers.

So What Else Can You Stop Doing?

#1 Stop using sensational news headlines in your presentations.

The torn-from-the-headlines slides have become so cliché that no one really
cares about them anymore. In fact, over the past few years, they’ve
progressed from shocking to mildly unnerving to boring to annoying.

A much better use for sensationalized headlines is for scenario-thinking
exercises. As part of your board meeting, executive retreat, or security
team training, take a few of these real-life stories and deconstruct them.
Imagine that the exact scenario in the news article has happened to your
organization and then role-play through exactly how you would address the
situation.

At each level of the organization, there are many lessons to be learned
from this approach. It not only helps to ground the discussion of the
problem in reality, it also engages participants in helping find solutions
and trains your teams on a process that can be used for dealing with a real
breach.

This way, the next time you need to upgrade those firewalls, the executive
leadership team and board will have a much more relevant understanding and
context of the situation and will likely be able to apply more effective
governance to the decision-making process.

#2 Stop using hacker-themed stock clipart.

There are basically only five pieces of crappy stock clipart that accompany
every presentation and article about hacking. The one with the
sinister-looking guy in the hoody, the one with the white-and-black-striped
bandit running away with the laptop, the one with the skull floating in the
Matrix-esque 1s and 0s, the one with the padlock, and a picture of anything
with HACKED in big red letters written across it.

Instead of stealing bad clipart off the Internet, you’re much better off
getting to the point and using real data specific to your organization that
supports your business case or policy-change request in infographic-like
representations. Fewer words on each page that let the visuals help tell
the story.

#4 Stop using industry jargon.

The CPA on the board can’t relate to an APT that has exploited privileged
user credentials to install rootkits on multiple endpoints and has
bypassed our IPS by encrypting command and control messaging. He can,
however, relate to the message that we need to spend $100k on a thing
called a firewall because criminals just tried to steal $20 million worth
of customer credit card data that would also expose the company to the risk
of PCI-compliance violation fines and potential class-action suits in the
tens of millions.

#5 Stop using fear. Start using reason.

If a CFO were proposing a new program to deter fraud and identity theft
that is costing the company millions of dollars in lost revenue and eroding
the trust of customers, he wouldn’t toss in a bunch of pictures and quotes
from Ocean’s Eleven or The Italian Job to spice up his board presentation.
So again, why should we in IT try to characterize our challenges in the
context of fictitious movie plots and characters?

When you present scary stories and Hollywood clichés to an executive, they
become a consumer of information much like watching a movie. An executive
can’t take action on fear or fictional references. Nor will they. They can,
however, act on a clearly articulated risk analysis accompanied by
well-conceived strategies to manage that risk.