Effective Cybersecurity Planning Starts and Ends in the Boardroom
The Boardroom Battleground: Security Planning vs Security Compromises
It’s no secret security leaders, as well as IT leaders, have struggled to get executive board-members to prioritize security for years. A frustrating back and forth dance between both parties has left security leaders frustrated and often having to make decisions between more extensive security measures and budget restraints. A recent article in Infosecurity Magazine brought this challenge into the spotlight by revealing 40% of board members admitted cybersecurity is not a regular discussion on their agenda. This gross statistic comes three years after Cybersecurity Ventures predicted cybercrime damages will cost upwards of $6 trillion annually by 2021, increasing $3 trillion since its 2015 prediction.
So, how can security leaders convey the severity of prioritizing cybersecurity to their organizations? In this roundtable discussion, VerSprite experts weigh in on the battleground between board-members and security leaders.
Key Discussion Points in This Security Roundtable:
- Are executives pushing cybersecurity to the side?
- Should security tools be your first thought when looking to increase effectiveness inside your organization?
- The best ways to successfully implement and execute cybersecurity inside your boardroom
- The difficulties around assessing the scale of risk in cybersecurity
- CISOs and IT manager's poor communication with board members
How Security Leaders Can Get Companies to Prioritize Cybersecurity
April Brown: Hey, everyone, on behalf of VerSprite, I just want to welcome you guys to our VS Roundtable, Unfiltered Cyber. Today we are going to be talking about a really contentious topic within the cybersecurity community and it's something that you might actually have strong feelings on yourself. Today, we are going to be talking about why cybersecurity is not cared about within organizations. But before we go ahead and dive into the topic, I want to introduce everybody here on our panel today.
So today we have VerSprite's CEO, Tony UcedaVélez. We have VP of Product Security & SecOps, Greg Mosher. We have our Marketing Manager, Courtney Bramlett. And we have our Managing Consultant and GRC Practice Leader, Larry Buffington. We also have VerSprite CISO, and Senior Security Consultant, Brian Puster. And my name is April Brown, I am the Marketing Director here at VerSprite. And I am also going to be your facilitator for today's discussion.
So this whole thing stemmed from a recent article that was published in Infosecurity Magazine that highlighted a Harvard Law School poll that stated around 40% of board members for organizations admitted that cybersecurity is not a regular discussion on their agenda, even though the same amount of board members also admitted that there is a need for the technology innovation in order to run their business. And so, when you combine these, it actually creates a risk and puts these organizations at greater risk. So, I'd like to open the discussion today with Brian.
Brian, after working so closely with organizations from all industries, do you find that this trend of organizations pushing cybersecurity aside to be true outside of this academic poll?
And also, what are some of the problems associated when organizations do this?
Brian Puster: Yeah, so I have seen it in numerous organizations where security just is not as much of a priority as it should be, or there is sometimes an inability to communicate about what level of effort is associated with security, what level of investment is necessary, and how to turn it strategically. I do want to push back on a premise though of people do not care about security. I think people do care about security. I think organizations care about security, it is a matter of they do not know how much to care about security, or how much to do about it. There is there is lots of there is lots of communication gaps about, you know, what, what the organization is actually exposed to based on what vulnerabilities or threats exist.
It is, it is almost analogous to like an insurance industry, except without actuarial tables. So, we are trying to communicate about these potential outcomes and about these, these issues. And we can point to industry trends, we can point to specific examples. But you know that the data is not as robust for cybersecurity risks as it is for some other more hard data. I think it relates to the fact that, you know, exploiting cybersecurity risks is a crime and so there is a little less data about how often that happens and what goes along with it.
April Brown: Good. Thank you. Tony, I am gonna go ahead and push it over to you, and it is the same question.
Tony UcedaVélez: Yeah, no, it is a great topic. I think, you know, what's interesting about that study is that, you know, if you look at different industries, that number might fluctuate up and down, you know, if you go to banking, finance, highly regulated, you know, they see some of the impacts of non-compliance to security requirements versus like, transportation, manufacturing, or other industries where, like Brian said, I don't think there's really an executive that's going to overtly say, I don't care about cybersecurity, but they may not understand some of the points that he brought up, and especially in those latter industries that I mentioned.
So, I think that if you think about like board members, you know, they're thinking about like, things like growth, they're thinking about market share, they're thinking about, you know, cost cutting, especially in a pandemic. So, those are the main topics and the board discussion. So, if you are basically voicing cybersecurity, you really need to be able to know how to translate those cybersecurity themes discussions into business impact, and that is difficult for many cybersecurity professionals. Even at the CISO or CSO level, because they, you know, they're looking at alerts, they're looking at, you know, high level vulnerabilities or incidents that are being reported by tools. How does that really translate to some of the business goals. I opened up with market share cost reduction, you know, for many executives as well they have this perspective of well, they kind of look at it as like if there's a flood I have flood insurance, so there's a fire of fire insurance, if there's a cyber attack, I have cyber liability insurance. And so, it is a having an executive as a CISO to be able to look at that provide the net net if there were, you know, to be able to provide the net net of these threats are likely because we have these vulnerabilities that are open.
And this is the feasibility of exploitation and here is the impact. I think if you look at those four variables, you can quickly change the perspective about how executives really consider cybersecurity to be something more at the top of their minds.
April Brown: Thank you. I think that was a good point. Courtney, I am gonna go ahead and push the question to you as well.
Courtney Bramlett: Okay, I would agree both with Brian and Tony, I think it's there's definitely a disconnect between C-levels. I don't think that they're trying to push cybersecurity aside, I just don't think they truly understand what is an effective cybersecurity effort by their cybersecurity team. And I think having the CISO, which is kind of like the middleman between your security team and your C levels, I think sometimes to that they are always, I think the average turnover of a CISO is 18 to 24 months. So, every 18 to 24 months, there is a chance of someone coming in, you know, hotheaded and wanting to change all the platforms out. So, how are they going to be able to portray a message to C-levels, if every, two to three years new products are being used, new software are being used, new numbers are being displayed to the C-level suite.
So I think, from an organizational standpoint, and workflow standpoint, I think there's still a lot of work to be done on those positions and how they communicate to the C-levels in cybersecurity isn't a unique risk. It is just as important as the other risk that directors and C-levels are dealing with, on a day to day basis. So I think, really focusing on what products are being used inside of a security team, and having CISO and C-levels that have trusted, you know, talent underneath them to be managing those, those aspects. But that is from just like an organizational workflow. I think that has a lot to do with the stats that you opened up with.
April Brown : Yeah, I can definitely see that. Larry, I am gonna go ahead and move the conversation over to you. What do you think on this topic?
Larry Buffington: So, I think, so far, everybody is headed down the same path, and when it comes to companies and not caring about cybersecurity two things come to mind. The first one is “how cyber-mature are the companies that were queried?”, because a very, very mature company is going to have a different answer than a company who is not cyber-mature. And companies that are not cyber-mature, there is generally a lack of understanding of cybersecurity and a lack of understanding tends to lead to an abundance of avoidance, which looks like a lack of caring. So, you see the trend of now a lot of CISO used to, and a lot still do get reported in through the technology structure, and to the CTO or the CIO.
And that’s being moved out now, to report direct to the CEO into the board, which helps improve the understanding and lessens the lack of avoidance and gives you an appearance of more caring, when it's all boils down to not understanding leads to avoidance. So, companies are as a whole maturing, but those that are ahead of others have a better cyber maturity, maturity model. And they tend to do much better with it.
April Brown: I like that - I agree. I think it makes a huge difference where people are on their cybersecurity journey, and how much they've already kind of looked into it in the past. Greg, I am gonna go ahead and push the question over to you as well.
Greg Mosher: Okay. Yeah, I mean, I kind of echoing what the others have said. I do not believe that there is a lack of caring about cybersecurity. I think some of it is avoidance, as Larry said. But the reality is, though, is I think it really does depend on what are the drivers for the company itself, as Tony mentioned, you know, companies that are highly regulated, they have that external driver, they have that audit cycle, that they actually have to adhere to that they have somebody come in from the outside, look at their company, and they really you have to match and meet those otherwise, there's actually significant real impacts that a board can understand to the company. I think once you get outside of that, it gets a little bit tougher.
And I do not believe you know, I think part of the original premise was that maybe like, people are not carrying there seems to be less focus. I do not think there is less focus. I do not think anybody's de-prioritizing cybersecurity. I think really, what it comes down to is those that are not quite as mature right now, you know, because they don't have some sort of external apparatus is that I just don't think they really know where to start, and it goes back to what has been said here, and a lot of cases is that it can't be translated and actually brought to the business risk that the actual the board or the C-level suite can actually understand.
And so I think that's really the main gap that we're actually seeing that you know, from, from cybersecurity professionals, there's been some changes, you know, I think, in the past few years, as Larry mentioned, as far as you know, some of the different reporting structure, but I think we need to do a much better job of actually taking those risks that are out there, those risks that we know that are out there, and really getting those translated into business risk. Then I think you'll start to see maturity kind of across companies in general, not just specific industries actually start to mature. And I think we will start to make some progress.
April Brown: I like that. I think everyone here today, at least, can agree that it's not necessarily a lack of organizations don't care, but maybe they don't really understand and therefore can't act on it because they don't understand what to do with you the information they have, or the lack of information that they have.
So, Larry, I am going to go ahead and move over to you for our second discussion question and I am going to open with you. So in the same study, Harvard suggested that cybersecurity is such a large risk, because board members dismiss it due to their own lack of confidence, I think you probably touched on this in a really great way. And that it is their lack of confidence within their cyber attack mitigation efforts is what Harvard alluded to.
So, cybersecurity, I think that we've all just agreed it is not really a take it or toss it issue. Based on confidence, cybersecurity must be a discussion somewhere.
So, Larry, why do you think organizations maybe have a lack of confidence in their own security mitigation efforts? And where do you think the onus lies or the factors that contribute to that?
Larry Buffington: Some of it is related to the fact that things are growing so fast, moving so fast that tools are constantly changing. There is always a better tool coming out and companies are bouncing around trying to land on the right tool, and everything produces different results. Different results must be interpreted and it again, falls on companies that are not cyber-mature. And a lot of the people that are just starting into this, they have not adopted a framework, a methodology of dodgy of reporting the results to the board so they can understand it.
So, no matter what tool you use, you port that information into your framework so that the answers are understandable. You take the output of one tool and the output of another tool and send both those answers, they are going to look different people will understand them. So, the board, the executives all need to be able to understand the data that they are getting, they need a uniform message. And we do not have that across the board yet. Lots of good stuff coming out to do it but we are just not really 100% there yet. So, confidence happens when they do not understand first quarters report, the second quarters report because they changed the tools that they were using.
April Brown: I like that. Courtney, I am gonna post a question to you as well. What are your thoughts on this?
Courtney Bramlett: I would definitely agree with Larry, as a marketing professional and just doing some research on competitors, there are so many new products and software being developed every single day. Many organizations have multiple of these platforms across their security department so the more products that they are using, the less the visibility and ability to manage these projects.
And there is a lack of security experts in a lot of these organizations to manage and maintain these products. So again, there is that disconnect, just between your security talent, your CISO, and then your CTO. So again, they are trying to manage all of these products. There is way too many for them to get a grasp on and they are trying to report them to the board member when there is not really any proof of effectiveness for these platforms.
I think that is the biggest hole like Greg touched on earlier, you know? We are going to spend $200,000 here and it is going to increase revenue by this amount. And we can't do that in cybersecurity, it has to be, or we are not doing it in cybersecurity. I think it can be done. If you look at the average cost of a breach, the average budget that you should be spending on cybersecurity, and it's really not how much you're spending on your cybersecurity budget, it's just are you using effective tools? And you know, are you reaching out for help to assist you in creating these workflows and these frameworks like Larry spoke about inside your organization.
April Brown: Thank you. So, Larry and Courtney, you guys are both heavily talking about the tools that companies are using and how they are kind of bouncing around the tools. Greg, I am gonna pass the question off to you. Do you also think it is because of the tools that there is a lack of confidence in the mitigation efforts? Or is there something else that you think?
Greg Mosher: I mean, I think that could be a small part of it. I think really what it is, though, is it's as we alluded to earlier - it's the communication coming from the security team up to the executive management. The fact is, they're not speaking the same language. I mean, you know, executive management does not care about how many vulnerabilities were found during the last scan, right? What they want to know is does a security team have a good view of all of the risk that actually impact the business, you know? Is there a blind spot someplace there that they're missing? They need to know that are you covering all the risk? Do you then understand those risks related to the actual business impact to the business because not all risk are created equal? You can't focus on all of them, you can't deal with all of them. So, you need to prioritize and actually really focus on the risks that actually have the biggest impact. And then are they actually implementing the different mitigation strategies to basically reduce the overall risk to leave yourselves with hopefully no or even very small residuals on those risks.
And really, I think that's the challenge. I think the challenge is the way for the security professionals to be able to present that information to the board. And it is not output from tools, because as Larry said, they change all the time, right? I mean, there's new technologies, they actually have to change. And so that is really more than just the tool bag. It's kind of like whenever you're buying a house, you don't care what hammer the carpenter nailed all your studs together, you're more interested in “are they nailed correctly?”.
And so, I think that is the big challenge. So, tools can be a problem. And I think tools being presented up in their output being presented up to the C-suite, I think just is not is not going to get the job done. And I think it is going to cause further confusion.
April Brown: I love that. I love your point that cybersecurity is almost like a handyman and putting nails on something. So Tony, I am going to go ahead and ask you, do you agree with Greg? Or are you also on the camp of it is the tools.
Tony UcedaVélez: You know, definitely, I'm not on the tool camp, simply because just like with any type of practice or trade, the tool doesn't make the professional be effective at their job. I think that in the Western Hemisphere, in terms of security programs, they, especially United States, there is a lot of reliance on tools.
So, I am not as much, you know, the tools really are meant to help, but oftentimes are engineered without the proper context. I have come from tool manufacturers in the security market and can definitely attest to that. I want to focus on one thing that was in this question around confidence, because really, this this Harvard study talked about the lack of confidence from the board members in their own programs. And I would actually agree with that. I would actually agree that there is a lack of confidence because if you look at major breaches, security hacks have affected Fortune 50s and large organizations over the years. And then you have these SMBs [small businesses] and mid-caps, and maybe Fortune 500 and beyond that are thinking, well, if this major conglomerate with hundreds of security professionals and two of each tool can’t defend their castle, then we probably can't either.
So, there's definitely a fatigue there. And that's why cyber liability insurance has increase in terms of adoption tremendously. And it has been a good market for those insurance companies, for sure.
Now, I think that the reason that there's a lack of confidence does build upon some of the things that we talked about today, it does build upon the fact that there is a lot of information and many of us here today have already talked about, that there is these - I will touch upon the tool aspect - where tools are conditioning, a lot of security leaders to just simply go to that one well for information and then take it to manifest vertically up to a C suite. And that is the wrong approach. And if we just compare how controllers, you know, financial controllers, accountants’ CFOs do their work, right, they are having to do a lot of analysis.
And that is I think the main part that is missing by security leaders is the analysis. They want a tool to do the analysis for them versus them trying to take a step back and say, “what does this really mean in terms of business?”. And oftentimes security leaders get so caught up in their own vernacular that they lose the vernacular of business, you know, going back to things like business impact, market growth, cost cutting, ROI of different investments. And what businesses want to know is how is our liability going down? You know, what is we have invested X, how is our liability in terms of potential loss, how has that actually gone down? And I think that that one example, and there are many others, is foreign to a lot of security leaders, because they do not have the background.
I will also close with this, if you look at how most security leaders out there are trying to message security, they are having to lean on frameworks. And if you look at the preamble, or the dependencies of some of these frameworks, or who is involved in running a lot of these frameworks? It is security people. So, its security people building these frameworks for security people, but where is the voice of business? If you're going to have a framework to message to business individuals, right, there really should be a greater inclusion of the majority of the people that are involved in these frameworks should actually be more, you know, business people that say, “I want to understand how does the endpoint protection risk affect continuity service?” Or how does, from a monetary standpoint, how does it, you know, maybe making an analysis on reputational damage, maybe making an analysis on opportunity cost for lost market share, you know, things like that, which I just from observation is a little bit more is a lot more foreign to security leaders.
So, I think that is exactly why going back to the confidence word in that question, I think that is why there is a lot of board members that just simply are not confident in the messaging and the information that they are getting from their security leaders.
April Brown: Thank you. That is great insight. Brian, I am going to turn the same question over to you. What are your thoughts on this?
Brian Puster: So, I think the lack of confidence comes from a lack of understanding what is really being said. And it is easy to say that you know that these executives have lack of confidence but on the other hand, it's on the security professionals to translate those risks for executives, baselines, frameworks, technology, tooling, for security, that's all like technology, a moving target, it's always going to be. So, it's up to the security professionals in any organization that has a CISO, it's on the Cisco, to translate the outputs that the information from those tools and different frameworks and translate that into what the executives need to know what they need to act on and what they need to care about. And it is really important, especially in non-tech industry companies, to translate those out of tech speak into something that could not be more understood by just business leaders. Because if we are using tech speak, and assuming that people know what we are talking about, we are gonna miss the mark every time.
April Brown: Yeah, I have to completely agree with you, Brian. I definitely think that every industry has their own lingo and it is hard to understand a language you do not know.
So, I think everyone here in this panel has brought up some really great points. And while not everybody agrees on what the most defining factor is on the issue, I think that we can all agree that cybersecurity is a major risk for organizations and that every organization understands this, but they need to take their understanding into an actual resolution.
So, organizations need help understanding what the next steps are, or in some cases, even how to start taking cybersecurity seriously and start the discussions between their board members and different C-levels and management within the companies.
Tony, I am going to go ahead and start with you as our CEO for our last discussion question. I'm going to ask you about how people can take the things that we're saying in today's discussion, and how can organizations successfully either implement or actually create cybersecurity that is properly in place in a proper plan and execution plan for their companies?
How can we take everything being said today and turn it into actionable steps for organizations looking to strengthen their security posture in 2021?
Tony UcedaVélez: I'm going to say something that I've said many times in the past, it's good to look outward into frameworks and guidance and things like that for some sort of benchmarking, but now it is time to think inwardly about what the organization needs from security in order to thrive. You know, I do not think that question is talked about enough. What do we need from cybersecurity, let us look inwardly about our capabilities, our goals. Oftentimes, when you're doing security, governance, and you're building a security program, you start to look outward, let me align to this framework, you know? Let me get these tools in place to feed information that allows aligns of this framework and then you're back to just simply reporting what a lot of other security groups within organizations are doing. The fact is, it's not working. It is not working.
When I say it is not working, what is specifically not working is what is reflected by this Harvard study - the lack of confidence, right? You know, they admit that it is not a regular discussion, because a lot of it is just simply does not really align to some of the goals of what the board members are really talking about.
So, one recommendation is look inward. I think that there should be a good discussion that is both collaborative where C-levels basically say, what do we want to know about cybersecurity? What are the kind of the top things and they are gonna basically have pretty layman's terms, questions, are we protected? You know, what is our biggest threat? Things like that. And it is the security programs’ responsibility to make sure that they answer those questions and more. Like, what is our security debt? What is our security liability? How does it affect our business? How does it affect reputation? Do we have an outstanding reputational damage by our lack of security implementation? And these are more business focused questions that board members would be interested in knowing.
So, I also think that it is security leaders, and there is a lot out there that have stellar backgrounds and experiences but they need to start fresh, they need to have a fresh perspective and really being taking these high-level questions from some of their constituents in a board or C-suite level. And to be able to go back to their information sources, whether it be tools, whether it be the resources, or people that manage services and ask them “I have these questions, I want to provide these answers”. Let us do a focus group on how to actually provide the right answers. What are the activities that we do today in terms of our security disciplines, perimeter protection, endpoint protection, vulnerability, management, incident response, etc., etc., etc., that translates to answering these business-related questions so that then we can bolster the confidence?
So, in short, I think that they need to kind of flip the approach on its head, look and really understand the goals of your business, and then try to align security activities to reaching those goals.
April Brown: Thank you, Tony. So, Greg, I am gonna go ahead and pose the same question to you. What do you think organizations need in order to take actual steps from this discussion?
Greg Mosher: Okay, well, I mean, I definitely agree with what Tony was mentioning. I think the biggest part is the leadership, the C-suite and the board level, they do need to be very, very clear with their technology people, with their actual security people. Be very clear on what it is that they need. And quite frankly, that is probably an open discussion, because they don't necessarily know even that they need some outside help, they need to bring in some different SMEs [subject matter experts]. They need to understand, okay, what are the questions that we should be asking and how do we align these activities to our business goals? From an overall standpoint, I think that's kind of step number one.
Step number two, I really think it comes down to actually putting that investment in and making the focus of having an actual cybersecurity team. And that's actually what you need, whether you work with a preferred partner or whether you can do it inside.
Because of the same reason Courtney was talking about earlier, talking about the CISO and about the turnover on the CISO. So, if you have got a cybersecurity team in there that does not have the context, they do not really understand the business. They do not get time to work with those business leaders and understand how they are because all businesses are going to be unique, right? They are all going to have different challenges. If they are not, if they are only focused on the security side, and that is a lot because it changes so often, they have got to keep up with it. But they are not also well versed in the particular business itself. Basically the changing landscape of that business and the challenges of that business means they are never going to get on the same page. And so to me, I think it's not only asking those questions, but also really getting a nice stable security team in. It can actually help with that, they can actually partner - this has to be a partnership - because it is not like financial, where you can just simply throw a spreadsheet at all those guys and gals at the C suite, or at the board level, where they probably came from. They've been in business, they've been looking at models, financial models, reading spreadsheets, this entire time. They have not come from security so you have got to have that open trust. Then, once you've got a team, and it is a really a team from the C suite down to the security, working towards the same goals towards the business goals, making sure that the business is actually protected, and that you're dealing with all of the risks, then I think you actually make some headway.
April Brown: I like that. Thank you, Greg. Okay, so I am gonna go ahead and flip the question over to Larry. Larry, what do you think some actionable steps that people can take to try to either gain confidence or to take all the tips that we have given in this and start to actually execute?
Larry Buffington: I particularly like Greg's response. I think that the C-levels need to have better communication and they need to get an understanding. But they need an understanding in the language that they can grasp. The geekspeak is not going to work. Neither is moving the CISO out of the IT organization, separating that onto the under the C-levels. You know, that is the first step but you have got to have somebody in there that is going to speak a language that they understand. Once they understand, now the avoidance goes away, the lack of caring appearance goes away, communication starts, and you start having that real discussion about what does the company really need to have.
And I think Greg and Tony are both dead on that. We do not have the mash up between C-level and the security groups. The security groups are doing a great job protecting the company. But if they are protecting the company in a way that hurts business, that is not working out. You then suddenly have every 18 to 24 months a new CISO because it was not working for them. So, I really think that is, that is a very good analogy.
April Brown: I like that. Brian, I am gonna go ahead and pose the same question to you. What do you think organizations need to do in order to take this discussion and make actionable steps on their security plan?
Brian Puster: So, I am going to zoom back from that question just a little bit and talk about when organizations are building an information security program, when they're trying to get this started. The biggest indicator to me that an organization is going to be successful is whether or not they engage the security team and whether the security team engages them.
The security team has to understand the business context. They have to understand the business needs, the tools that are needed, the considerations that go into all these decisions. They cannot do that in a vacuum, they have to engage with the rest of the organization to understand what the organization needs. Likewise, leadership has to engage the security team. If leadership is making decisions about a new platform, or a new shift in business model or whatever and they're not engaging the security team, it cuts off the opportunity for the security team to be involved with the planning process, which means that you are giving the security team a bunch of nails to knock down with a hammer (to Greg's analogy earlier).
So, it is really important to be involved in the planning process and that can't happen without engagement. So just zooming back from, you know, what steps are needed. It goes back to communication and engagement; the security team has to be involved with what is going on with the business. Leadership needs to be involved in what security is doing and what the needs are there. And just to work together to accomplish this for an organization.
April Brown: I completely agree. All right. I am going to go ahead and pose the question to Courtney. Courtney, what do you think about what cybersecurity needs for next steps for these organizations from this discussion?
Courtney Bramlett: Yeah, I think it would be really interesting to go into an organization's security department, ask maybe someone kind of a lower-level or someone who's new, and really ask them, “Hey, do you know what your end goal is here?” or “why you are doing what you are doing?”. And as it relates to the business and you know, what are their goals? I highly doubt that they would be able to answer that question. Just because the nature, I feel like of security experts are so technical and they get so stuck into that kind of box of “we just need this done, we need you to filter through this information”. And I do not think it has been their fault for that.
Again, from what I stated before, I think the security department has always been looked at as its own unique department that needs to be handled differently, that it has different needs than you know, your finance firm, and your marketing department, your sales team, which those departments are working together in successful organizations, as different departments are working together every day. So, I love that point that Brian said that security needs to be right in there with them, understanding what the main goals are. I really think that has a lot to do with the CISOs and the directors of the IT departments. I think a lot of them might be too technical or working too inside the IT department instead of thinking, “Oh, how can I network with the C-levels?”. How can I get on their agendas? How can I talk with them? How can I meet with the CFO? How can I meet with the CMO, like getting the word out about the importance of our IT department? Like what do you need from us? Or what, you know, what do we need from you to really make sure that we're working together as a team. I think is that kind of middleman between that communicate between the department and the C suites or the board, the board members, I think that would be huge to increase in networking there.
And again, I think that goes back to just organizational workflows and hiring someone that's has both the personality, the teamwork, and the leadership. But also has the technical background to lead people in the IT department. But yeah, I think it is just really getting the IT department integrated with the rest of the organization.
April Brown: Okay, thank you. I'm seeing a trend between everyone who's talking, where you're all basically saying the same thing that the communication needs to be talking about what board members need to be asking and looking internally at what the company needs. And there needs to be a blending between the CISOs and the board members and the IT department and the security teams, and everything needs to come together to do an open discussion of what the company needs - what they really need to hear. Everyone has a different language. Board members are very interested in how the company is going to run and the overall profit margins, oftentimes, more so than the security team who is worried about the technology and protecting the employees in the company overall. So, I think that it is a great idea – and what every one of you guys are saying - is that the communication is the biggest disconnect here. To move forward, communication really needs to be top priority. To just start that discussion within your companies, even before maybe reaching out to a cybersecurity firm, like VerSprite, or anybody else. You need to understand what you either understand or don't understand, and what you need. So, I think this was a really great discussion.
Thank you, all.
I just really want to wrap up this conversation but before I wrap up, I want to make something really clear. That while we might be a cybersecurity firm, and we're all working in the industry, so we might be a little bit bias about how important and how much of a priority cybersecurity needs to be in the boardroom to different organizations. I think that everyone can agree that with the rise in technology, and how companies are both relying on it and using it and creating it, cybersecurity is a major issue that needs to be talked about throughout every single level and layer of an organization.
And whether you are looking at trends or you are looking internally within your own company, I think it is really important. It's something that, you know, several of us hit on today at VerSprite. We understand that your organization is very unique, you have unique risks, you have unique goals. Your organization is very different from your closest competitor, or even from the office next door. So, you need to be looking at what your goals are and what your risks are before you even start trying to make plans about that.
So, I hope that you took a lot of insights from this, I hope that you gained the confidence that you need in order to create a discussion within your company about cybersecurity. And I would love to invite everyone who is tuning into this, to please continue the discussion. Cybersecurity risks are ongoing to your company and to ours and everyone else's, so I think the discussion about it also needs to be ongoing.
So please put your input, we would love to hear what you are doing to try to open those communication gates, improve them or your own security plan within social media or our YouTube, where this video is going to be posted. Please let us know your own thoughts on what some of the issues are and what you are dealing with. We would love to hear from you.
Thank you for tuning in and I hope to see you on our next roundtable discussion.
Bye, everyone. Thank you.
Partner with VerSprite to Close Security Gaps Before They're Found
VerSprite is an Inc 5000 leader in cybersecurity that helps over 200 organizations prevent, stop, and navigate past threats. Contact our trusted security advisors for help developing your 2021 security plan, learn more about real-world attack simulation engagements, or to increase visibility into your Cloud. Contact VerSprite →
Subscribe for Our Updates
Please enter your email address and receive the latest updates.