I get to speak to a masters in cyber security class at a major university on Monday. They are learning about interacting with senior leadership/BoD on topics of cyber risk. I have many stories to share with them, but curious if y'all have any ideas on what you think that group should know.
@jerry relating any recommendations to financial impact is all they care about. How much it will cost to implement, vs. how much it'll cost if we don't implement it.

@da_667 @jerry Yes, indeed. Especially the bean counters need to have an NPV waved at them!

But the rest of the board should also care about reputational risk.

So the lesson is that while CxO should care about data security and operational integrity - and the tech and training that that implies - it may need to be translated into money and shame to be salient...

@DamonHD @da_667 @jerry i dare you to ask them how many have any technical background whatsoever

@Viss @DamonHD @jerry I had a music major as my datacenter ops manager.

I want you to understand, I know that sometimes, someone changing majors and/or professions happens and that these people can be quite good in a totally different space (edit: clarification), but this dude paid for a cleaning service that does datacenters to come and clean the datacenter. It didn't really need it, and was genuinely a waste.

Now, us replacing all of our network fabric, and re-doing our cable management, which was another huge endeavor, was a big win.

@da_667 @Viss @DamonHD @jerry I have 7/8 of a music degree.
@Sempf @da_667 @DamonHD @jerry sure, it's totally possible for people to be nerds and that not match their major. I've just encountered so many people with a 'masters in cybercyber' that don't have even basic experience, like installing an OS or configuring a Linksys, that it's tainted the whole degree for me.

@Sempf @da_667 @Viss @DamonHD @jerry

3+4? 4+3? 2+2+3?

jaunty meters no frighten the stakeholders?

@jerry this also relates to budgeting for new tools, and head count. Learn to create proposals for head count and/or tooling. Include cost figures in those proposals. I worked tech support at Sourcefire for a number of years, and had team leads who were bitching that we didn't have all the tools we need to do the job. One of them would put a draft together, submit it, the boss would ask "where are the costs?" and it would NEVER progress. It all comes down to cost. If you don't mention cost, they don't care.

@da_667 @jerry That's what I'm trying to do, but I generally have doubts about my estimates. When it comes to cybersecurity trends or estimated losses if security features remain unimplemented, I always feel that the figures I have are pretty random and not sufficiently backed up by facts.

@bongoknight @da_667 @jerry In my experience, that doesn’t matter as much. Just cite known examples of breached companies who had to pay damages, spend huge amounts to fix any damage, added costs for additional crisis PR management or the money spent on lawyers. Even just ballpark averages for those costs are usually enough to wake them up to the costs of disaster if things go unimplemented.
@da_667 @jerry Walk the fine line between fearmongering and allowing the BoD to snooze.