How to present cyber security issues to the board
- 06 May, 2014 11:34
ANZ Banking Group's global head of technology risk & information security, David Fisher (left) with GPT Group CIO Greg Baster (centre) and Australia Post CISO Troy Braban (right). Photo credit: Neil Duncan, Hanover Fairs.
CIOs and CSOs who need to present security issues to their board need to “leave acronyms at the door”, use PowerPoint presentations and tell stories, according to GPT Group CIO Greg Baster.
Speaking on a cyber security panel at the CeBIT Australia conference – which included Australia Post's CISO, Troy Braban, and ANZ Banking Group's global head of technology risk & information security – David Fisher, Baster said that he tries to summarise cyber security issues for his board who have business backgrounds.
GPT Group is an ASX listed property group.
“I make sure it is simplified and accurate in terms of assessing where GPT is on the cyber security scale,” he told delegates. “I generally leave [security] acronyms at the door. The more we can visualise security the better.”
For example, Baster suggested that CIOs could use PowerPoint slides to simplify and break down cyber security concepts, rather than just talking in technical terms.
“[Financial] numbers talk. The cost of improving security versus the risk is a good way of justifying investments,” he said.
In addition, events such as the Heartbleed bug which hit mainstream media in April 2014 has also “helped the conversation” with his board.
For example, the Sydney Morning Herald reported that financial websites run by GE Money, including the Myer Visa Card, Myer Card portals, and Coles MasterCard were vulnerable to the Heartbleed security bug.
“We have moved from a compliance focus to a much more proactive view [of security] going forward,” Baster said.
Braban was appointed by Australia Post two years ago as the postal service recognised that its digital/online services could be under threat from cyber criminals.
He told delegates that he has regular contact with the board and presents monthly cyber security reports to them.
“There are also a range of forums where we get to discuss cyber security issues and how we manage risk perspective,” he said.
Braban said CISOs should avoid playing the “fear, uncertainty and doubt [FUD] card” when it comes to cyber security.
“We focus on how we are enabling the business because the board is interested in the business strategy and security’s role in that.”
He agreed with Baster that real life security stories such as Heartbleed work with board members.
ANZ Banking Group
The rise of cyber criminals who attack banks online means that the board at ANZ Banking Group is “acutely aware” of cyber security, said Fisher.
“We are digitising many of our services like online banking and this is the technology that poses the largest threat,” he said.
He agreed with Baster and Braban that security professionals should avoid technical talk when presenting to a board.
“When you have a technical topic, it’s much easier to boil it down to into something visual. Stories are better but analogies work too. If you can make the analogy relevant to the audience and more personal you’ve got their attention.”
For example, using the analogy of a castle not being defended as a way of explaining why companies need to invest in firewalls and other perimeter defence networks may help.
Follow Hamish Barwick on Twitter: @HamishBarwick