Watch the Video from FAIRCON19: Perfecting a CISO Board Presentation with James Lam and Chris Inglis
It was one of the most closely listened-to panel discussions of the recent 2019 FAIR Conference: “Pen-Testing Your Board Pitch,” starring two veteran board members, James Lam (E*TRADE) and Chris Inglis (FedEx), who gave attendees a rare opportunity to hear directly from the source what board directors want to know before bestowing their support, or throwing you out of the room.
Watch the complete video of Pen Testing Your Board Pitch: An Interactive Exercise, with James Lam, Chris Inglis and moderator Kim Jones, Professor of Practice, Arizona State University.
Note: FAIR Institute membership and LINK community site membership are required. Join the FAIR Institute now (it's free).
The session began with two skits, one cringe-inducing, one applause-generating. In the first dramatization, two self-confident but old-school infosec executives, still reporting risk qualitatively, played by Jeff Welgan of CyberVista and Steve Reznik of ADP, brief the board (played by James and Chris) of an imaginary bank on their security posture after a data breach at a competitor bank, complete with a colorful heat map presentation.
James’ reaction: “Could you imagine a CFO coming into a board meeting and saying ‘the last quarter, our revenue was green, and our expenses were yellow, so our profitability was orange.’ That CFO would be fired.”
Chris’ comment on the qualitative approach to risk reporting: “It not only leaves the board members vulnerable, it leaves them powerless. They don’t know what to invest in, they just know they should be uncomfortable. We’ve succeeded beyond our wildest expectations in that regard.”
In Act Two, Jeff and Steve have undergone a FAIR makeover and are now able to articulate both risk and security investment strategy in financial terms, and to answer the board members’ concerns about a data breach at their own bank with real numbers. Instead of a heat map, the briefers point to a loss exceedance curve (the probability that annual loss will meet or exceed any given dollar amount) and report that “we have only a five percent chance of experiencing the same kind of losses our competitor experienced.”
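The kind of curve the briefers point to can be produced with a small Monte Carlo. The script below is an added illustration written for this page, not code from the FAIR Institute or the panel: it assumes a FAIR-style model in which the number of loss events per year is Poisson-distributed with a loss event frequency `lef`, each event's magnitude is lognormal and calibrated from a 90% confidence range, and the loss frequency, loss range and competitor loss figure are all constructed numbers rather than data from the session.

```python
"""Loss exceedance curve by Monte Carlo (added example, not from the FAIR Institute post).

Assumed model, in the spirit of FAIR: the number of loss events per year is
Poisson with mean `lef` (loss event frequency) and each event's loss magnitude
is lognormal, calibrated from an analyst's 90% confidence range. Every number
used below is constructed for illustration, not taken from the panel.
"""
import math
import random

Z_90 = 1.645  # standard-normal z-score bounding a two-sided 90% interval


def lognormal_params(low, high):
    """Turn a 90%-confidence range (low, high) for a single loss into the
    mu/sigma of the underlying normal, so that about 5% of draws fall below
    `low` and 5% above `high`."""
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2.0 * Z_90)
    return mu, sigma


def poisson(lam, rng):
    """Sample an event count from Poisson(lam) with Knuth's method."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_losses(lef, loss_low, loss_high, years=10_000, seed=1):
    """Return one simulated total loss per year for `years` years."""
    rng = random.Random(seed)  # fixed seed keeps the curve reproducible
    mu, sigma = lognormal_params(loss_low, loss_high)
    annual = []
    for _ in range(years):
        events = poisson(lef, rng)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return annual


def exceedance_probability(annual_losses, threshold):
    """P(annual loss >= threshold), estimated over the simulated years."""
    hits = sum(1 for loss in annual_losses if loss >= threshold)
    return hits / len(annual_losses)


def exceedance_curve(annual_losses, thresholds):
    """The loss exceedance curve as (threshold, P(loss >= threshold)) pairs."""
    return [(t, exceedance_probability(annual_losses, t)) for t in thresholds]


def loss_at_probability(annual_losses, p):
    """Smallest simulated loss L with P(loss >= L) <= p, i.e. the loss that
    is reached or exceeded in at most a fraction p of years (a 1-p quantile)."""
    ordered = sorted(annual_losses)
    n = len(ordered)
    idx = min(n - 1, math.ceil((1.0 - p) * n))
    return ordered[idx]


if __name__ == "__main__":
    # Constructed inputs: 0.4 breaches per year, each costing $200k-$5M (90% CI).
    losses = simulate_annual_losses(lef=0.4, loss_low=200_000, loss_high=5_000_000)
    competitor_loss = 4_000_000  # hypothetical figure reported by the competitor bank
    for threshold, prob in exceedance_curve(losses, [0, 1e5, 1e6, competitor_loss, 1e7]):
        print(f"P(annual loss >= ${threshold:>12,.0f}) = {prob:6.1%}")
    print(f"Loss reached in only 5% of years: ${loss_at_probability(losses, 0.05):,.0f}")
```

The board-facing sentence in the skit is simply `exceedance_probability(losses, competitor_loss)` read aloud; the same simulated years also give the dollar amount that is exceeded in only 5% of years, which is the figure a director can compare against an insurance deductible or a control budget. Note that the curve is only as good as the calibrated inputs, so the frequency and range assumptions should be shown alongside it.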
James’ reaction: “Much better. You guys can keep your jobs.”
In the rest of the session, James and Chris went on to give pointed and thought-provoking advice from the board's point of view. For example, Chris made the point that too often CISOs give the impression that “the thing being defended is the digital infrastructure itself. That is literally true but not actually practically what we are trying to do. We are trying to defend the business. We need to put this risk in the context of what business outcomes might be at risk.”
See more coverage of the 2019 FAIR Conference
Related Posts:
Jack Jones and James Lam on NACD Blog: “Get the Right Cybersecurity Reports”
[Video] James Lam’s FAIRCON18 Keynote on ERM, Cybersecurity Oversight and Cyber Risk's Future