Stop Doing Four Things—and Convince Your Execs and Board to Properly Fund Cybersecurity
If you want to convince your execs and board to properly fund cybersecurity, you can start with this: Stop telling them scary stories and using Hollywood clichés to make your case.
Hackers . . . hackers . . . hackers . . . they are everywhere. Stealing millions from a bank. Using ransomware to force grandma to pay up or never see the pictures of her grandkids again. Taking and selling millions of logins and passwords on the darknet.
But why keep calling them hackers? Why not start calling them what they really are: criminals.
To many, a hacker has become a Hollywood caricature, striking fear and awe into minds as it conjures images of Neo from The Matrix. An unstoppable technical adversary and Kung-Fu Master who can fly, stop bullets with his mind, and gain instant access into any system in the world—no matter how well secured—by simply mashing a keyboard.
It all started back in 1983 with War Games, when Matthew Broderick’s character David accidentally hacked NORAD, thinking he’d broken into a computer game company. Why couldn’t he just play a nice game of chess instead of starting a Global Thermonuclear War? The movie reputedly freaked out President Ronald Reagan enough for him to ask Gen. John W. Vessey, Jr., the chairman of the Joint Chiefs of Staff, if something similar could really happen.
The answer that came back, of course, was “yes” and resulted in a classified national security decision directive, NSDD-145, titled “National Policy on Telecommunications and Automated Information Systems Security.” We can only hope that the next thing they did was change the admin password on the W.O.P.R. to something other than “Joshua” or, at the very least, enable two-factor authentication.
While this was certainly a case where Hollywood helped instill some highly productive and motivating fear, uncertainty, and doubt in the President, prompting him to take action on developing and implementing cyber security policy, it unfortunately also became the model for how IT communicates risk to executives.
For years to come, pocket-protected nerds with taped-up glasses would continue to build super complex systems that only they and angst-ridden teenage boys seemed able to operate, while corporate executives and government officials would increasingly distance themselves from any understanding of what these geeks were talking about.
Subsequent hacker movies such as Sneakers, Swordfish, Hackers, and The Net have only continued to add to the ridiculous fictional creation that is the Hollywood hacker, making it harder for non-technical executives to take any of this computer and Internet stuff seriously.
And that, in my opinion, is exactly how we landed in the mess we’re in now—where we aren’t looking at the real threats posed by today’s real hackers.
So What Else Can You Stop Doing?
#1 Stop using sensational news headlines in your presentations.
The torn-from-the-headlines slides have become so cliché that no one really cares about them anymore. In fact, over the past few years, they’ve progressed from shocking to mildly unnerving to boring to annoying.
A much better use for sensationalized headlines is for scenario-thinking exercises. As part of your board meeting, executive retreat, or security team training, take a few of these real-life stories and deconstruct them. Imagine that the exact scenario in the news article has happened to your organization and then role-play through exactly how you would address the situation.
At each level of the organization, there are many lessons to be learned from this approach. It not only helps to ground the discussion of the problem in reality, it also engages participants in helping find solutions and trains your teams on a process that can be used for dealing with a real breach.
This way, the next time you need to upgrade those firewalls, the executive leadership team and board will have a much more relevant understanding and context of the situation and will likely be able to apply more effective governance to the decision-making process.
#2 Stop using hacker-themed stock clipart.
There are basically only five pieces of crappy stock clipart that accompany every presentation and article about hacking: the one with the sinister-looking guy in the hoodie, the one with the white-and-black-striped bandit running away with the laptop, the one with the skull floating in Matrix-esque 1s and 0s, the one with the padlock, and a picture of anything with HACKED in big red letters written across it.
Instead of stealing bad clipart off the Internet, you’re much better off getting to the point and using real data specific to your organization that supports your business case or policy-change request, presented in infographic-like form. Put fewer words on each page and let the visuals help tell the story.
#3 Stop using industry jargon.
The CPA on the board can’t relate to an APT that has exploited privileged user credentials to install rootkits on multiple endpoints and has bypassed our IPS by encrypting command-and-control messaging. He can, however, relate to the message that we need to spend $100k on a thing called a firewall because criminals just tried to steal $20 million worth of customer credit card data, which would also expose the company to the risk of PCI-compliance violation fines and potential class-action suits in the tens of millions.
#4 Stop using fear. Start using reason.
If a CFO were proposing a new program to deter fraud and identity theft that is costing the company millions of dollars in lost revenue and eroding the trust of customers, he wouldn’t toss in a bunch of pictures and quotes from Ocean’s Eleven or The Italian Job to spice up his board presentation. So again, why should we in IT try to characterize our challenges in the context of fictitious movie plots and characters?
When you present scary stories and Hollywood clichés to executives, they become passive consumers of information, much as if they were watching a movie. An executive can’t take action on fear or fictional references, nor will they. They can, however, act on a clearly articulated risk analysis accompanied by well-conceived strategies to manage that risk.
Originally published in Infosec Island