But how many directors get lost in the technicalities of technology? The challenge for a chief information security officer (CISO) is talking to the board of directors in a way they can understand and support the company.

It’s drilled into the heads of board directors and the C-suite by scary data-breach headlines, lawyers, lawsuits, and risk managers: cybersecurity is high-risk. It’s got to be on the list of a company’s top priorities.

Niall Browne, senior vice president and chief information security officer at Palo Alto Networks, says that you can look at the CISO-board discussion as being a classic sales pitch: successful CISOs will know how to close the deal just like the best salespeople do. “That’s what makes a really good salesperson: the person that has the pitch to close,” he says. “They have the ability to close the deal. So they ask for something.”

“For ages,” Browne says, CISOs have had two big problems with boards. First, they haven’t been able to speak the same language so that the board could understand what the issues were. The second problem: “There was no ask.” You can go in front of a board and give your presentation, and the directors can look like they’re in agreement, nodding or shaking their heads, and you can think to yourself, “Job done. They’re updated.” But that doesn’t necessarily mean that the business’s security posture is any better.

That’s why it’s important for CISOs to raise the board’s understanding to the level where they know what’s needed and why. Especially when it comes to new advances in cybersecurity, like attack surface management, which is “probably one of the areas that CISOs focus least on and yet is the most important,” Browne says. For example, “many times the CISO and the security team may not be able to see the wood from the trees because they’re so involved in it.” And to do that, CISOs need a set of metrics so that anybody can read a board deck and within minutes understand what the CISO is trying to get across, Browne says. “Because for the most part, the data is there, but there’s no context behind it.”

This episode of Business Lab is produced in association with Palo Alto Networks.

Full transcript:

Laurel Ruma: From MIT Technology Review, I’m Laurel Ruma, and this is Business Lab, the show that helps business leaders make sense of new technologies coming out of the lab and into the marketplace.

Our topic today is cybersecurity and corporate accountability. In recent years, cybersecurity has become a board-level concern with damaged reputation, lost revenue and enormous amounts of data stolen. As the attack surface grows, chief information security officers will have increasing accountability for knowing where to expect the next attack and how to explain how it happened.

Two words for you: outside-in visibility.

My guest is Niall Browne, who’s the senior vice president and chief information security officer at Palo Alto Networks. Niall has decades of experience in managing global security, compliance and risk management programs for financial institutions, cloud providers and technology services companies. He’s on Google’s CISO advisory board.

This episode of Business Lab is produced in association with Palo Alto Networks.

Welcome, Niall.

Niall Browne: Excellent. Thank you, Laurel, for having me.

Laurel: So as a chief information security officer, or a CISO, you’re responsible for securing both Palo Alto Networks’ products and the company itself. But you’re not securing just any old company; you’re securing a security company that secures other companies. How is that different?

Niall: Yes, so I think, the beautiful thing about Palo Alto Networks is that we’re the largest cybersecurity company in the world. So we really get to see what an awful lot of companies never get to see. And if you think about it, one of the key things is, knowledge is power. So the more you know about your adversaries, what are they doing, what methods they’re attempting on the network, what are the controls that work and what are the controls that don’t work, the better you are to create your own internal strategy to help protect against those continuous attacks. And you’re in a much better


By: MIT Technology Review Insights
Title: As cybersecurity evolves, so should your board
Sourced From: www.technologyreview.com/2021/06/02/1025571/as-cybersecurity-evolves-so-should-your-board/
Published Date: Wed, 02 Jun 2021 17:09:29 +0000