Webinar - A CISO’s Guide to Communicating Risk - Exabeam

A CISO’s Guide to Communicating Risk

Webinar Transcript | Air Date April 26, 2022


Mike Moreno:

Hi, this is Mike Moreno. Let’s give it a minute before… To let more people join. So hold on one second and we’ll get things started.

Mike Moreno:

All right. I think we have a good number of people on the line. Well, I want to thank everybody for joining us today. Hopefully everybody’s having a great day. We’re going to kick things off. My name is Michael Moreno. I’m a senior product marketing manager here at Exabeam focused on our alliances relationships. A lot of our tech alliance partnerships like Google Cloud and many others. And I’ve been here since July of last year. Have over 15 years of experience in technology and have worked at a variety of companies, including CloudFlare, Cloudera, and Intel. Today, I’d like to introduce you to our CISO Tyler Farrar. Tyler, would you like to introduce yourself?

Tyler Farrar:

Yeah. Good morning, Mike. My name’s Tyler Farrar. I’m the CISO here at Exabeam. I focus both on enterprise cybersecurity, so protection of our enterprise infrastructure and our people, our team members, as well as product security and ensuring the security is delivered to the products that our customers purchase. Before that… And I’ve only been here since about August now. Before that I worked at Maxar Technologies, ran security operations, infrastructure governance, cyber assurance, USG program protection, did a brief stint prior to Maxar at KPMG. I’ve consulted on various engagements like FedRAMP ATOs and NextGen security operations, vulnerability management programs. And then before that, 12 years of experience in the US Navy as a cryptologic warfare officer. Managed many projects and cyber operations within the US Cyber Command.

Mike Moreno:

Excellent. Excellent. So today’s theme, just to make sure everybody’s here on the right webinar, is the CISO’s Guide to Executive Communication. And I know you have plenty of years of experience. Maybe to kick things off, you could highlight some anecdotes that you have on having to communicate with executive leadership about cybersecurity.

Tyler Farrar:

Yeah. I’ve used a couple of different methodologies in my career, and you can apply these methodologies really based on what type of organization you work for. One type is tied to a security framework, NIST, ISO, et cetera. That works pretty well, or I should say very well, for more compliance-focused organizations. It certainly doesn’t work as well for organizations that maybe have a little bit more of a mature enterprise risk management program. They think more of risk-based, data-centric security. And when you’re working at a company like that, or evolving your risk management program to be more risk-based and data-centric, it’s better to focus… And what we’ve focused on is data classification, sensitivity. That is really helpful to define true risk impact and likelihood levels. And then you can also provide very specific data type examples that are relatable and understandable to folks across the business within each data classification.

Tyler Farrar:

And what that leads to is the ability to create what we’ve titled here at Exabeam an adverse impact table. And essentially what it is, is a common language. It ensures that you and every other executive are speaking the same language about risk impact to your business. And there are various items that we consider when determining that adverse impact level. An example being financial costs, direct or indirect. Another one would be reputational damage, safety of employees, and then lastly any kind of legal or regulatory compliance action. And so if you take that type of approach… Or how I’ve taken that type of approach, it’s allowed me to focus much more strategically and really look into transformational risk reduction. And it’s focused on critical infrastructure and the data services that the company provides or uses. And then you can just execute more of that tactical risk remediation where required, where you discover something through an enterprise risk assessment, or just in your day-to-day job, in your day-to-day operations.

Tyler Farrar:

And that’s what we’ve done. And what I just said is, it’s telling others, it’s telling my peers that we’re all working on the right things and we’re reducing risk where the impact and likelihood are the greatest. So I guess, to kind of close on that personal experience, if you’re using methodology number two, risk-based data-centric, you’re able to translate and convey risk much more in terms of core critical infrastructure that actually runs, or maybe supports, the core products or services that your business actually provides to its customers. So essentially, how it makes money, how it grows, and how it survives as a company. That’s how I’ve communicated with leaders about security risks, and it’s with that common language that’s centered around what matters most to the company.

Mike Moreno:

That’s great. That’s great. Thanks, Tyler. So part of the title that we’re pulling here for this webinar is coming from a white paper that we did a few months ago, titled the same thing. In the CISO’s Guide to Communicating Risk, we talk about implementing an assumed breach mentality with other executives and the critical ramifications of that happening. With that in mind, what are your suggestions for getting executive leadership on board with taking proactive approaches to security?

Tyler Farrar:

Yeah, there’s… It’s such a complex question and a complex answer. I want to walk through a few things here. Number one, metrics. Metrics, numbers… Numbers don’t lie, and your ability to translate those metrics to tell a story is really important. That story does change, or it’s told differently, I should say, based on who you’re talking to, if you’re talking to the CEO, the CIO, the CFO, et cetera. But you do have to tie your story to the risk. The risks that we just talked about in my personal experience. That risk-based data-centric approach, you should be talking about the risks to the most critical areas of the business. And these are the highest risks, right? And a good way to do that is to also tie those risks and tie your story to some of the major root causes of breaches.

Tyler Farrar:

If you can say, “I have found software vulnerabilities, malware, there’s potential for inadvertent employee mistakes, a third-party compromise, unencrypted data, or phishing.” Those are the top six major root causes of breaches. If you’re able to tie those root causes of cyber breaches to the risks in the story that you’re telling your executive peers alongside those numbers, those metrics, it certainly helps make your case, if you will. And so how you do that… There are a couple of different vehicles that I’ve used in the past and I’m using now. One would be just a monthly security review. What are your operational metrics that you can easily pull together and create some dashboards, and where possible… Especially… I’ll give you one example, security training. We measure security training completion across various functional areas, and it rolls up to an executive level.

Tyler Farrar:

There’s nothing better in moving your program forward and in increasing and improving your metrics than a little friendly competition. Another vehicle would be quarterly security updates. So we’ve talked a lot about how the CISO should be getting in front of the board, getting in front of executive leadership, and briefing out the state of their program. And so having those quarterly security updates, rolling up those metrics I just mentioned to the board and CEO level, is very critical. And for risk acceptance, I think you’re going to get more traction when you’re actually providing correspondence that’s been… I call it previously vetted and calibrated by other folks in the business, more of your SMEs, right? So an example would be, if you have a governance, risk, and compliance team, if you’re leveraging a security champions network, using some security champion that resides within the functional area of the executive that you are attempting to talk about cyber risk with. It kind of shows that you’ve done your homework. There’s data that actually supports what you’re talking about from a risk perspective. And there are people that will back up those risk statements as well.

Mike Moreno:

Have you ever had any pushback in the sense that they’re not taking it seriously enough?

Tyler Farrar:

I wouldn’t say pushback. I would say that everyone comes from their own mindset or from their own area of expertise. And so it’s possible, and it does happen, where you may not understand the full context of either something that’s occurring in the business, something that’s on their roadmap that’s high priority, et cetera. So it is a… For lack of a better word, a negotiation at times. And sometimes it does deserve that additional calibration of risk and prioritization of, “Yeah, we can’t do all of these things. So what is most important? How can we plan for this?” And where there is a little bit more pushback, if you will, it’s a risk acceptance decision at the end of the day, and we have more defined processes to handle something like that.

Mike Moreno:

Makes sense. So what are your suggestions for handling the CEO or the board of directors on questions like, “How secure are we?”

Tyler Farrar:

That’s the million dollar question, right?

Mike Moreno:

Yeah.

Tyler Farrar:

I’m going to continue to hit on that, taking that risk-based data-centric approach. It’s really important to be able to at least start by answering the question of how secure are we. So if you’re taking that approach, you’re focusing on the critical infrastructure or the critical data services, again, that are supporting, or they’re running, your company’s core products and services. It’s what’s making your company money. It’s what’s allowing your company to grow. It’s what’s allowing your company to exist in the first place. So now you’re at least focused on what I’ve… I’ll say again, the right things. From there, you have to start to define what’s the overall risk posture of those critical services… Of those critical data services and infrastructure. What risks are driving the overall posture of those systems?

Tyler Farrar:

And it’s also good to highlight to the CEO, before you start talking just about risks, which are normally… Not always, but normally bad. What are the good things? What kind of risk reductions have occurred? Show that there has been improvement. Talk about what is work in progress. What is the longer-term journey to turn that platform or that environment or that product to what I put in air quotes as green? Or within those acceptable risk tolerance boundaries that you’ve set, which would include, back to that adverse impact table, what am I willing to accept from a risk perspective and impact level, should I have something happen to this environment? Should a cyber breach occur, as an example. So to kind of summarize here: risk-based data-centric approach. Focus on your critical infrastructure. Definitely talk about the overall risk posture of those systems. Talk about what’s driving that posture too. If you want to use traffic lights, go for it. What are the good things that occurred? What’s in progress? What’s the journey? What’s the roadmap for turning that to an acceptable risk tolerance?

Mike Moreno:

Great. Great answer. Another… Probably… This is a bit of a thorn for your organization, but many CISO organizations are known for not getting the resources, specifically the financial resources, requested. How do you explain the value of cybersecurity to the office of the CFO?

Tyler Farrar:

Yeah. Another great question. So I would still focus on the metrics. They do tell that story. It does provide visibility to the CFO on why investments are needed. I would tie those across those root causes of breaches that I mentioned earlier, those six causes. You asked me earlier, where’s pushback? If there’s intense pushback, or the pushback is saying, “We don’t have the money to be able to pay for this, to invest in this,” that should be part of your formal risk acceptance program as part of your larger enterprise risk management program. You have to gain risk acceptance for the no’s. And so if you’re walking through this, it’s not just saying, “I need this money, or there’s a risk here.” You have to show you walked through that whole process, that, again, risk-based data-centric approach.

Tyler Farrar:

So where you’re at with that is, you’re telling the CFO, “I’ve calibrated this risk. I have security champions. I have my GRC team. I have all these technical SMEs saying, ‘This is a big deal.’ I’ve communicated what the likelihood and impact of this risk occurring…” Which in this case is most likely going to be high. You’ve now requested funding to remediate the risk. And you’re telling your story and telling them exactly how you’re going to do it. “I need this money to invest in X, Y, Z in order to remediate this risk, and this is how I’m going to do it.” And if those financial resources still aren’t available, then the CFO, or CEO in some cases, needs to formally sign off on that risk. It’s no longer within the CISO’s control if there’s legitimately no funding available or if it’s a hard no.

Tyler Farrar:

So that’s kind of the no piece, but more positively, other than metrics and other than gaining the ability to tell that story around those high risks that are discovered through that risk-based data-centric approach, there are a couple of other kinds of tricks, I’d call them. Asset inventory, as an example. It’s one of the hardest things. It’s the top of the CIS benchmarks. If you have an inventory, there’s a potential accounting strategy to be able to drive cost savings through capitalization of assets.

Tyler Farrar:

And then a last comment I’ll make is, your enterprise risk assessments, your security incident investigations. By conducting those on a regular basis, you should be finding risks. I mentioned you’re on the highest-risk items that are strategic in nature to reduce risk to critical infrastructure and data services. However, you’re going to have to conduct normal risk assessments. You will have those security incident investigations; breaches will happen. So when you do, are you finding tactical risk remediation opportunities, particularly when you can shut things down? Shutting things down saves money. If you’re able to show the CFO that you’ve saved $100,000 over the quarter or over the month, because you shut down seven systems that were running 24/7 in perpetuity, that’s a great story to tell as well.

Mike Moreno:

Yeah, it’s kind of… Takes me back to my personal life. You check your monthly budget and then you see, “Oh, I have a subscription on Netflix.” Or whatever. “Did I watch any Netflix this month?” And you’re like, “You want to cut that out?” You know what I mean? So it’s definitely cost savings. Yep.

Tyler Farrar:

Exactly.

Mike Moreno:

So the other very interesting organization where I think there’s lots of synergy is the office of the CHRO, human resources. And in our documentation, in the white paper that we wrote, they can be a critical ally in managing insider risk and training. What should CISOs do to build and manage that relationship?

Tyler Farrar:

It’s really a two-way street. Insider threats are going to happen, unfortunately, and when they do, you don’t want to be caught sitting on your hands. And so from a, I guess, a CISO-to-CHRO direction, being able to introduce a more formal investigations process for insider threats is pretty important, and it’s certainly helpful for them as well. And it’s not just, “Here’s the process.” It’s tight collaboration to develop that process of when can the security operations team or the insider threat investigations team have a little bit more autonomy to conduct an investigation into a potential insider threat. And then when is that trigger made to escalate more to your human resources department? And then what does the actual investigation look like, as well as the obvious sit-down with the individual?

Tyler Farrar:

And so it’s really nice, and it’s a really good idea, to develop that initial process and sit down with the CHRO and HR team to walk through that. Obviously, education’s important as well. And then lastly, the other direction, going from CHRO to CISO, there are times where a manager within the business or HR themselves says, “Hey, we have a last-minute termination.” And in those cases, there are both compliance requirements, as well as security-related risks, that need to be taken into account. And one of those is, through a quick termination, the disabling of an account, or maybe it is a longer termination. Let’s say two weeks. And they’re just interested… Or the manager’s interested in overall monitoring of an individual. And so those types of requests come directly from HR, but empowering and educating on that overall process is really important.

Mike Moreno:

Very good, very good. We’ve hit a few different C-level departments. There are many others, like the CRO, the CTO, the CPO, general counsel. Maybe as the final question, anything in those other C-level departments that you think about in how you’re going to communicate to them and what is important? Anything stand out… Any other organizations stand out to you?

Tyler Farrar:

Yeah. Communications is a big one. The CIO is a big one. General counsel is a big one. And if you have more of a chief product officer, that’s a big one as well. Those are some of the core roles. I probably would add your COO, essentially your executive team. Everybody has an opportunity and/or a responsibility, specifically when there’s a major crisis or breach, to execute what I call the executive security incident response plan. So outside of the roles, it’s really critical to develop one if you don’t have one. And how I’ve broken that down is by role. And it’s a checklist for each critical executive role to ensure that, number one, they understand their role within a cyber breach or a major security incident. And then number two… The checklist isn’t for them to obviously hit every box, but it is to remind them, “Oh, yeah. I need to go check on this as well or ask a question to my functional area here.”

Tyler Farrar:

And what that ties overall into is your crisis management capability. And if you’ve seen and heard about or read about, just over the last several years now, I think it really started or really came to light maybe in 2017. But over the last several years now, how there’s been so much crisis mismanagement. And with that, it’s really important, again, to have an overall crisis management team or a crisis management function and have processes defined for: How do I activate? How do I deactivate that team? Who is part of that core team? How often are we meeting? How often are we exercising? Of course, it’s not just about security incidents or breaches. There are other types of incidents that can occur as well, like a geopolitical crisis, or an earthquake or hurricane, a natural disaster. So those are really critical pieces to consider. And it’s very, very critical to… Back to your question, to involve all those critical executive roles.

Mike Moreno:

Yeah. Yeah. Well, Tyler, thank you so much for your time today. Did you have any closing thoughts? We’re up on time. Anything you want to conclude with?

Tyler Farrar:

I’ll conclude with just a high-level summary of some of the things I talked about. So there are certainly, for some organizations, security frameworks to utilize to talk about risk. I’ve implemented, or I haven’t implemented, I’m partially implemented in these controls. It works well for compliance; it doesn’t necessarily work well for overall true risk management. So a really big key there is that risk-based data-centric approach focused on your critical infrastructure, data services. Metrics definitely tell a story. Your story changes based on who you’re talking to, and you have to come back with the data. Don’t just throw a risk over the fence. Make sure you’ve properly calibrated it within your organization, and then leverage all of those executive partnerships to exercise your security incident response plan. Ensure everyone understands what their roles and responsibilities are when a breach occurs.

Mike Moreno:

Okay. Thank you very much. And just for those attending, if you want more information, please go to exabeam.com. Look for the CISO’s Guide to Executive Communications. Feel free to reach out to us. We’d love to talk to you about cybersecurity, security operations teams, and how we can help them. So thank you very much to all those who attended, and we look forward to talking to you.
