Boardroom Conversations on Security: Part 4

Boardroom Conversations on Security is an ongoing series on how to discuss and present cyber security concerns to your board. It comes from an extended conversation between Enrique Salem, Investor at Bain Capital, and Erkang Zheng, CEO of JupiterOne. For your convenience, the entire series is available as a single download.

"Enrique, when preparing for a board meeting, what are the things the board would like to hear from the CEO? Are there specific metrics or measurements you look for?"

Enrique Salem

The first place I would start with is to give a view of, "Where are we from a security risk perspective?" I look at it in two dimensions, starting with our own security maturity. Give me a point of view: are we just building a security program? Have we developed it? Is it something that's repeatable? How do we think about our security program and the maturity of the security program?

To me, what I would want them to show me is, "Here are the functions we have, the roles of people in security, and here are the processes that we use." I'd want to see that. That's not a metric, that's more of a discussion.

Erkang Zheng

Sometimes that can be challenging. It depends on the company and the actual security team's maturity. An immature security team can come to you and say, "We have a mature security program," without knowing what they don't know. It goes back to your point that this is not a metric, but a discussion. Otherwise, if you're just asking to see a chart of security maturity based on the red, yellow, green type of thing, it doesn't really uncover the actual details of the maturity itself.

Enrique Salem

I look at it from the capability maturity. As an example, look at the work that was done on the old Carnegie Mellon Capability Maturity Model. There are lots of frameworks you can use to try and articulate the maturity of an organization. I'd want to have that discussion.

The other thing I would want to do is talk about a set of areas that really matter, that need to be reported on around compliance issues, specific regulatory compliance issues. I would like you to show me and have a way of communicating to me that if we're taking credit card data, are we PCI compliant? If you're in a healthcare business, are we HIPAA compliant?

I want to make sure there is a way to understand there are regulations that govern our business, and here's why I believe we are compliant with those regulations. Then there's a set of certifications that we care about. For example, a lot of my companies are cloud-based, so where are you on things like SOC 2 and other certifications that we need to have to be able to be in business. There's some very specific things that you should just be able to go through and show the board clearly that you're doing and have done and have taken good care of.

Erkang Zheng

I would go a step further beyond what you said about compliance, Enrique. A lot of times the board asks, "Do we have SOC 2? Do we have HIPAA? Do we have PCI?" I would challenge the team to think about, "Do we have this continuously?" It is not just, "Yes, the auditor gave me this report and stamped it yesterday."

What the board needs to ask, and what the executive team and the CISO team need to be able to present, is, "At any given time, if the auditor walks in the door today, I can show you the same compliance status at a moment's notice."

Continue reading with Boardroom Conversations on Security: Part 5, or download the entire series for easy distribution to your board and security team.

About Enrique Salem

Enrique Salem was the president and CEO of software company Symantec from 2009 until 2012, and was a member of Barack Obama's U.S. President's Management Advisory Board. Enrique joined Bain Capital Ventures in 2014, where he focuses on infrastructure software and services with a specialization in cybersecurity.

About Erkang Zheng

Erkang Zheng is a hands-on leader in cybersecurity. He is an engineer by trade and an entrepreneur at heart. Before starting JupiterOne, Erkang was CISO and Privacy Officer at GM LifeOmic Security. In August of 2021, Erkang was selected as one of The Top 25 Cybersecurity CEOs of 2021 by The Software Report.

Mark Miller

Mark Miller speaks and writes extensively on DevSecOps and Cybersecurity. He has published 9 books, including "Modern Cybersecurity: Tales from the Near-Distant Future".
