How Hearst's CISO Talks Security With the Board
David Hahn Offers Tips for Making Tough Conversations Easier
Boards of directors these days have a clearer perspective of just how damaging an information security incident can be. If there is a positive lesson in the devastating attacks against Sony Pictures Entertainment in November 2014, it's that cyberattacks are embarrassing, expensive and difficult to recover from (see ISMG's Guide to the Sony Breach).
But while security experts have long advocated making cybersecurity a front-and-center topic in all business continuity discussions, having that conversation still isn't always as easy as it should be. For starters, information security is an arcane topic that can quickly go down the rabbit hole, with graphs showing the number of vulnerabilities patched in a given timeframe and presentations devolving into little more than an exchange of thick compliance reports. Box-ticking or patching exercises do not guarantee that an organization is secure, but it's difficult for executives to wrap their heads around the related technical minutiae, or their business implications.
David Hahn, a vice president and CISO at Hearst Corporation, the broadcasting and print media company that owns magazines such as Esquire, Elle and Cosmopolitan, has found approaches that do not cause board members' eyes to glaze over when he speaks. He shared some of his board communication tips during a Sept. 13 panel discussion at the Security Innovation Network conference in Sydney.
"I have to explain it in a story," Hahn says. "I have to explain to them what is going on, what is not going on. I don't go into a lot of complicated statistics, such as how many vulnerabilities do we have, how many breaches have we had, how many attacks have we had. It doesn't really make any sense to them."
A Campaign, Not a Battle
What the board wants to hear is how Hahn runs the information security program and how that work is reducing the company's risk profile. Boards want to see some numbers and hear of progress. But because security is a long-term, continual campaign, Hahn advises that it's a year-over-year program and that there is no silver bullet. And that message is getting through, he says.
The No. 1 follow-up question Hahn hears is whether he has enough budget. But it's not exactly the right question, he contends. Organizations can spend as much as they want on technology, but it's not necessarily going to solve security problems because people and processes are huge components, he says.
"It's about getting education, awareness - all those pieces," Hahn says.
Hearst is pursuing a digital strategy, and with that, more risk is incurred, Hahn says. The Sony Pictures Entertainment attacks were a turning point for Hearst's board in recognizing the dangers. The payment card attacks against Target and Home Depot didn't resonate nearly as strongly, because those businesses are very different from Hearst's, Hahn says.
"Sony was a representation of disrupting your business at a level that no one had seen before," Hahn says. The Sony breaches prompted hard questions about how a company recovers after an attack, which is an immediate ROI issue. And companies in Hearst's line of work also have been hit. In April 2015, cyberattackers struck broadcaster TV5Monde, taking 12 of the French broadcaster's channels offline for 18 hours. The attack may have been conducted by APT28, also known as Sofacy or Fancy Bear, a suspected Russia-based group.
"If our televisions go dark, we lose money immediately," Hahn says. "There's no ripple effect. You don't sit there and worry about the regulators. We're not making money."
Another successful approach: Hahn takes executives aside to have one-on-one conversations outside of the twice-yearly meetings. Board members often don't want to ask technical questions publicly for fear of embarrassing themselves, so Hahn says the personal chats can allow them to speak more freely, such as asking what an APT is.
"Most of the time they tend to ask me about the latest phishing email that they got," Hahn says. "You start with that. I tell them: 'Don't click on the link, but even if you do, I'm going to cover you either way.' You tend to start with the small things, but you want them to understand the overarching strategy. You want to tell them that this is an ongoing conversation. It doesn't end with one purchase or one installation because the risks continue to evolve as well."