Talking to the Board About Cybersecurity’s New Realities
April 6, 2021
I’ve interviewed dozens of CISOs and IT security executives in the past few months, and from those conversations emerged some useful advice on how to talk to your board of directors about the new realities of IT security.
The first key to success: listen before you talk. Understanding the board’s key goals and priorities will allow you to frame your own security goals and metrics in a way that will resonate.
It helps to identify a sponsor on the board – one person who can help you understand the board’s mindset and who can be an advocate for you. Invest time in your relationship with that one person and he/she can help steer key security-relevant decisions.
Keep your discussion with the board short, sweet and focused. It helps to keep it high level – don’t get too technical. Prepare for your board meeting by practicing with a non-technical audience who can flag anything they didn’t understand.
Send the board your materials before the meeting and address any questions beforehand. That keeps the discussion fast and focused during the meeting itself, which should be used to drive key decisions, not to clarify points of confusion.
Begin with the end in mind: consider upfront how you want them to feel when they leave. Thinking about the emotional outcome is key.
Go through the topics on the agenda and flag anything likely to be a sticking point. Then run a mock exercise before the board meeting to prepare for the hard questions you may have to answer.
Reactivity versus resiliency is one difficult discussion that may come up. With significant attacks taking over headlines, it’s natural for the board to ask, “What are we doing to make sure this doesn’t happen to us?”
In these instances, it’s important to lead with resilience. Avoid tipping the balance too far into reactivity. If the last big breach happened due to a cloud misconfiguration, it makes sense to ensure you don’t have the same misconfiguration. But fixing one high-profile problem shouldn’t limit what needs to be a broader and more forward-looking perspective.
It’s inevitable that eventually something will go wrong, and it’s critical to have a plan in place to survive it.
Resilience means that if a building catches fire, you know where the nearest fire station is, how to call them and what to do until they arrive instead of standing there saying, “But we thought we couldn’t catch fire.”
Frameworks like MITRE ATT&CK and those published by NIST can help you explain your security maturity. Back that up with data: external audits, penetration testing and any available internal data. Frameworks are a credible, independent source of information and provide standardized ways to measure security maturity.
Then bring it all together to establish a roadmap (e.g. layering your security via defense in depth) for investments to earn the board’s support.
Be proactive in establishing a baseline that explains where you are now, and then talk about your priorities – pick your top ten. Provide gap analysis, demonstrating how to get from your current baseline to your goal state.
Use recent high-risk vulnerabilities (such as Common Vulnerabilities and Exposures [CVE] entries carrying the maximum severity score of 10) as illustrative examples to help demonstrate how your identified investment priorities can close the gap between your current security posture and your goals. Then tie them to the priorities you know are important to the board.
KPIs indicate tangible progress in your security program. They help establish a risk-based dashboard that can demonstrate progress as well as gaps. Benchmark your KPIs versus your industry when possible, and consider criteria such as risk, regulatory requirements, liability, compliance and expenses.
Align with different business units to support digital transformation activities and leverage those initiatives to gain funding from the board for the security program. If your plans will boost important initiatives, like accelerating new application deployment, then they’ll get more traction with the board. Also look at how you can link security program KPIs to goals like improving the company's brand and trust – especially important for B2C companies – to strengthen the board's support.
A few final strategy notes: