Black Hat: How Hackers Brief the Board to Improve Security Outcomes

Accenture Security details what to do and what not to do when explaining security issues to corporate management.

Accenture Hack Happens square box

LAS VEGAS—Briefing executive management on security issues isn't always an easy task, but it's one that Matt Devost, managing director at Accenture, has 20 years of experience doing.

Devost is planning on sharing his lessons learned in a session at the Black Hat USA conference here on July 26. In an interview in advance of his session, Devost provided eWEEK with some insights on things that security professionals can do to improve executive management security briefings.

There are several things that can lead to a bad experience when briefing executive management, according to Devost. One of them is when the security person presents metrics that don't make sense to the business. "So if you're bringing things like the number of vulnerabilities, when they have no way to actually understand what the impact is," he said.

"Another thing that will lead to a bad experience is when the engagement is adversarial," Devost added. An example of taking an adversarial approach is if security testing is a pass/fail answer and the security staff tells executive management that the organization has failed. Devost said that instead of presenting the result of security testing in a pass/fail scenario to use it as a tool to help improve the organization's security posture.

Devost suggests that a better approach is to tell the board about the security exercise that was conducted and assure them that the exercise will result in specific improvements.

Sometimes security issues are revealed by way of a breach, as opposed to vulnerabilities being disclosed during a testing process. Devost recommends that organizations have a plan in place for breach readiness, so in the event one does happen, there are communications and technical plans that can be enacted.

In terms of metrics, Devost said it's important for organizations to have a risk scale that the board of directors can understand from a business perspective. Instead of a high/medium/low severity score, he suggests using words such as "diligent," "acceptable," "at risk" or "negligent" to define security status.

There also needs to be metrics that help drive security posture improvements. For example, Devost said that if he told a board that in one quarter there were 150 critical vulnerabilities and in the next quarter there were 145, the initial interpretation would be that things have improved. However, a simple reduction in the number of vulnerabilities doesn't always provide an accurate representation of improvement, since there are other factors in play, he said.

A more meaningful metric is time to detection, according to Devost.

"If you can reduce the time to detection and how quickly you are able to determine a compromise on your network, that will have much more impact on your security posture than just reducing the number of high-level vulnerabilities by five," he said.

According to Devost, security personnel need to find the right balance with metrics that make sense to the business and that actually matter.

"I often repeat the Jack Welch [CEO of General Electric] saying that you get the behavior that you measure and reward," Devost said. "So we need to make sure that the board understands that the right things are being measured that actually reduce risks to the business."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.