Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
eWEEK.com
Search
eWEEK.com
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Black Hat: How Hackers Brief the Board to Improve Security Outcomes

    By
    SEAN MICHAEL KERNER
    -
    July 26, 2017
    Share
    Facebook
    Twitter
    Linkedin
      Accenture Hack Happens square box

      LAS VEGAS—Briefing executive management on security issues isn’t always an easy task, but it’s one that Matt Devost, managing director at Accenture, has 20 years of experience doing.

      Devost is planning on sharing his lessons learned in a session at the Black Hat USA conference here on July 26. In an interview in advance of his session, Devost provided eWEEK with some insights on things that security professionals can do to improve executive management security briefings.

      There are several things that can lead to a bad experience when briefing executive management, according to Devost. One of them is when the security person presents metrics that don’t make sense to the business. “So if you’re bringing things like the number of vulnerabilities, when they have no way to actually understand what the impact is,” he said.

      “Another thing that will lead to a bad experience is when the engagement is adversarial,” Devost added. An example of taking an adversarial approach is if security testing is a pass/fail answer and the security staff tells executive management that the organization has failed. Devost said that instead of presenting the result of security testing in a pass/fail scenario to use it as a tool to help improve the organization’s security posture.

      Devost suggests that a better approach is to tell the board about the security exercise that was conducted and assure them that the exercise will result in specific improvements.

      Sometimes security issues are revealed by way of a breach, as opposed to vulnerabilities being disclosed during a testing process. Devost recommends that organizations have a plan in place for breach readiness, so in the event one does happen, there are communications and technical plans that can be enacted.

      In terms of metrics, Devost said it’s important for organizations to have a risk scale that the board of directors can understand from a business perspective. Instead of a high/medium/low severity score, he suggests using words such as “diligent,” “acceptable,” “at risk” or “negligent” to define security status.

      There also needs to be metrics that help drive security posture improvements. For example, Devost said that if he told a board that in one quarter there were 150 critical vulnerabilities and in the next quarter there were 145, the initial interpretation would be that things have improved. However, a simple reduction in the number of vulnerabilities doesn’t always provide an accurate representation of improvement, since there are other factors in play, he said.

      A more meaningful metric is time to detection, according to Devost.

      “If you can reduce the time to detection and how quickly you are able to determine a compromise on your network, that will have much more impact on your security posture than just reducing the number of high-level vulnerabilities by five,” he said.

      According to Devost, security personnel need to find the right balance with metrics that make sense to the business and that actually matter.

      “I often repeat the Jack Welch [CEO of General Electric] saying that you get the behavior that you measure and reward,” Devost said. “So we need to make sure that the board understands that the right things are being measured that actually reduce risks to the business.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      CHRIS PREIMESBERGER - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      CHRIS PREIMESBERGER - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      EWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      ZEUS KERRAVALA - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      WAYNE RASH - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Info

      © 2020 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×