Hackers Are from Mars; CxOs Are from Jupiter
Rob Havelt
Director of information Governance, Risk and Compliance (iGRC)
infoedge LLC
• A background as a packet monkey, wireless geek and leader of a pretty big pen test team
• A hacker and technologist who bleeds ink from all those tested pens
• A director of iGRC for a management consulting firm called infoedge LLC
Rob is decidedly from Mars
Denizens of the boardroom and the SOC
A rift often exists between the denizens of the boardroom and the SOC, who each inhabit different worlds. They don’t think, communicate or process information the same way.
Beyond simple lexicon
The title of this talk isn’t arbitrary; the planet names are significant.
Mars
• God of war
• Protector of agriculture
• Guardian of populace
Why bother knowing this?
Fair question.
I’d rather be taking apart an ATM, developing exploits or getting root.
As a director at a technical firm for many years, I thought I knew a decent amount about the business layer until I left that bubble and entered theirs.
I realized that words and concepts meant completely different things to a CPA than to an engineer.
Like any hacker, I wanted to pull things apart, see exactly how it worked and know the rules.
What’s in it for hackers?
• Leave “the bubble”
• Communicate clearly to get your funding
• Hack “the rules” to get your way
Why bold ideas get disregarded
• Ideas from the technical side for solving non-technology problems are often non-starters
• They aren’t bad ideas, but they lack business context (metrics, operationalization, optimization, planning)
• They also lack a clear picture of how they contribute to the company (mission, vision, goals, objectives)
Jupiter players
• Board of Directors
• Company Management (CEO | COO | CFO)
• Other Players (CIO | CMO | CCO | CTO)
• All Other Business Levels
What about the CISO?
• Chief Information Security Officer (CISO) or Chief Security Officer (CSO)
• Has the least secure position in the organization
• Is the person who takes the fall for the inevitable breach
• Knows he/she will take the fall
• Accepts impermanence as part of the job description
Executives have unique expectations and priorities
• Do some homework to find out what those priorities are
• Prepare to cycle through a few contexts to see what resonates
Executives have limited time and demand clarity
• Deliver key messages up front
• Have a plan A, B, C and D in your pocket
Align your message with business risk strategy
• Understand the risk appetite of the organization
• Make a proposal that enables business decision-making
Satisfy cyber security risk concerns
• Cyber risk is one of the top three boardroom concerns, and therefore an executive concern
• Other concerns include current risks, emerging trends and strategy
Use effective storytelling
• Know what impression you want to leave behind and what story you want to tell
• What outcome do you want?
Tell a story that aligns with your objective
• Facts and data are great, so use them
• Ensure your data can stand on its own
• Connect the dots to tell a compelling story
• Socialize your story ahead of time
Paint a complete picture without raising alarms
• Risk management is about both opportunities and threats
• Don’t exaggerate; it damages your credibility
• Expect counter-information to exist, and remember that any of it can destroy your credibility
Communicate risk and provide clear parameters
• Terms like “high risk” are open to interpretation
• Use frequencies rather than percentages (“1 in 20” lands differently than “5%”)
• People respond differently when you allow a comparison of how often an activity is undertaken
Learn your corporate dialogue
• Technological talk actually makes sense to the initiated
• Terms have definitions, acronyms all stand for something, and they are defensible
• “Corpspeak” has to be made up; what do words like “operationalization” even mean?
Analytics
• Measure everything...even if your approach to measurement is unique
• Gather real, obtainable measurements
• If you can’t directly measure something on its own scale, benchmark it against something similar, e.g. the BSIMM (Building Security In Maturity Model)
• Look to someone with “Auditor” in their title to learn how to do this in your organization
Process flows
• Arrange into corresponding swim lanes
• Number all steps
• Have descriptions for all artifacts
• Include an input and output for each block
Value propositions
• Straightforward yet hard to do
• Must start with business issues
• Focus on threats and opportunities in a risk context
• Define what you want and the impact it will have
• End with what people will get out of it
Tying it all together
• Both sides have different concerns, focus and drivers
• People working towards the same objective can approach it in vastly different ways
• Bridge the gap by taking an objective look at your players and their risk drivers
• Frame the issues that are most critical for the C-suite to understand
Rob Havelt
Director, information Governance, Risk and Compliance (iGRC)
infoedge LLC
rob.havelt@infoedgellc.com
@dasfiregod
About infoedge LLC
infoedge helps you improve business strategy, accelerate innovation and manage
risk, so you can succeed in the information economy.