The CISO of global media giant Hearst Corporation has heralded a cup of coffee as the best tool for getting boards on board with cyber security efforts.
Speaking yesterday at the SINET61 security conference in Sydney, David Hahn said conversations with executives around security should be framed in terms of business continuity, and shouldn’t end when the meeting is over.
“I talk to them beyond the board meeting. I talk to them one on one – over coffee,” said Hahn. “They want to have that ‘this is a really dumb question but what the heck is an APT?’ They want to ask that without being embarrassed in front of the board.”
Hearst is made up of 360 businesses including cable channels, television stations and newspapers. It also runs magazine brands like Cosmopolitan, ELLE and Harper’s Bazaar and has investments in Buzzfeed and Vice.
Hahn said there had been a shift in the company’s attitude towards cyber security following the Sony hack in 2014.
“I think Sony really resonated: can that happen?!” explains Hahn, who has held senior information security roles at Wells Fargo and Intuit. “Sony was a representation of disrupting your business at a level that no one had seen before. It’s not just about data theft in terms of lost credit card numbers and you got fined. Even with Target and Home Depot, it didn’t resonate with the board to the same level.
“What they’re interested in now is how do you resume your business? How do you maintain it? If televisions go dark we lose money immediately. There’s no ripple effect. We don’t sit there worried about regulators.”
It was important to tell boards a story when explaining cyber security, Hahn said, rather than overloading them with statistics.
“My job is to not throw a lot of technical mumbo jumbo at them,” he explained. “They’re not going to understand that. It’s really not my job to explain to them if having 1000 vulnerabilities is good or bad. They don’t want to hear that.
“My approach is: I have to explain it in a story. I have to explain to them what is going on what is not going on. I don’t go into a lot of complicated statistics like how many vulnerabilities do you have, how many breaches have you had, how many attacks have you had. It doesn’t really make any sense to them. They want to bring you back to: how is it protecting our business and our ability to sustain our digital strategy.”
The Hearst board’s response was often “do you need more money?”, Hahn said, but they needed to know security was a “sustainable piece”. The coffee follow-ups were a good way of maintaining the dialogue.
“They ask me about the latest phishing email they got,” Hahn said. “So you start with that, you help them. Why are they getting this phishing email? And is everything going to go terrible if they click on it? I tell them – don’t click on the link but even if you do I still have you protected because I’m going to cover you either way.
“You want them to tell them this is an ongoing conversation. It doesn’t end in one purchase or one installation of something. It’s an ongoing thing because the risk continues to evolve as well. They leave with a sense not of getting a full answer, because there is no such thing, but of a dialogue that I continue with them.”