We all know that breaches and cybersecurity are topics of boardroom discussion. But how should security leaders present them to their boards? Jim Anderson of BAE Systems Applied Intelligence offers tips.
The dialogue starts by understanding the board's fundamental needs, says Anderson, who is the BAE business unit's president of the Americas region.
"Boards really want to understand the operational risk to their company, along with the plans for how one wants to handle that risk and reduce the impact," Anderson says. "A dialogue showcasing how you're prepared, the current protections in place, how threats are detected and how the organization will respond is crucial when you're talking at the board level."
What it boils down to, he says, is: 'How much do we want to spend versus how much risk is associated with that decision?'
The key to responding to today's threats and threat-actors, Anderson says, is to understand that the end-game is not just about keeping the bad guys out of your network. "You certainly shouldn't build a fence and say 'OK, I'm worried about keeping the bad actors from getting in,'" Anderson says. "What you do is prepare an environment for what happens once they do get in, and be able to respond to that to minimize the risk.
"It's not that they got in your environment," he says. "It's how much [data] they leave your environment with that the focus should be on."
Breach response and board discussions will be key topics of debate at RSA Conference 2015. In an exclusive interview conducted in advance of the event, Anderson discusses:
- Characteristics of the new threats and threat-actors;
- How we must adjust our cybersecurity posture;
- Best practices for talking about security with the board.
Anderson is responsible for the design and execution of BAE Systems' cyber and financial crime business across the Americas. Before joining BAE last year, he held senior sales positions at Cisco, Dell and Hewlett-Packard. Anderson holds an MBA in marketing from the University of Pennsylvania's Wharton School of Business and a bachelor of science degree in electrical engineering and computer science from Princeton University. He also completed Northwestern University's Kellogg School of Management Global Executive Management program.