Sleepless in Cyber
Sometimes its difficult to get all the parts done during the day, so many CISO's work through the night to keep people safe and secure. If you are having a sleepless night, and are worrying about cyber and privacy, download an episode and enjoy!
Sleepless in Cyber
A CISO's one pager to the board of directors
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
Providing information to the board is a key skill for a CISO. Tonight we will be talking about creating a 'One-Pager', that can help get relevant and important information to the board, and otherwise show the value of cybersecurity to the leadership.
Welcome everybody. Hope everyone's having a wonderful evening. Um, I've got a topic tonight about uh presenting to the board, and we've been talking recently about metrics and talking to the business leaders in terms of risk. And one of the things that I do that I've done for a very long time that I encourage my clients to do is to provide regular updates to the board. Now, sometimes this can be difficult, uh, just getting in front of the board. Um, so we're gonna cover that sort of topic a little bit later, but tonight I wanted to cover the the actual document, the the piece of paper that you provide to the board uh for the board agenda, and otherwise present if you're you're sitting in front of the board. Uh I call it a one-pager, sometimes it's one page to two pages. But this one pager really is about the cybersecurity program. And I've got a kind of a standard one that I've used in the past that we're going to cover today, and specifically, you know, what pieces do you want in there and why. So when you when you are talking in front of the board, you want to number one reaffirm them that the security posture of your organization is doing well. And that you are looking at the metrics, um, you're looking at detections, you're looking at response times, uh, and most importantly, that you haven't had any incidents or breaches in the previous period. Um those are the things that you really should be top of your mind when you're when you're talking to the board, and uh really reaffirming that security program is being successful. Now you also cover things like uh projects uh if you're deploying new technologies or new controls, you want to make sure that those pieces are out there so that they know what's going on, um and you otherwise answer questions. Um at times for certain boards, you also want to talk about what you are moving forward with and any asks. So uh maybe you have a pen test coming up or an IT audit or uh you're deploying you're trying to deploy a new product and you're needing money, um, then if that's the appropriate time to present that information, uh, depending on how that works in your organization, then this board report is that perfect time. Um now let's talk a little bit about uh boards and how CISOs or security professionals interact with the board. I was very fortunate that I had direct access to the board. Um it took a few years to get to that point, but I had a dotted line uh to the audit risk committee. Uh I also have a dot I had a dotted line to the president. Um so I was very fortunate I had fantastic support from our leadership, um much to some of my CIOs' dismay, um, because they didn't have that sort of access uh at the time. Uh then we got new CIOs and and things changed and and whatever, but you know, the um boards are generally very interested in what's going on with cybersecurity. So it's normally not hard to get in front of your boards. It depends on the board makeup and and what you are. But the audit and risk committee is very common for cybersecurity to present to because it is a significant risk within the organization, and they want to know what is happening with that and what we need to do different in the organization. Um so anyway, uh that's very common the audit and risk committee. Uh sometimes it goes uh there are other committees um and and subcommittees that you would present to. Sometimes you present, and sometimes your CIO presents. Um it's very common for the CIO to present both sides, uh, and you usually don't have a whole lot of time. Uh boards get very busy. And when they're when they're meeting once a quarter or once a semester or even once a month, they have a lot of things they have to go through. So you want to keep your your presentation very quick. Uh you will get questions, and we'll talk about some of those questions a little bit later, but you will get questions about this, and you want to be able to explain it. But the the document, and that's really what we're talking about tonight, is the document, that one pager that's you're going to provide to the board. That is it's really critical. You want to make sure that you get the right information in a digestible way for them to read, for them to look from one meeting to the next, to the next, to the next, to see how progression is happening, and otherwise get them the information they need to help them make decisions. So, some of the things that I always do, that you know, of course, you always do your executive summary. Uh, and this does not have to be very long, you're talking about a couple of senses. Um, and and I kind of talked about it earlier where you're talking about you know, your security posture is is good, it's stable, you have you've got uh good detections and response times, and then be prepared to explain that. We'll talk about that in matrix in in the next section. Um and and Neo's other things. I mean, you're talking a 30-second paragraph to if you were going to read it. Now, I would advise you not to read it. You should have this one pager almost completely memorized. You need to be able to not have to look at the paper to be able to recite what is on there to the board. You want to engage the board members, you want to look them in the eye, you want to engage them, you want to get their nonverbals, you want to see how much they are invested in you talking. Um, and now we will have an episode just on that, doing understanding those nonverbals and understanding how to socially interact with the board. This is just about this piece of paper. So while you have it, you don't really want to read from it. You want to know everything that's on it, though, so you can talk to the board about it. So, executive summary, a few sentences. Pretty simple. The next section is going to be key metrics. Now, these metrics, uh, we talked about some of the metrics in a previous episode. Um, those are very, very common to put in this. I have a list here. So threats detected, uh, 1842, threats prevented, 1615, time to detect, less than five minutes, time to respond, less than twenty, endpoint coverage, ninety-six percent. These are very simple metrics. It's easy to get. You can get this from your SIM, your SOC, uh, we can get it from your firewall, you can get it from your call tracking system, you can get it from your configuration management system or your your MDR. These are simple, and you can put them on every time, and they mean something. Okay, we had this many threats, we stopped this many of them, and then be ready to explain why you didn't stop them all. Uh, time to detect less than five minutes. That means you're very responsive. Time to respond, that again, you're being very responsive to security threats. This puts confidence in whoever you're talking to that you're quick to respond, you're quick to deal with these issues, these issues that come up within the organization. Uh, endpoint coverage, well, that's visibility. You know, how much visibility do you have? If you don't have all of your machines uh uh completely covered with MDR, well, then you don't have visibility. So having those numbers out there can be extremely helpful. Now, these metrics may change over time. Uh when you get new technologies and you can provide new metrics out, that's fine. But you really want to have, you know, a uh uh a quarter or a month, a month to month, or quarter to quarter, whatever comparison. They want you want them to be able to go back and see, well, how many threats did we detect last month or last quarter? Um, or threats prevented, or what was our our time to detect this month? Uh oh, it was it was more. It was ten plus minutes before we detected it. Why? Time to respond, if it was really high, why? And maybe it has a legitimate reason. Maybe you lost your s you awesome staff members, so it took longer for you to respond to things. So those are all legitimate things, and these are things they need to understand. Now, what their job is to understand the risk and make decisions about that, but they can't do that if you don't give them something they can evaluate and they can compare. Now, we're talking about qualitative um things and quantitative things. You really want to show in your metrics the quantitative, you want to have numbers there. Um, I I wouldn't put qualitative, um, that's in a different section that might be in the executive summary, but in your metrics, you want to say to quantitative, you want to have numbers, real numbers, so they can compare these numbers over time. Now, the next section of the report is really going to be um you can call a couple of different things, but notable activity. You know, what is something that happened, or what are an increase things that happened. They want to be aware of what kind of attacks you're going in. If you walk in there and say, Yep, well, we're fine. Yep, yep, don't worry about us. We're we're you know, we're we're we're fine. Nothing, nothing happening. That that doesn't really give them confidence. You want to tell them what has happened, uh, give them some examples, such as you detected and you found you you detected a misuse of uh user accounts, uh compromised user accounts. You found it on dehashed or whatever. Um that's a problem, and that would be a risk. So tell them we found it, we saw it, we blocked it, the endpoint was isolated, we found it, they clicked on a link, whatever it is. So you give them real examples of things that you're dealing with. You don't want to go into a whole lot of detail unless they ask you questions, but you do want to give them something so they have a realistic idea of what you're dealing with day to day. So that's under that notable activity, that that section of what's actually happening. Now, once you kind of give them that that basics, you give them the metrics and then what's kind of happening, now you got to give them risks. Now, understand that their job is risk-based. Now, we talked about why they think about risk differently than we do in cybersecurity, but you need to present cybersecurity risks to them. And uh and here's some examples. Number one, you can talk about well earlier we talked about some of your machines don't have EDR on them. Okay, say that. You can say remaining endpoints on onboarding or remaining endpoints do not have EDR, um, which means we have reduced visibility uh in our systems, in our network. That's the risk. Now you want to provide the mitigation. What are you doing because of this risk? And you say we are continuing to deploy uh EDR across the network. We are looking for full endpoint coverage uh to eliminate the visibility blind spots. Pretty simple. Here's another one. Uh, let's say you have limited MFA. Let's say you don't have MFA on legacy systems. Put that in there. But say uh lack of MFA on legacy uh systems, mitigation. Number one, you're expanding your MFA to include legacy systems, and or you're replacing those legacy systems with something that can is capable of dealing with MFA. Uh give me another one. We're seeing an increased phishing attacks against the employees. Mitigation. We are we're doing um more email filtering, we're doing more user training, uh, and we're monitoring um the systems to reduce the successful credential compromises. Again, going back to the misuse of credentials. So, you want to provide those risks, you want to be realistic, you want them to be legitimate in terms of what you're dealing with, but you also want to make sure you provide those mitigations. Um let's say you don't have the mitigations, okay, then you need to provide what you're doing or what you're needing to do. Let's say you need to buy a product or you're looking for something, those are things that you want to you can mention here. Now we have another section that we're going to talk about on that, but that could be if you're seeing a major risk uh pop up, let's say it's a new risk, and you've got to figure out a new mitigation or purchase a new mitigation or implement a new mitigation, whatever. This is where you talk about that. Talk about the risk and what you intend to be doing with that. Um let's say um you are dealing with uh sensitive data. So here's one. It's it's a risk that everyone has to deal with, but you you the way you have to fix it is data loss prevention. So you gotta have a tool or have some other data loss prevention. So the risk is you have lack of visibility uh over sensitive data and it's movement of the data movement. So your mitigation is you're going to evaluate uh DLP uh softwares, and you're otherwise going to figure out how to monitor and control data access back and forth. Now, you're not saying you need money yet, you're just saying this is the mitigation for the risk. That's where you put all that stuff, is right there. Now, we're going to expand the you need products a little bit later when you're talking about needs and wants and things. Now, uh the next section in the one pager would be project progress. Uh, we are always running projects. Sometimes it feels like all we do is projects, but we're always running major projects for um the organization for security. So this is the opportunity to tell them what's going on. Uh and you would include a list like the Simmons Lock expansion. Uh again, talking about the EDR deployment, what we talked about above. You know, expansion, the progress is uh 85%, 90%, whatever. And be prepared to talk about well, what do you need to get to that last 10%, you know, to get it to 100%. Maybe another one is MFA rollout, faculty and staff is in progress, um, or servers or whatever. You know, it's going to be at 70%. Uh, endpoint coverage improvement. We talked about that earlier, in progress 96%. Um, now this really goes into making sure you have good project management, you have good Gantt charts, you're tracking your projects, you have um good information in terms of where you're at and what is the expectation of completing those projects. And I'll tell you, cybersecurity people, IT people in general are terrible at project management. You have to get good at it. You have to make sure you are tracking your projects correctly and accurately. Uh, if you don't do that, you can't get in there and talk to people about how long a project is going to take. And that is one of the frustrations a lot of boards have with IT and IT security, is they don't have any accurate information. Now, I'll tell you, a lot of IT people will say, well, I'll just get it done when I get it done. That's that's not the way that works. You know, the business can't run like that. They can't, they are looking at time and resources, and they don't know if a project's going to take six months or six weeks. So they trust us to be able to understand that and be able to communicate that correctly. Okay, so that's the project progress. Um, and and again, we're talking about three or four or five things. Now, if you've got 25 projects, you have too many. You're not getting them all done. You might have things in the queue and you can keep that somewhere. You might put that somewhere for them to see that you have all these projects ready to go, um, but they have not been started yet. Um, I wouldn't put it on this one page here because you're just going to fill it up. I know a lot of people like putting lots of projects. They like to start lots of projects, but don't ever finish them, and they like to put them a lot of them to show how busy they are. Well, that's just really not appropriate or even realistic. So make sure you have a legitimate number of projects that you're tracking and make it worthwhile. So the things that I said here, the SIM, the MFA, the endpoint protection, those are all projects that have a start and an end, an end of deployment. It may not be an end of monitoring, but at least it's an end of deployment. Um and you you need to make sure you have that in some sort of tracking management. Now, if you're not tracking those, there is no way you're going to be managing those projects correctly. There's no way you're going to be managing the pieces of the project and your resources to be able to communicate that. So project management is super critical. Alright, the next section of the one pager. Uh, you this would be any upcoming things, uh, audits, pen tests, whatever. A lot of organizations they have to have uh regular pen tests, regular IT audits, regular controls audits, uh, regular data inventories, whatever, and this is an opportunity to talk about that. Say you've got an external pen test coming up in a month or scheduled for May 2026, you've got GLBA and IT controls audit scheduled for June 2026, uh, you've got internal vulnerability assessment ongoing, but the quarterly report should be available in uh in May. Whatever those pieces are, you need to put a list together so they know what to ask you about in a month or two. Uh, if you are supposed to get a pen test every month, you need or uh every year, you need to be um have that on your schedule. Hey, you need to make sure you're working through the process, you're getting a pen test company, you're getting the budget, you're getting it scheduled, you're getting it done, you're getting the report, and you're ready to present that report to the board. So this upcoming audits and testings is really to let them know when they can be um when they can expect to have these things. And and and I'll tell you, when you're doing an audit or a pen test, that's usually a special presentation to the board. You do your one pager, but then you're also going to present the results of the audit or the results of the pen test. Now, I will say this. Um now I'm on this side where I'm working with the clients, when I am talking to people, they will at times want me to present their pen tests or their IT audit or their IT controls audit to their board. So it's an outside opinion to coming in, and the board can ask us questions. So it's a third party at checks and balances type type thing. And so you have to prepare for that. You got to make sure that you have a company that can do that or will do that, and you want to make sure that they have you on the schedule to be able to present that stuff. So that is one way to get onto the board is make sure that they know that you've got a pen test coming up and that you're prepared to present the results of that pen test, not only the results of what happened to the pen test, but how are you fixing it? You know, that's going to be what they're really worried about is how are you fixing those problems? All right. Um, the next section um can be actions taken. So these are the successes that you've had, um, the things that you've done. Um and this could be a short list, it could be uh very simple expanded EDR, improved alert triage and response workflows, uh, implemented additional phishing protections and updated incident response procedures. So they're gonna want to know what you've been doing over the last quarter or over the last month. So you want to make sure that they know. Now, everything that we talked about on that, everything you put on there, make sure you can actually describe to them in case they have questions. They might ask you, you know, what did you do to improve alert triage and response workflows? Well, we implemented training for all of our people. We have very specific thresholds and checklists for them so that when they an alert comes in, then we can uh evaluate it quickly and then we can get it to the correct workflow to get it resolved quicker. So we dropped our times down, you know, 20% or whatever it is. I mean, you don't want to make stuff up, but you want it legitimate, but that's how you would otherwise describe what did you do in the last quarter? And you want to try to keep this, you know, maybe five or six or seven things, depending on how often you meet with the board. You don't want to go overboard. Um, just like with risks, you don't want to go overboard with the risks, you want to hit those high points. And again, be prepared to talk to them. Uh, so after you talk about the things you did complete, now it's going to be talking about the things that you're going to complete. So this is going to be uh uh some of the stuff that we talked about up in the in the top, where we're talking about um the uh uh maybe the risks and issues, and this is going to be your mitigation mitigation steps. But these are going to be those next steps that you implement. So things like we're going to complete MFA rollout, we are uh we're going to close the endpoint visibility gate. We're going to prepare for the audits. We're going to continue detection and response. We're going to evaluate and select a DLP solution. These are the things that you are going to complete before the next meeting. So that when you talk to them in the next meeting, all these next steps are now under the actions taken. Now, the reason why this is important, and this is something that people don't really think about all that often, is you need to show them you're doing your job. And I hate saying it like that, but that is the absolute truth. You need to show them that you're capable at your job, that you're being successful, you are working on problems. Sometimes security people think we just have to exist, and that's not the case. We have to be successful in our jobs, and you have to work at it, and you have to think of this as how am I going to describe to someone that is not in security that we're being successful. That's what this report is about. But that's also what we need to do every day in our jobs. You should be keeping track of the six the successes you have. I had a document that I had, it was an ongoing document that I maintained for next steps and actions taken so that as I check stuff off, well, I I had that that I could go back in and pull it and put it into this report. I've got uh I do this with my team right now where we have a section called Morning Goals, and we have our weekly notes that we put into the weekly newsletter effectively, but I have uh morning goals, so they come in and I want them to think about what are the things I'm going to get done today and put them down and then get them done. Actually mark them out, go back into the thing and mark them out when you get them done. So I can watch and make sure everyone is getting what they need. If they need help with something, I can help them, or I can get other people to help them. But having that checklist is really, really, really important. I cannot stress that enough. Now, a lot of people say, well, that's just busy work, that's just this. It's not, it's management. You're managing your time, you're managing your resources, you're managing your effort, and that is critically important, but it's also really important to show that to the board and to those other individuals in leadership. So a lot of people don't like it, they hate call tracking. Uh, and I understand why, but I I think they need to get over that, honestly. But this is really important, and you make sure you provide this to the board in your one pager. Now, the last part of the the one pager is going to be those decisions needed. Now, this is important because this is the last thing that they see, this is the last thing they talk about, this is the last thing that's going to be on their mind when you leave that board meeting. And here's what it's going to be. So, decisions needed. So, maybe you need approval to enforce MFA on remaining legacy systems. Maybe you've got IT who's resisting because they don't want to put any effort on these systems, and you need to force them, and they're not going to force, they're not going to listen to you. Now we'll deal with a whole social thing on that, on trying to convince them to do that. But sometimes you need to go in and get approval of leadership to force an issue. How about a support for policy updates for endpoint compliance? Um, maybe somebody just doesn't want EDR on their machines, they think it's going to slow it down, they don't want someone to have access to it, whatever. You need to push this issue, you need to have a policy, so you need to have that support from the board. Um, another one is uh possibly you need to buy something. Approval to procure and implement a data loss prevention solution is what we're talking about on this sheet. So just having the ability and the approval to go buy something. Um, you want that last section of that report to be the last thing that's on their mind. You want them to support you. So that's my one pager. Uh again, it could be up to two pages, but I call it my one pager because you try to keep it as simple as you can. So let's go over it very quickly. Number one, you want to label it. This is going to be a cybersecurity program update, or whatever you want to call it, but you make sure you have a title for it. Uh, you do want to put the date that you're presenting this so they understand, you know, it's for that meeting or that quarter or that month. You're gonna have an executive summary, you're gonna have key metrics, you're gonna have notable activity, you're gonna have risks and issues, you're going to have project progress, so how are you doing on the project, any upcoming audits and testing, which you should be doing on a regular basis, any actions that you have been successful in doing, any next steps that you are going to be successful doing, and then any decisions needed. Now, this is a very basic one-pager. This information is something that you should be able to create at a moment's notice. If you've got 15 minutes to get a report done to the board, you could do it. You should have all this information already. You should be tracking this stuff, you should have it in formats that you can copy and paste it, put it in a document, and get it over to them. Because you need to know all of this stuff anyway to be successful in security and as a CISO. So, if you have a form um or a format that is different, now this was more narrative sections. Sometimes you have a board that wants pictures, and I've done I've done them all. I've done every different kinds where we had we had the dials, you know, the the red, the green, and you know, all kinds of different things. And and those are useful if your board likes that, if they want it. Sometimes you have a very uh very strict guidance on what you can put it in. Uh there was a time where we had to put all of our content into very specific PowerPoint slides because they wanted one large PowerPoint for the board, and all of your stuff had to fit in those slides in a very specific format. That's fine. Uh, you should be able to adapt. Uh, this is you want to present the content, and honestly, you can do it a dozen different ways and still be successful. Alright, with that said, uh, looks like I've been almost 30 minutes. I've been trying to keep these a little bit smaller for everyone. I hope it was useful. I hope it gives you some ideas on how you can provide information to your board. Um, Jess FYI recorded this a couple of nights ago and the mic wasn't on. So I've been watching to make sure that the mic is actually on and recording my sound. And uh so hopefully we'll get this uh exported out and get it up so everyone can see it. So I hope everyone has a great evening. Uh thanks for coming by, and we'll talk to you next time.