Compliance | 6 min read

How to Answer Tough Board-Level Security & Compliance Questions in 2018

GDPR. Meltdown. Spectre. SOC 2. Coming at you like mosquitoes on a hot summer night, these topics are of top concern for board members and security teams alike. But what do you do when these issues really aren’t a concern for your particular organization? And how can you put your board and executive team at ease when these issues hit the news?

Our CSO Sam Bisbee spoke about ways to handle and prepare for each of these hot-ticket questions in a webinar, and you can read the following recap to begin preparing for meetings with your board today.

1. “How are we complying with the GDPR?”

If the EU’s GDPR applies to you, maintaining compliance is critical. You don’t have to look far to see scare tactics from vendors ranging from law firms to compliance consultants, and unfortunately, these are what your board members are likely to read and come to you about. As this Schellman ebook explains, the GDPR applies to organizations even if they have no physical business presence in the EU. If a business has users, customers, employees, or contractors located in the EU, the GDPR applies.

Before talking to the board, your first order of business is determining whether the GDPR actually applies to you and understanding its full scope of impact. If it does apply, then it’s important to understand the exact definition of PII as defined in the EU (you can find that here). Once you know what data is affected, inventory it, the systems it lives in, the owners of those systems, and why it is necessary to store that data at all. You’ll also want to find out whether any of your customer contracts mentioning PII conflict with this new regulation and how you will handle that.

Next, you’ll want to assess how soon GDPR enforcement is likely to reach your business. Major companies like Facebook and Google were among the first to be evaluated for compliance, and they’ll be followed soon after by companies in regulated industries and those who have customers in the region. How closely linked you are to doing business in the EU may determine how quickly you need to meet compliance, but sooner rather than later is always a safe policy.

Once you understand these key points, you can enter the boardroom with confidence. As with any other major compliance regulation, give the board your assessment of the situation, your plan, and a timeframe to achieve it. In many ways, the GDPR can be an asset to your business because it allows you to continue doing business in a major economic region of the world, and positioning it this way can help get your board members on the same page with you in terms of understanding and support.

2. “Are we protected against Meltdown or Spectre vulnerabilities?”

If there’s anything else being hyped right now besides GDPR, it’s the Meltdown and Spectre vulnerabilities. Like GDPR, there is a lot of FUD (fear, uncertainty, and doubt) out there about these security issues, and your goal as a security professional is to put out the fire, especially when there were never any sparks in the first place.

The fact is, these two vulnerabilities are just another set of potential security issues, so standard security operating procedures apply. Just as you handle and prepare for any other security concern, you need to have a plan in place to deal with them.

That said, before you walk into the boardroom, you need to know the following four things:

  1. Understand what Meltdown and Spectre are and how (if at all) they apply to your business (read this, as well as this post on new Spectre variants).
  2. Develop a plan to remediate any existing vulnerabilities and protect against potential future damage.
  3. Measure what (if any) negative impact remediation efforts could have on the business (e.g., system downtime, performance impact).
  4. Rank how these vulnerabilities compare to others in your infrastructure (to help you prioritize).

Whether you’re talking to a board member or a current or prospective customer, the most important thing to remember is that these are vulnerabilities just like the ones you’ve dealt with in the past, and at this point, most attacks are simply theoretical and research-grade, meaning there is likely no immediate cause for alarm and there is time to properly prepare.

3. “How are we ensuring that information won’t be leaked from an open S3 bucket?”

As a security company that helps businesses secure their AWS infrastructure, we hear this one often. The truth is, S3 is not unlike other technologies used in years past to store data. In that sense, it’s better to move the conversation, should it arise, away from the specific technology and focus on the greater topic of data sensitivity and risk. The problem isn’t about S3 buckets at all, but about companies lacking a proper understanding of the risks of storing data in various locations.

Let’s say you’re evaluating the storage of confidential paperwork in a safe at home versus a safety deposit box at your bank. Whereas your home safe relies on a single secret in order to gain entry, the safety deposit box requires multiple steps, thus giving you greater security. However, the safe at home is far easier to access, whereas the safety deposit box isn’t. The key here, and how it applies to business data, is evaluating the level of sensitivity of information and using that to determine where you store it.

Put simply, if you don’t have a strong understanding of S3 security and governance over changes to S3 buckets, you shouldn’t store data there that could be exposed — especially if you don’t have security monitoring in place. In some cases, it may be more secure to store data in a private repository. But regardless of where you store it, have role-based access policies in place, managed through configuration management, to introduce stronger security and controls.
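The governance point above, that you should know exactly who can read a bucket before sensitive data lands in it, is something you can check mechanically. The following is an added example, not code from the original post or from Threat Stack: an offline audit of the two places an S3 bucket can be opened to the world, its bucket policy and its ACL. It flags Allow statements that grant read-type access to a wildcard principal (including wildcard actions such as `s3:Get*`) and ACL grants to the AllUsers / AuthenticatedUsers groups. The bucket names, account ID, and grant lists are constructed samples; in practice the inputs would come from the bucket's policy and ACL as exported by the AWS API or stored in your configuration-management repository.

```python
"""Offline audit of S3 bucket access configuration (added example, not the post's code)."""
import fnmatch
import json
from typing import Any, Dict, List

# ACL grantee URIs that mean "everyone" or "any AWS account holder".
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Concrete actions that let a caller enumerate or read bucket contents.
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal: Any) -> bool:
    """True when the statement's Principal is the wildcard '*' (any caller)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def exposed_read_actions(actions: Any) -> List[str]:
    """Return the READ_ACTIONS matched by the statement's Action patterns.

    Action entries may be wildcards such as 's3:Get*' or 's3:*', so each
    pattern is matched against the concrete read actions rather than compared
    as a plain string.
    """
    patterns = [a.lower() for a in _as_list(actions)]
    return sorted(r for r in READ_ACTIONS if any(fnmatch.fnmatchcase(r, p) for p in patterns))


def find_public_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Report Allow statements granting read access to a wildcard principal.

    Statements carrying a Condition (e.g. restricting to a VPC endpoint) are
    still reported but flagged, so a reviewer decides whether the condition
    really bounds the exposure.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not principal_is_public(stmt.get("Principal")):
            continue
        exposed = exposed_read_actions(stmt.get("Action"))
        if exposed:
            findings.append({"sid": stmt.get("Sid"), "actions": exposed,
                             "conditioned": "Condition" in stmt})
    return findings


def find_public_acl_grants(grants: List[Dict[str, Any]]) -> List[str]:
    """Return permissions the ACL hands to AllUsers / AuthenticatedUsers."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GRANTEES]


def audit_bucket(policy_json: str, grants: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Combine policy and ACL checks into one verdict for a bucket."""
    policy = json.loads(policy_json) if policy_json else {}
    statements = find_public_statements(policy)
    acl = find_public_acl_grants(grants)
    return {"public": bool(statements or acl), "policy_findings": statements, "acl_grants": acl}


# --- Constructed sample inputs (placeholder bucket names and account ID) ----
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": ["s3:Get*"], "Resource": "arn:aws:s3:::example-reports/*"}],
})

ROLE_SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppReader", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111111111111:role/app-reader"},
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]}],
})

PUBLIC_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

if __name__ == "__main__":
    print(audit_bucket(PUBLIC_READ_POLICY, []))                  # policy opens the bucket
    print(audit_bucket(ROLE_SCOPED_POLICY, PUBLIC_ACL_GRANTS))   # policy is fine, ACL is not
```

Run as a pre-merge check on the policy and ACL files in your configuration-management repository, and as a periodic scan of live buckets, so a change that opens a bucket is caught before data is placed there and is surfaced in monitoring if it happens anyway.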

4. “What is our plan for achieving SOC 2 compliance?”

SOC 2 is another hot topic these days because it applies to just about any company that uses the cloud to store its customers’ information. If it hasn’t already, it will likely come up in your sales conversations, as more and more companies are asking for it, and it can be a big sales booster if you do have it. Done right, achieving SOC 2 compliance means you have secure workflows, tools, and integrations in place that better tie in your cloud infrastructure and give you greater visibility and control over activity.

In order to achieve that, however, you need company-wide buy-in, which is why it’s important to lay out a plan that you can present to the executive team and your board. In our experience, top-down buy-in for this project is critical to its success.

Read this post to learn how to achieve SOC 2 compliance with zero exceptions and take a look at our compliance playbook that walks you step-by-step through the process so you can present a thorough plan to your executive team and board.

5. “How do we know that someone isn’t stealing our IP?”

Data theft from nation state attackers seems like a looming threat, but is it realistic that your business will be hit by it? Likely not. Nation state attacks are headline news stories in the likes of the Wall Street Journal and InfoWorld, which your board members may read daily, so it makes sense that they’re coming to you asking about it. While it’s good to recognize that these are potential threats, your job is to realign your board members on security issues that have a much higher likelihood of exploitation, like phishing scams and password theft.

We see many businesses prematurely optimize for nation state attacks, but as a result, other significant vulnerabilities and threats get forgotten about, which can cause even bigger issues.

The truth is, by investing your time and budget in everyday security issues that keep the doors locked and data secure, you not only make it harder for everyday attackers to get in, but for nation state attackers as well (should they choose to target you). Attackers big and small are always looking for the easiest route in, because it’s more costly to attack up the chain. There is ROI in being an attacker, and there is ROI in being a defender, so explaining to your board why you are focusing on the more realistic attacks at hand should make a lot of sense to them.

Final Words: Be Prepared for the Unexpected . . .

Being prepared for the topics discussed above will make your board meetings go a lot more smoothly, but they likely won’t be without an oddball question or two. Keep in mind that most board members do not have a security background or experience with a breach, and it’s up to you to ground them in truth and reason when issues in the news appear important but in reality are not. To navigate other questions that may come up, focus on reorienting them back to reality and data-backed decisions so you can explain why a particular issue is or is not of concern to your business and what your plan is. And of course, if a question comes in that could derail the entire meeting, offer to discuss it one-on-one at a separate time. In this way, you can build rapport with your board by offering to educate them independently, while keeping to the agenda.

Trust in your knowledge and expertise, and with a reasonable amount of preparation, board meetings can become a productive place for real conversations, bringing security closer to the heart of the business and gaining widespread buy-in to make your job easier.