How to Answer Tough Board-Level Security & Compliance Questions in 2018

GDPR. Meltdown. Spectre. SOC 2. Coming at you like mosquitos on a hot summer night, these topics are of top concern for board members and security teams alike this year. But what do you do when these issues really aren’t of concern to your particular organization? And how can you put your board and executive team at ease when these issues hit the news?

Our CSO Sam Bisbee spoke about ways to handle and prepare for each of these hot ticket questions in yesterday’s webinar. You can view the entire webinar or read our recap below so you can begin preparing today.

1. “What’s our plan to be GDPR compliant”

The EU’s latest security regulation, GDPR, is on nearly every company’s mind. You don’t have to look far to see scare tactics from vendors ranging from law firms to compliance consultants, and unfortunately, these headlines are what your board members read and come to you about. As this ebook  explains, GDPR applies to businesses even if they don’t have a business physically located in the EU. If any business has any users or customers located in the EU or employees or contractors located there, GDPR applies.

Before talking to the board, your first order of business is determining whether GDPR actually applies to you and its full scope of impact. If it does, then it’s important to understand the exact definition of PII as defined in the EU (you can find that here). Once you know what data applies, begin to inventory it, the systems it lives in, system owners, and why that data is necessary to even store. You’ll also want to find out whether any of your customer contracts mentioning PII conflict with this new regulation and how you will handle that.  

Next, you’ll want to assess the likelihood of GDPR applying to your business right away. Major companies like Facebook, Amazon, and Google will be the first to be evaluated for compliance, followed soon after by companies in regulated industries and those who have customers in the region. How closely linked you are to doing business in the EU may determine the priority level of how quickly you need to meet compliance, but sooner than later is always a safe policy.

Once you understand these key points, you can enter the boardroom with confidence. As with any other major compliance regulation, explain to your board your assessment of the situation, the plan, and a timeframe to achieve it. In many ways, GDPR can be an asset to your business because it allows you to continue doing business in a major area of the world, and positioning it this way can help get your board members on the same page with you.

2. “Are we protected against Meltdown or Spectre vulnerabilities?”

If there’s anything else being hyped up right now besides GDPR, it’s the Meltdown and Spectre vulnerabilities. Like GDPR, there is a lot of FUD (fear, uncertainty, and doubt) out there about these security issues, and your goal as a security professional is to put out the fire if there aren’t sparks there in the first place.

The fact  is, these two vulnerabilities are just another set of potential security issues, so standard security operating procedures apply. Like you handle and prepare for any other security concern, there needs to be a plan in place to deal with them.

That said, before you walk into the boardroom, you need to know the following four things:

  1. Understand what Meltdown and Spectre are and how (if at all) they apply to your business (read this)
  2. Develop a plan to remediate any existing vulnerabilities and protect against potential future damage
  3. Measure what (if any) negative impact could be caused to the business by remediation efforts (e.g., system downtime, performance impact)
  4. Rank how these vulnerabilities compare to others in your infrastructure (to help you prioritize)

Whether you’re talking to a board member or a current or prospective customer, the most important thing to remember is that these are vulnerabilities just like the ones you’ve dealt with in the past, and at this point, most attacks are simply theoretical and research-grade, meaning there is likely no immediate cause for alarm and there is time to properly prepare.

3. “How are we ensuring that information won’t be leaked from an open S3 bucket?”

Being a security company that helps businesses secure their AWS infrastructure, we hear this one often. The truth is, S3 is not unlike other technologies used in years past to store data. In that sense, it’s better to move the conversation, should it arise, away from the specific technology and focus on the greater topic of data sensitivity and risk. The problem isn’t about S3 buckets at all, but about companies lacking a proper understanding of the risks of storing data in various locations.

Let’s say you’re evaluating the storage of confidential paperwork in a safe at home versus a safety deposit box at your bank. Whereas your home safe relies on a single secret in order to gain entry, the safety deposit box requires multiple steps to entry, thus giving you greater security. However, the safe at home is far easier to access, whereas the safety deposit box isn’t. The key here, and how it applies to business data, is evaluating the level of sensitivity of information and using that to determine where you store it.

Put simply, if you don’t have a strong understanding of S3 security and governance over changes to S3 buckets, you shouldn’t store data there that could be exposed — especially if you don’t have security monitoring in place. In some cases, it may be more secure to store data in a private repository, but regardless of where you store it, have role-based access policies in place using configuration management to introduce stronger security and controls.

4. “What is our plan for achieving SOC 2 compliance?”

SOC 2 is another hot topic these days because it applies to just about any company that uses the cloud to store its customers’ information. If it hasn’t already, it will likely come up in your sales conversations as more and more companies are asking for it, and it can be a big sales booster if you do have it. Done right, achieving SOC 2 compliance means you have secure workflows, tools, and integrations in place that better tie in your cloud infrastructure and give you greater visibility and control into activity.

In order to do that, however, you need end-to-end company buy in, which is why it’s important to lay out a plan that you can present to the executive team and your board. In our experience, top-down buy-in for this project is critical to its success.

Read this post to learn why more businesses are demanding SOC 2 compliance today and get our compliance playbook that walks you step-by-step through the process so you can present a thorough plan to your executive team and board.

5. “How do we know that someone isn’t stealing our IP?”

Data theft from nation state attackers seems like a looming threat, but is it realistic that your business will be hit by it? Likely not. Nation state attacks are headline news stories in the likes of the Wall Street Journal and InfoWorld, which your board members may read daily, so it makes sense that they’re coming to you asking about it. While it’s good to recognize that these are potential threats, your job is to realign them on security issues that have a much higher likelihood of exploitation, like phishing scams and password theft.

We see many businesses prematurely optimize for nation state attacks, but as a result, other major vulnerabilities and threats get forgotten about, which can cause even bigger issues.

The truth is, by investing your time and budget in everyday security issues that keep the doors locked and data secure, you not only make it harder for everyday attackers to get in, but for nation state attackers as well (should they choose to target you). Attackers big and small are always looking for the easiest route in, because it’s more costly to attack up the chain. There is ROI in being an attacker, and there’s ROI in being a defender, so reasoning with your board about why focusing on the more realistic attacks at hand should make a lot of sense to them.

Final Words: Be Prepared for the Unexpected . . .

Being prepared for the topics above will make your 2018 board meetings go a lot smoother, but likely they won’t be without an oddball question or two. Keep in mind that many board members do not have a security background or experience with a breach, and it’s up to you to ground them in truth and reason when issues in the news feel important but in reality are not. To navigate other questions that may come up, focus on reorienting them back to reality and data-backed decisions so you can explain why a particular issue is or is not of concern to your business and what your plan is. And of course, if a question comes in that could derail the entire meeting, offer to discuss it with them one-on-one at a separate time. In this way, you can build rapport with your board by offering to educate them independently, while keeping to the agenda.

Trust in your knowledge and expertise, and with a little preparation, board meetings can become a productive place for real conversations, bringing security closer to the heart of the business and gaining widespread buy-in to make your job easier.

Previous Video
T-72 Hours to Report a Breach: Are you GDPR Ready?
T-72 Hours to Report a Breach: Are you GDPR Ready?

GDPR deadlines are fast approaching and many US companies are behind the curve. Watch this video to learn h...

Next Flipbook
5 Security and Compliance Issues Your SaaS Should be prepared for in 2018
5 Security and Compliance Issues Your SaaS Should be prepared for in 2018

Check out this quick reference for clarity and actionable advice on the top security and compliance concern...

Get Access to Threat Stack's Cloud Security Platform

Start Trial

Access All Security Content

First Name
Last Name
Job Title
I'm interested in a demo of Threat Stack's cloud security solution
Yes, I'd like to opt-in to Threat Stack communications
Yes, I'd like to opt-in to Threat Stack communications
*We value your privacy - link to Privacy Page
Thank you!
Error - something went wrong!