Brief Your Board on Cyber – But Don’t Try to Train Them

Back in the late 1980’s, I attended a meeting where everyone kept referencing something called “Excess Seven.” I had absolutely no idea what they were talking about, and I prayed for the meeting to end so that my ignorance would not be exposed.

Things got worse as someone jumped to the board and began chalking boxes mysteriously labeled “STP” and “SCP”. Once the meeting ended, I literally ran to the Bell Labs Library and discovered “SS7” for the first time.

I’m willing to bet that everyone reading these words has experienced some version of this situation. Perhaps it happened in college, or at work, or even in your personal life – but each of us has had the experience of not understanding something that we know we should. And we know that the best way to deal with such lack of understanding involves personal initiative and immediate action. This is how we grow, and we should be grateful when the opportunity arises.

Now, let’s shift our emphasis for a moment to the wonderful experience of being elected to any significant Board of Directors, perhaps for a Fortune 500 company. To be considered for such an important post, you will have already demonstrated meaningful achievement in some field relevant to the company. You might have been a CEO or CFO of some organization, or perhaps you were a distinguished member of the clergy, or maybe you ran a government agency.

But the common denominator is that you are expected to be ready to serve on Day One. That is, any independent director is expected to have a reasonable working knowledge of corporate finance, basic marketing, human resource management, business operations, competitive strategy, and on and on. Woe to the board member who shows ignorance in any of these basic fields: There will be clear social consequences during coffee breaks for such lack of knowledge.

Which brings us to technology, in general, and cybersecurity, specifically. The sad situation for most corporate boards is that there are no social consequences to having an utter lack of understanding of the technology-based aspects of business. Any director sitting down for a board meeting who jokingly laments needing a ten-year-old to help turn on their confounded iPad is met with zero raised eyebrows. In fact, other directors will probably chuckle and agree.

Of course, CIOs know that such ignorance on boards cannot be permitted – and the typical response has been to schedule remedial training in both technology and cybersecurity. The topic of cyber risk is thus a popular request from board principals who nervously watch their shamed executive peers raising their right hands on CSPAN after a serious data breach. It should come as no surprise that training would be considered both appropriate and necessary.

And yet, such training sessions are dangerous when they dumb down technical concepts into comfort-zone terms for board members. It is all too common for the tech to be made simple, so that executives can follow basic concepts and not feel any unease or confusion. I’ve been asked to do this sort of training dozens of times, and I’m generally asked to tailor the cybersecurity presentation toward a minimal level of understanding. Make it easy for them, I’m told.

Here is why this is a bad idea: By offering training wheels for board members in the basics of cybersecurity, we rob them of that critically important discomfort I felt when confused about “Excess Seven.” By making things too easy, we rob them of the urgency that comes from not understanding something they know they should. By dumbing things down, we mislead them into thinking that cybersecurity is simple. And we all know this is not the case.

If you are involved in board-related meeting planning, I’d request that you do the following: From this day on, please agree to no longer support, provide, or condone overly basic, super-simplified training for your members in cybersecurity. Instead, let’s demand that directors be briefed on issues as capable, experienced, and knowledgeable peers. Let them experience our field in our language and let them self-assess whether they understand what is going on.

Look, I fully understand that this will take some courage and resolve. Early reviewers of my thesis have chuckled at the impracticality of going against the grain. Boards will not go for this, I am told. Our CEO will be furious, I am told. We already have someone on our board who understands technology, I am told. Our board secretary simply will not allow this, and on and on. I fully hear your valid claims and it only pushes me more to urge you to action.

If you are a board member reading this – well, I suspect that you might be upset with my comments. But please take a moment to reflect on the grave fiduciary responsibility you’ve accepted as a director. This comes with the implicit understanding that you have the requisite skills to govern. And just as you would never expect to be briefed on corporate finance 101 or basic marketing, you should similarly not demand to be briefed on elemental cyber security.

No – instead, it is your personal responsibility to rush to your own version of the Bell Labs Library. And if you must even ask here how to proceed with such a self-learning process for cybersecurity (hint: check out my Coursera lectures on the topic), then I’d recommend that you initiate that introspective self-evaluation process that served you well in your career. That is, you must ask yourself if you are still fit to serve. (Gulp.)

So, please, let’s all agree right here and now that as security experts, we will stop agreeing to offer 101-type training for corporate boards in cybersecurity. Instead, let’s agree to brief these wonderfully capable executives on security issues as professional and experienced peers in our language. And if you sense during your briefing that there is slight discomfort amongst the participants in the board room, then you will know that you are doing this correctly.

Sorry for the tough love here. Let me know what you think. (I’ll duck.)

This article is a synopsis of points I covered a while back during a webinar held for the Cybersecurity Collaborative, run by my friend Stuart Cohen. Stuart and his founding partners have put together a wonderful collaborative that I encourage you to consider joining. I hope you find the discussion here to be both provocative and actionable – and I hope that you will engage with Stuart’s collaborative.

About the Author

Dr. Ed Amoroso is Chief Executive Officer of TAG Cyber LLC, a global cyber security advisory, training, consulting, and media services company supporting hundreds of companies across the world. Ed recently retired from AT&T after thirty-one years of service, beginning in Unix security R&D at Bell Labs and culminating as Senior Vice President and Chief Security Officer of AT&T from 2004 to 2016.

 Ed has been Adjunct Professor of Computer Science at the Stevens Institute of Technology for the past twenty-seven years, where he has introduced nearly two thousand graduate students to the topic of information security. He is also affiliated with the Tandon School of Engineering at NYU as a Research Professor, and the Applied Physics Laboratory at Johns Hopkins University as a senior advisor. He is author of six books on cyber security and dozens of major research and technical papers and articles in peer-reviewed and major publications.

Ed holds a B.S. Degree in Physics from Dickinson College, MS/PhD Degrees in Computer Science from the Stevens Institute of Technology, and is a graduate of the Columbia Business School. He holds ten patents in the area of cybersecurity and media technology and he has served as a Member of the Board of Directors for M&T Bank, as well as on the NSA Advisory Board (NSAAB). Ed’s work has been highlighted on CNN, the New York Times, and the Wall Street Journal. He has worked directly with four Presidential administrations on issues related to national security, critical infrastructure protection, and cyber policy.