Budgeting for Cybersecurity - NACD BoardVision
Corey Thomas, CEO of Rapid7; Michael Pocalyko, CEO of Monticello Capital; and Christopher Y. Clark, Publisher of NACD Directorship Magazine, discuss how cyber budgets today should be overhauled to improve security.
>> Christopher Clark: Hi, I'm Christopher Clark, publisher of NACD Directorship Magazine, and this is BoardVision. Today's subject is cyber security, but from a unique point of view. We're going to concentrate on programs and actually budgets. I'm joined today by Corey Thomas, CEO of Rapid7, and an old friend, Michael Pocalyko, who's the CEO of Monticello Capital. Welcome, gentlemen!
>> Michael Pocalyko: Good morning.
>> Corey Thomas: Good morning.
>> Christopher Clark: Corey, we've had a few conversations offline about budgets and overhauls, and there's a situation that we're in now, because it is warfare, it's World War III when it comes to cyber security, cyber liability, cyber risk. Give me your take on kind of the status of programs and why budgets should be overhauled.
>> Corey Thomas: Well, I think you're absolutely right, and our premise is that cyber security programs and their budgets need to be fundamentally overhauled to acknowledge the basic reality that what we're doing today just isn't working. And our premise is that there are things we can do and things we should be doing to improve the overall security and transparency of our systems.
>> Christopher Clark: Michael, you know, you're a director, you're an audit committee expert, you're a fraud expert, you've got the trifecta here. What's your take on what Corey just said?
>> Michael Pocalyko: Well, Corey's company, Rapid7, and a very few firms like them are critical for directors and for executives, in any business, whether it's service, manufacturing, certainly any international business, because the reality is this is not about data, this is about the infrastructure on which we run companies, and that's the way boards need to approach it: that this [inaudible] of information technology, cyber security, is as important as audit is to a board of directors.
>> Christopher Clark: Talk about that seesaw, that balance of the right amount of money and budget, before something happens, and that balance of, you know, intelligence, doing it smartly, that it's not just pouring money onto a situation.
>> Corey Thomas: So the first thing that we recommend is make it a focus, make it a priority, develop a strategy, understand it. Once you've done that, and once you've taken that into consideration, then what we recommend doing is sitting down with your executive teams and your IT teams, and fundamentally understanding what are the drivers of risk for your business, and what's happening in the context of the world around you.
>> Christopher Clark: Alright, I'm jumping right in here. As a CEO, or as a director who allocates that final, but how can it not be a priority?
>> Michael Pocalyko: Well, it often is not a priority for boards. There are really four trends that are active today. First trend: we are finally seeing systems as accretive to profit rather than as a cost center. Okay? Second trend: we are recognizing cyber security more in the way we think of insurance, litigation, and risk management than as that guy who just wants to buy new toys. Okay? Third, the trend of the Cloud has finally gotten the attention of the board, who have recognized that, wait a minute, very important pieces of intellectual property and of our strategy are somewhere, and I, as a director, may not know where they are. And the fourth trend is the deep integration of finance and accounting systems, because everything in finance today is online.
>> Christopher Clark: Corey, what can organizations, firms, specifically do? Because we've talked about raising the priority level at the board level, C-suite management, but what can you recommend?
>> Corey Thomas: Yeah, I think there are three core things that every institution or organization needs to do. One, they need to define what their assets are and what their exposure is. If you don't know what you have in your environment, and you don't know how it's tied together, there's no chance that you'll ever be able to protect it. The second thing is we still live in a world where most companies or institutions tend to focus specifically on technology, and they're missing the core fact that right now, the weakest point in any company is actually the users and the employees. Every outside attacker knows that, and they're targeting the individual, and individuals and employees within companies are focused on productivity and getting the job done. They're not focused on security. So the second thing that we recommend is that every company reorient their security posture towards centering around the employee and the individual. The third thing that we recommend is that companies take a very, very serious look at their partnerships and their connectivity to other institutions or organizations. You find that many, not all, but many of the recent breaches that have occurred have occurred because there's been easy entry from a third-party partner or firm into the internal resources of the corporation that were not well understood at the time.
>> Michael Pocalyko: You know, Corey makes a really good point here, and I phrase it a little differently. The risks that we're talking about are not actually cyber risks. They are not actually code risks. Those are a very, very small part of this business. The real risk is in the reliance on people.
>> Christopher Clark: Corey, based on what Michael said, because we're talking to about 15 to 20,000 directors today, what would you share with them, a sage piece of advice or insight, on how to ensure that the board really embraces this new world the right way?
>> Corey Thomas: The first piece of advice that I'd give the board is start the conversation and dialogue, and make it an ongoing conversation. Too many times I find that I get called in to speak to boards and educate them, and too often they treat it as a point conversation, as an obligation to go through. It needs to be part of the ongoing conversation, and there needs to be a recognition that it's an exploration process.
>> Christopher Clark: Corey, Michael, I just wanted to thank you personally for some excellent insights. On behalf of NACD and Rapid7, I wanted to thank you for viewing today. I'm Chris Clark and this is BoardVision.