Managing Cybersecurity Risk from the Boardroom

Source:  Originally published in MSSP Alert on Aug 15 2022

As a leading MSP, Blue Mantis (fka GreenPages) has to be the best of the best steward of cybersecurity for our customers. Cybersecurity stewardship has to permeate through our entire organization every step of the way in our interactions with our customers, from the first sales touch point to how technical team engages. We have the responsibility of holding our customers’ “keys to the cyber kingdoms,” so we are extremely diligent and relentless about cybersecurity.

Keeping our customers safe from cybersecurity threats: As a 20-year cybersecurity and MSP industry veteran, I’ve learned that the approach of continuing to buy more tools and hire more people does not necessarily lead to better security. While it may improve security postures in the short-term, it becomes untenable and impossible to manage in the long-term. We’ve had to take a step back from the more-tools, more-people approach and ask ourselves, “How can we manage the compounding problems of our customers’ increasingly complex digital environments along with escalating cybersecurity threats that are increasing in frequency and sophistication?”

Taking cybersecurity to the boardroom

Cybersecurity risk must be a board-level issue because cybersecurity risks are enormous. Getting hacked, data breaches, malware, loss of service, and ransomware, etc. can take down your business and your customers’ businesses. So we need to not only tackle cybersecurity at the technical level, we must also manage cybersecurity risk at the board and executive levels. There has to be cybersecurity expertise on the board.

It’s up to the board to determine the organization’s risk tolerance, to set goals, and then fund decisions on how to achieve those goals. Of course the board does not decide whether you need to buy a certain security tool. It assesses: What are the “crown jewels” of the company? What do we care most about? How are we protecting our crown jewels? How are we accountable? It’s important to focus on outcomes how they align with corporate goals.

I sit on the Blue Mantis (fka GreenPages) board as the cyber expert, and I spend a lot of time educating our board on cybersecurity issues. It’s highly effective, because when the board is cyber aware and aligned, our organization can move fast to roll out cybersecurity programs organization wide. We specify expected outcomes, ensure accountability, and fund appropriately.

When that happens at the board level, you remove the sand from the gears. It’s clear to everyone throughout the organization that security is a priority, and projects that meet the organization’s security goals get funded and executed successfully.

Metrics and ROI

Blue Mantis (fka GreenPages) has set of key metrics that I regularly present and discuss with the board. I built dashboards for them in a straightforward way to show accountability and transparency. We measure progress month by month and tie progress to the spend in the funding that was approved to get better. We measure:

1. Are we getting better with our overall security posture? 
2. Are funded projects producing the results that we expected? 
3. Are we responding to events quicker? 

I am transparent with these metrics – with the board and with our customers – because transparency drives outcomes, builds trust, and educates. When you can show progress and meet goals, it drives the funding we need to continue to get the job done.

Getting certified in cybersecurity management for corporate boards

I discuss this often with our customers, and I strongly encourage them to take the Cybersecurity Strategy Online Certification program at Boston College, where we partner.

One of the most important things you learn in that program is that you can’t wipe out cybersecurity risk. You can manage it. You anticipate unknowns so that you can move quickly to mitigate damage when something bad happens. Learn more in the eBook A Board’s-Eye View of Cybersecurity Risk.