What are some effective strategies when it comes to readying your board for security? What gets the biggest response?

Sr. Director of Security Engineering in Software, 4 years ago

Especially with security, so many of the decisions that we make seem like obvious no-brainer decisions. But if you walk into a meeting assuming that everyone knows why we have to have multi-factor authentication (MFA), thinking it’s an obvious thing, that's how you end up getting pushback. And that is something I've continued to learn. What seems simple and obvious to me might not be obvious to an engineering department that has 12 other competing priorities—the last thing they want to worry about is something that they think impedes their ability to log in, or get code out, or whatever the situation may be.

no title, 4 years ago

Being able to be the business translator is important. In your head, you think everybody's going to know what MFA is.

Global CIO, CISO in Education, 4 years ago

When it comes to educating senior leadership, I’ve learned that a key factor is the tone that we use—the curtailing and editing that we do. You have one presentation that’s like, “The teams all suck, they don't know what they're doing." Then you massage that into, "We have operational efficiency issues, etc.," which then gets translated to the board as, "We're handling that. We've got a program in place,” or, “We just hired a senior security person that'll solve those problems.” But that misses the original message, which was that things are actually a hot mess.

When asked for a board presentation in the past, I’ve purposely sent senior leadership the real hot mess that shows we have 250 endpoints that are gaping holes, for example. I always try to have that reality check and then message up: this is why we have these 250 endpoint issues here, this is why we need to upgrade them, or this is why we need to add these layers. That communication is vital to being human in discussion—not hyperbole, and not summarized to the nth degree.

no title, 4 years ago

Cyber security's basically a human problem that just goes faster because of technology.

Founder/Chairman/CTO in Telecommunication, 4 years ago

I've seen things work in the bug bounty space; it helps to put a dollar value on a failure state that's actually created peacefully. You can build narratives around that. Having your code hacked by someone halfway across the planet hits an engineer differently from when the red team does it. So there are different point solutions that I've seen be really effective, but I do think that the broader issue is creating a language that interfaces between the security team, the board, and the rest of the business.
