A CISO carries many weighty responsibilities, but teaching cybersecurity to a company's board of directors in order to secure their buy-in should not be one of them, according to Edward Amoroso, founder and CEO of cybersecurity advisory firm TAG Cyber LLC.
In fact, the former AT&T CISO and CSO believes that a basic understanding of cybersecurity should be a mandatory prerequisite to being named to a board of directors.
“This idea that it's okay to not understand technology and okay to be a Luddite with cybersecurity is a terrible mistake,” said Amoroso at Gigamon's second annual NYC Cybersecurity Summit. “It should be, if you don't have that skill, you don't belong on that board.”
Amoroso said that too many CISOs try to train board members in cyber, babying them with simple concepts that give directors the false impression that they understand cyber, when in fact their comprehension is superficial and ultimately inadequate.
“The best thing we can do with our boards is to brief them – not train them, brief them – as peers, brief them as capable, knowledgeable executives,” said Amoroso. “And when you… reference the fact that the telemetry in your SIEM and the SDN controller looks like it may have a tad bit higher percentage of false positives than you're comfortable with… just wait after that, listen for the crickets, and let them realize they don't know what you're talking about.”