Here’s what corporate boards are asking Kevin Mandia about
DENVER — Hey, CISOs: You have the C-Suite’s attention.
Given the frequency of attacks and the cost associated with recovery, Kevin Mandia, founder of Mandiant and strategic adviser at Google Cloud, says executives have now recognized the crucial need to integrate robust security measures with core business strategies to protect assets and maintain normal operations.
“Boards and executives are way more interested in cybersecurity today than ever before,” Mandia said Wednesday at the Mandiant Worldwide Information Security Exchange (mWISE). “They’re reading the headlines. They’re recognizing the standards, legislation and regulations they need to comply with. And then they’re also starting to hear from other CEOs and other executives about the breaches they went through.”
How good do we need to be?
Mandia said that most boards or executives have asked him to gauge their cyber readiness through the lens of their competitors.
“If it’s Lockheed Martin, [boards ask], ‘how’s Boeing doing?’ If it’s McDonald’s, ‘how’s Burger King?’ If I’m Coke, ‘where’s Pepsi’s program?’” he said.
But regardless of the industry vertical a company operates in, he brings the conversation back to risk frameworks, since boards and executives are already used to managing risk from a financial standpoint.
Mandia says that running cybersecurity through a risk framework lets companies figure out what matters the most, which threats could cause the most damage, and who has to accept the residual risk if an attack succeeds.
“A lot of companies will say, ‘I don’t want to lose the CFO’s email,’ ‘I don’t want to have unauthorized access to our OT network,’ ‘I don’t want to lose customer data,’ ‘I don’t want to lose our source code.’ You have all these different things that great cyber executives have to figure out. There’s a whole process for that I’ve worked with companies on, but the business line owners need to figure out what matters most.”
How do I know if my CISO is any good?
Mandia posited that most boards or executives are looking for benchmarks that allow them to measure technical or management acumen. In reality, he says the best measurement is to figure out if a CISO has a “security mindset.”
He described a security mindset as someone who “hopes for the best, plans for the worst,” and is always thinking about how a company can defend its weaknesses.
“I tell CEOs that you don’t even care what the answer is to these [weakness] questions, as long as your CISO actually has them, because at least that means you have someone with the right mindset,” he said.
Can that happen to us?
Mandia said a lot of executives often read headlines about high-profile attacks and quickly wonder if the same could happen to them. They often try to speak with the person responsible for their backup programs — who isn’t always the CISO — or those in charge of disaster recovery and redundancy efforts. They would pose a straightforward question: “If what happened to them happened here, how quickly could we be up and running again?”
“Very few companies actually know the answer, and many learn the hard way” when a crisis hits, he said.
What’s the worst-case scenario?
Mandia said there is no right answer to this question, because it usually depends on the nature of the breach. To give boards and executives peace of mind, he recommends tabletop exercises as the best way to envision what the worst-case scenario would look like, without any of the actual harm.
“I think the biggest bang-for-the-buck today is doing tabletop exercises,” he said. “You get a lot of incredible knowledge just doing a realistic tabletop with executives, and security teams, all the way down to the frontline folks.”
Mandia has found that tabletops do a great job of breaking down organizational silos, revealing how capable a company is at crisis communications, and clarifying who needs to be involved at each escalation point of an incident.
“I ask almost every CISO, ‘Have you done a tabletop in the last year?’ Once a year, for one hour. It’s infinitely good compared to nothing at all.”