Andrew Pritchett is the Chief Information Officer at Grant Thornton Australia, joining the firm in 2013. He has lead various teams through technology and cultural change with a strong emphasis on culture and technical excellence. Andrew has been awarded two patents one for a workflow management system and finance system for billing. Andrew believes in a strong emphasis of cyber security as a foundation for both technology teams and the broader business. Andrew loves working with people, helping them develop and all things technical.
This important message was brought home to me at a board dinner a few weeks ago, where an external director asked a question that stopped me in my tracks: are we being watched? That led to a bigger conversation, which gave me a lot of food for thought on the relationships between the CISO, the board, and their organisations at large.
CISOs need a voice at the table
As we all know, cybersecurity representation at board level has long been short of where it should be. The good news is that pattern is shifting, with Gartner reporting that it expects 40% of boards to have a dedicated cyber committee, led by a qualified board member, by 2025. This organisational change is welcome, but CISOs also need to use their soft skills and keep their ears to the ground for upcoming discussions at their organisation that could impact cybersecurity.
Case in point: I hadn’t initially been invited to the board dinner I mentioned above, but I heard about it and offered support if needed. I wanted to avoid the situation where there’s no technical person in the room, everyone talks and comes up with plans, and before you know it, you’re on the hook to deliver a crazy request.
Like many people, I’ve been working remotely during Covid and my wardrobe was somewhat lacking, so I grabbed a new suit and shoes and headed off to dinner. It was at a restaurant with a big round table, and all of us had a placemat with information on ransomware – a neat way to ensure everyone has some facts to hand to talk about.
CISOs should be prepared – but we can’t anticipate everything
Of course, preparation isn’t just about placemats. Thinking about likely questions from the board, and how you might respond using language and metrics they can relate to, will help you handle some of the curve balls. But sometimes a question will blindside you no matter how well prepared you are.
We were discussing our tactics, strategy and controls around ransomware and everything was going swimmingly. Then our CFO said, “Well, last week I got an odd payment request from our CEO while he was on leave.” Then an external director turned to me and said, “You must have someone watching the CEO’s calendar.” I immediately thought about all our controls, and about the fact that if we had a bad actor in our system, they surely would do more than ask for an invoice to be paid.
So I replied, “I doubt that, even a broken watch is right twice a day.” They did not seem impressed with my witty-yet-profound answer and plainly thought it was more likely we’d been infiltrated by a bad actor who was waiting for their chance. The conversation resumed, but I was not happy with where we’d left the discussion.
The way you respond is crucial
The next morning, I considered my options. We could investigate further in-house, but if we don’t have a bad actor, would that process reassure the board member – my new stakeholder – that we don’t have anyone watching us? In the end, I felt we had to get an outside perspective. I contacted our external advisors, The Missing Link, and asked them to treat it as a breach, with an investigation and a full report.
I won’t go into the details of the investigation and its results, but after several weeks of work, including a dark web data and credential review, the report concluded that no bad actor was involved. The email’s timing had been down to chance: it was the scenario in which “even a broken clock is right twice a day”.
Why finding nothing can be a worthwhile exercise
So was I disappointed that we’d poured resources into an investigation only to find no evidence of a malicious intrusion? Absolutely not. This was a serious assertion, and if someone had been watching, we had to know about it. While you shouldn’t panic and react to every shadow, you should definitely trust your experience, chase down leads and look for evidence. Testing your processes often, especially under duress, will help you assess your strengths and weaknesses.
This incident also saw us take the concerns of a board member seriously and to offer reassurance. Communicating risk, threats and budgetary needs at board level is not always easy, and telling a story is a great way to help senior colleagues see the bigger pictures. My response at dinner was not enough. I had to dig deeper, and present a larger narrative that would help our board see that we had thoroughly engaged with the threat, and had found that the email was not a sign of deeper problems.
External experts can play a big role in reinforcing internal teams
Sometimes you need an external perspective to provide assurance. We already do this with financial records, tax advice and mechanical faults. We should consider it in cybersecurity too. Cyber teams can be empowered by external perspectives and freed up by additional resources. External investigations and reports can build confidence, validate your cybersecurity strategy, and demonstrate that you are willing to work flexibly and prioritise key incidents.
Trust is a crucial part of cyber operations
That dinner, with its ransomware tablemats and me in my new shoes, had two big takeaways: that it’s important to be in the room when cybersecurity is up for discussion, and that an investigation can be 100% worth it even if it ends with an all-clear. It shows that you’re willing to address concerns with investment and evidence, rather than simply dismissing them because you feel you know the answer. That investment builds credit and develops trust. Both are crucial if you’re seeking to influence stakeholders, and build a cyber strategy that your board can get behind.