Tag Archives: risk

Will 2016 Be The Year Of The Board?

This year has exploded out of the gate, starting on Jan 4 (the first business day of the year) with a flurry of activity. Sure, some of this is just new budget money that is available. However, I’m seeing a lot of organizations in my part of the world (California, Oregon, Washington, Idaho, Montana, Alberta, British Columbia, and Alaska) asking for help on the topic of communicating to executive management and the board of directors.

It’s about time.

Really, though, this makes sense. Boards of directors aren’t interested in fads in business management. They rely upon their tried-and-true methods of managing businesses through board meetings, audit and risk committees, and meetings with executives. Until recently, board members perceived information security as a tactical matter not requiring their attention. However, with so many organizations suffering from colossal breaches, board members are starting to ask questions, which is a step in the right direction.

Let me say this again. Board members’ asking questions is a big sign of progress. And it doesn’t matter, mostly, what those questions are. It’s a sign they are thinking about information security, perhaps for the first time. And they’re bold enough to ask questions, even if they fear they are asking stupid questions.

The National Association of Corporate Directors (NACD) has an excellent publication on the topic of board oversight of information security, called the Cyber Risk Oversight Handbook. Last I checked, a soft copy is free. Whether you are a board member or an infosec staffer, I highly recommend this for your reading list in early 2016.

Vulnerabilities, threats, and risk in a chess metaphor


Even for security professionals it’s sometimes tricky to properly think about the terms vulnerability, threat, risk, attack, and exploit. It can be harder yet to describe these concepts to someone who is not a security professional.

In this excerpt from our upcoming book, Biometrics for Dummies, we explain these terms within the metaphor of a game of chess:

“Before we go any further, let’s look at the meaning of the terms threat, vulnerability and risk. Over the years we’ve found these terms to be used interchangeably and incorrectly. As with any industry jargon, these terms are tossed around and used by people who do fully understand their meaning, and by those who think they do — but don’t really.

* Vulnerability: a weakness in a system that may permit an attacker to compromise it.
* Threat: a potential activity that would, if it occurred, harm a system.
* Risk: the potential negative impact if a harmful event were to occur.

The terms vulnerability, threat, and risk can be visualized like this: Imagine a game of chess, where one player has a very weak position, and the other player has a very strong position. The player with the weak position is unable to protect his king — this is a vulnerability. The weak player’s king is vulnerable to attack — a position of high risk. The strong player has powerful pieces (such as a queen, bishops, and rooks) that are in low-risk positions to easily capture the weak player’s king — this is a threat.

And while we’re at it, there are some other words we should discuss:

* Attack: the act of carrying out a threat with the intention of harming a system.
* Exploit (verb): the act of carrying out a threat against a specific vulnerability.
* Exploit (noun): a program, tool, or technique that can be used to attack a system.

Using the chess analogy again, the strong player could attack the weak player, exploiting his vulnerability to capture his king. The strong player’s method of attack would be known as his exploit against the weak, high-risk player.”

From Biometrics for Dummies