Chairman, National Retail Federation IT Security Council & former CISO, Ralph Lauren
Video Transcript
So, I had a board member once ask me. “Cy, how do you know what you don't know?” And, and we sort of came back with well, you know, we're experts in a lot of things, but let's go back. We actually ended up adopting the ATT@CK framework to know what we don't know. They're mapping bad-guy activity. We're mapping our systems. Those two things together to become a plan to know the things that you don't know, especially because the MITRE team is keeping that up to date.
That's the other problem is that bad guys are constantly, you know, refining and changing their tactics, and MITRE helps us keep track of that. When we talk to the board, you’ve got to think about who your audience is, and what they're worried about. Five years ago, I would have never...because they would have asked me that question, right? But today, the board is much more involved, and wants to know and understand what we're Are doing to protect the environment. And so, we’ve got to take the technical terms out of it.
We want to talk to them about things like how do we know who's on our network, and who's using our resources? How do we know where all the data is, where it lives, and what it is, and what's important about it? And what we did do with ATT@CK is we summarize it in a way that just makes more sense to businesspeople. ATT@CK has 11 different towers, from initial intrusion, all the way to exfiltration. We'd go across -- I think I summarized that down to about five. Across these five areas, this is what I can see today, and this is where I have gaps.
The boards...they no longer expect us to not have intrusions and not have incidents. What they expect us to do is to respond. I had a great friend who said, hey, as CISOs, you know, you used to get fired if you had an intrusion. No longer. But what we do get judged on is how we respond.
And one of the really important things about our response is noticing sooner, right? Can I have visibility within my all of my network assets -- not just my on-prem, but the whole thing -- and notice when something unusual is happening and respond to it. Sort of cut it off at the pass.
The bad guy can go in, but if they don't make it out with the data, if they don't make it out with an encrypted payload, then then they haven't won. Talking to the board like that, they tend to really respond. They go, “Oh, I get it. Okay.” Then they see this sort of, RAG -- red, amber, green -- environment with these five things, and it gives them a place where they can look at it.