UPDATED 18:00 EST / AUGUST 31 2017

Cybersecurity starts with company board that understands risk equation

Cybersecurity does not spring from the ground up. It flows from the top, the boardroom, where companies make their most important decisions. While boards don’t care about technical concerns, they do understand risk. Translating the risks and rewards of good security into boardroom terms is vital, according to Joe Gottlieb (pictured), senior vice president of corporate development at SailPoint Technologies Inc.

“Boards are trying to provide governance. They need wisdom to provide governance. If they don’t understand security at all, how can they be wise about it?” Gottlieb asked.

Gottlieb spoke with Jeff Frick (@JeffFrick), host of theCUBE, SiliconANGLE’s mobile livestreaming studio, during the Chertoff Group Security Series “Security in the Boardroom” event in Palo Alto, California. They discussed SailPoint, security culture and translating security needs into boardroom terms. (* Disclosure below.)

Process and culture empower security

SailPoint helps large companies control who has access to what. This is a vital niche, because giving the wrong person access to the wrong things can threaten a company’s entire network. Access must be limited to what a person needs to do their job, and little more, according to Gottlieb. Unfortunately, many businesses have no way to control access in an efficient manner.

“For the average large company, this is a manual effort; it’s not systematic, which it has to be,” Gottlieb said. By putting a process in place to control access effectively, companies can reduce their vulnerability to security attacks. Likewise, a company security culture of consistency, patience and methodical progress is very important, Gottlieb stated.

A defining part of the culture is the boardroom. There has been a significant push recently to make boards more proactive about security. The days of prevention are over; now companies must take an active role in monitoring threats, setting good governance and educating users, according to Gottlieb.

“Every attack starts with a phishing attack that compromises an end-user, then moves laterally to the good stuff,” Gottlieb said.

Meanwhile, measuring the effectiveness of cybersecurity is difficult. The best way to turn it into numbers is to look at security as part of risk management, Gottlieb advised. Doing this can help translate security into terms that boards understand. Then, security becomes a matter of investments and trade-offs, which is how boards see the world, he added.

Watch the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of The Chertoff Group Security Series “Security in the Boardroom.” (* Disclosure: TheCUBE is a paid media partner for The Chertoff Group Security Series “Security in the Boardroom.” Neither The Chertoff Group LLC nor SailPoint Technologies Inc. has editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE
