Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

Bishop Fox Livestream at RSAC 2024 with Daniel Wallance and Justin Greis of McKinsey

At Bishop Fox's second-annual livestream from the 2024 RSA Conference in San Francisco, we interviewed special guests Daniel Wallance & Justin Greis to learn top strategic priorities for executives and effective communication strategies with the board.

At Bishop Fox's second-annual livestream from the 2024 RSA Conference in San Francisco, we interviewed special guests Daniel Wallance, associate partner at McKinsey & Company, and Justin Greis, partner and North America cybersecurity practice lead at McKinsey. Learn top strategic priorities for executives and effective communication strategies with the board.


Abbreviated Transcript

Tom Eston: Welcome back to the Bishop Fox live stream from the RSA conference in San Francisco. Joining me for this panel discussion is Daniel Wallace, a senior expert at McKinsey and Company, and Justin Greis, the Partner and North America Cybersecurity Practice Lead at McKinsey. Welcome to the live stream.

Daniel Wallance: Great to be here.

Tom Eston: We're going to be talking about the board-level view of cybersecurity risk and resilience. Daniel, what are the top strategic priorities you would recommend to executives to ensure alignment with the board?

Daniel Wallance: It's important to frame the conversation in terms of business risk. What does this mean for the organization? What are the impacts on critical assets? Second, bring the board into tabletop exercises to think through incident response and decision-making. Finally, address how to truly know our capabilities are effective and incorporate that into discussions with the board.

Tom Eston: What do you think about that, Justin?

Justin Greis: I agree. One of the biggest mistakes is expecting the board to interpret technical details live. Convey risk in terms of business impact. Discuss business processes at risk and potential consequences. Always frame the conversation in terms of products and business lines, which the board understands.

Tom Eston: Leaders need to communicate urgency to the board. What advice can you give on this?

Daniel Wallance: Frame it as a narrative. Communicate what you're protecting, your capabilities, and critical assets. Make it part of ongoing dialogue and education sessions, sharing the latest threats and controls deployed.

Justin Greis: Boards understand urgency, but everything in cyber seems urgent. Stratify tasks and convey urgency in an understandable order. Show, don't tell. Walk them through an attack's anatomy to illustrate impact.

Tom Eston: How can someone address complex security concerns in terms of risk to the board?

Daniel Wallance: Keep it simple. Many boards want to learn. Engage in dialogues about the latest cybersecurity threats and technologies to defend against them.

Justin Greis: Simplify the message. Use consistent metrics the board can understand over time. Introduce rotating topics but keep core KPIs and KRIs consistent.

Tom Eston: How should one handle feedback from the board?

Daniel Wallance: View it as a partnership. Engage in discussions about risk tolerances, thresholds, and prioritizations. Use this insight to inform organizational capabilities.

Justin Greis: Consistent feedback is key. There should be multiple touchpoints leading up to board meetings. Develop a strong relationship with the audit and risk committee chair to shape the message together. It's too complex a topic to be adversarial.

Tom Eston: How can the board foster a good cybersecurity culture in an organization?

Daniel Wallance: Celebrate cybersecurity achievements. Emphasize that advancing capabilities add value to the organization. Make it a focus rather than just preventing bad outcomes.

Justin Greis: Use inclusive language like "we" and "our" to show unity. Ask good questions, read materials, educate themselves, and build relationships with the CISO. Regular engagement is crucial for fostering a supportive culture.

Tom Eston: Any tips for effective communication with the board?

Daniel Wallance: Bringing board members into the SOC to see day-to-day operations and responses to attacks can be impactful.

Justin Greis: Ask the CISOs what they need to be successful. Ensure transparency and direct communication. Establish personal connections by helping board members with their own security, which can build trust and understanding.

Tom Eston: Where can our audience learn more about you and McKinsey?

Daniel Wallance: Our website has many resources, including articles on cybersecurity and the board of directors.

Justin Greis: McKinsey.com has a cybersecurity section with great thought leadership. You can also reach out to us on LinkedIn or through email.

Tom Eston: Thank you both for joining the live stream. We'll be back with more from the Bishop Fox livestream at the RSA conference in San Francisco. Stay tuned.


Tom Eston

About the author, Tom Eston

VP of Consulting and Cosmos at Bishop Fox

Tom Eston is the VP of Consulting and Cosmos at Bishop Fox. Tom's work over his 15 years in cybersecurity has focused on application, network, and red team penetration testing as well as security and privacy advocacy. He has led multiple projects in the cybersecurity community, improved industry standard testing methodologies and is an experienced manager and leader. He is also the founder and co-host of the podcast The Shared Security Show; and a frequent speaker at user groups and international cybersecurity conferences including Black Hat, DEF CON, DerbyCon, SANS, InfoSec World, OWASP AppSec, and ShmooCon.
More by Tom

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.