Abusing the Internet of Things

Board Director #1: Okay, let’s jump right in and skip the introduction. We know you are the
CISO. We appointed you. We know what your job description is. Go ahead.
Smith: Okay. I’m sure the board is aware of IoT devices in the marketplace, and the majority of
these devices are being found to have security risks. We ought to carefully think of partnering with
a leading security tool company called Plunk so that we can...
Board Director #2: Hold on a second. We are a health insurance company. Exactly what types of
IoT devices do we have in our offices that are in scope? Are you suggesting the risk of IoT devices to
our business today is more important than spending our money on shoring up our compliance with
health regulations? Or are you talking about IoT devices that you personally predict may impose
risks on us in the future?
Smith: My discussion is really about the future. I’m not sure what IoT devices we may need to be
worried about today, but I was at the RSA conference and all the keynote speakers mentioned the
security implications of IoT and I wanted...
Board Director #2: Come back to us when you are able to map the strategy of our business to technology and can talk to us about tangible issues that are based on factual understanding of our technology landscape. That will be all, Mr. Smith. Let’s have the next presenter come up.

Smith was escorted out of the conference room. He had predicted the board of directors would be welcoming of his knowledge on cutting-edge security topics, yet his presentation lasted about 1 minute and 15 seconds. He was stunned.
Human resources called Smith the next day and asked for his resignation, effective
immediately. He would be given the six months’ severance pay specified in his employment
contract.


What Went Wrong?


Looking back at this scenario, multiple factors contributed to Smith’s failure. Sam Cronin’s role as the sales executive at a security-tool company made him a biased source of advice. Ultimately, Cronin was focused on selling licenses to his updated product, which was not in alignment with the goals of the board of directors at Acme Inc.
Smith should have consulted his peers and other unbiased individuals he had called upon for mentorship in the past, as it is clear that he did not have experience with presenting to the board. Company directors typically want a statement of the problem at hand and how it connects to the company’s business. Instead of focusing on just risks associated with IoT devices, Smith should have presented a prioritized list of security issues that could interrupt the business of Acme Inc. (unauthorized access, loss of confidentiality of intellectual property, etc.). This list could potentially include IoT concerns along with a proposed roadmap of greater adoption of IoT devices. Because Smith focused solely on IoT devices, it was immediately apparent to the board that he had not thought through the entire risk landscape.


254 CHAPTER 9: TWO SCENARIOS—INTENTIONS AND OUTCOMES