The Value of An Outsider’s Perspective: Board Presentations, with Phillip Miller

‍

And many companies have worked with him for exactly this; leaning on Phillip’s expertise to help them navigate new challenges, delivered on a per-project basis over a period of one day to several weeks. 

We caught up with Phillip to understand more about how he is using his specific expertise to provide support to boards, and how this support looks in practice. 

‍

We’re in the age of freelance and fractional

Working patterns within cybersecurity are shifting, and growing demand for services like Phillip’s reflect this. 

Under growing pressure in their current roles, and with demand for experienced professionals remaining high, many senior cybersecurity leaders are choosing to strike out on their own. 

While this isn’t an easy journey, it ultimately allows experts to build a fulfilling career that works around them – not the other way around. 

For Phillip, that means working on interesting cybersecurity projects where he can add value, but leaving plenty of time to also work on his farm, and go on epic road trips in his motor home.  

This working shift presents huge value to companies, too. 

The threat landscape is constantly expanding, and they need to expand their expertise to cover it – but without the cost of bringing in more high-level professionals full time. 

By working with top-level experts on a per-project basis, they get full access to that person’s experience and expertise exactly when they need it, and for a fraction of the cost of hiring them. 

‍

What are board presentations, and how do they work?

Phillip is brought in to assist boards in a number of different formats, and for a variety of reasons – some of which we have outlined below. 

Some companies want Phillip to attend a board dinner or company function and talk through the current threat landscape. 

And at the other end of the spectrum, he might spend up to two months evaluating a large company’s security posture, reviewing hundreds of documents, and conducting multiple internal interviews as part of his work, and producing a report at the end. 

Many engagements sit somewhere in the middle, and Phillip is flexible and adaptable to the needs of each engagement.

‍

When do boards seek Phillip’s help? 

Whether it’s changes to company strategy or the emergence new technology, it’s fair to say life for security leaders is rarely smooth sailing. 

At key moments, a board may seek Phillip’s help with one of the following areas: 

‍

To support a big pivot in strategic direction

“I see this far too often: individuals are hired with an impression that the security program is going to be run one way, and then six months into the job, something dramatically changes and they're finding themselves going a different way”, Phillip explained.

‍

“And maybe the senior leader pivots fast, but the team underneath them doesn't pivot very well. And so in that kind of case we're deep into diagnostics and applying my 30+ years of experience to try to track down the root cause.” 

It’s a CISO’s worst nightmare; they get their security program to a place they’re happy with, only to have the rug pulled out from under their feet, and the strategy pivot into an area they’re less confident in. 

This is the perfect time to seek out a second opinion from someone with previous top level experience in that area, helping the whole security team align around a new goal. 

‍

To help prepare a company for sale

The unfortunate reality is that cybersecurity takes a backseat in many companies until a crucial moment where it can no longer be ignored – such as when they’re trying to sell up. 

Phillip has successfully helped companies navigate this intimidating new phase. 

“I worked with a company that wanted to establish credibility so their value in the marketplace would be appropriate”, he told us. 

“So I worked with their CEO to clearly articulate a strategy and an approach to cybersecurity. I helped him and the owners allocate the right amount of funding, and help them hire an actual real CIO to build out that program and create, segregation of duties, governance, and all of those things.” 

It was a resounding success; the company sold, and the CIO is still there to this day. 

For post-data breach analysis and support

Every organization has security blind spots – and Phillip, along with many experienced professionals, doesn’t place a huge amount of confidence in regular audits to find these weaknesses. 

“We put ourselves on autopilot in an enterprise, and that has a tendency to create deficiencies that your regular audits don't uncover”, he explained.  

“That's the hardest thing I think for any company that's experienced a data breach: they were all compliant up until the day they had their data breach. They passed their audits.”

Phillip partners with organizations recovering from data breaches, helping get to the root of what went wrong, and shore up their processes to prevent a repeat in the future. 

‍

To go beyond what their compliance program demands

“Compliance is always that snapshot in time and the amount of evidence that they gather for most compliance programs is so lightweight and companies get to scope limit stuff down.”

Some companies already recognise the limitations of compliance audits, and want to stay one step ahead of potential threats. Phillip reviews their existing security program and evaluates whether it’s fit for purpose, and scalable against emerging threats.

‍

To get ahead of emerging technology and threats within their sector

With new threats emerging all the time, it’s easy for security teams and leaders to get distracted by the ‘shiny new thing’, and neglect their security fundamentals. Sometimes boards simply need to cut through the noise and understand how much stock to put into emerging threats, and what isn’t worth their focus and investment for the time being.

‍