'No-one wants our data, it's not important': Wrong
San Francisco DA CIO Herman Brown Jr on selling cyber to the board
"No-one wants our data, it's not important," staff at the Office of The District Attorney of San Francisco told CIO Herman Brown Jr as he prepared to roll out multi-factor authentication (MFA) and other identity and access management tools. The CFO didn't want to have to pay for something that wouldn't directly improve productivity, and the busy attorneys saw it as one more hurdle to jump through.
But that's not the point, said Brown. Ransomware gangs don't really care what the data is; they just care about getting hold of it, and they care that you need it to do your job and may therefore be persuaded to pay to get it back.
Selling insurance - which effectively is what cyber security is - to the board is never going to be easy, especially if they are not risk-minded and particularly if it's seen as adding friction.
The secret, said Brown, interviewed via video at the recent Computing Deskflix IAM event, is to look at what is important, what regulations you have to abide by, and then tell a compelling and all-too-plausible story.
"I'm a defendant. I may not have the skillset myself but I may know someone who could breach the data. Is that enough that I could get my case thrown out or found not guilty?"
A data breach could easily cast sufficient doubt on a prosecution for it to become unsafe. Who's to say records haven't been tampered with? The Office of the District Attorney of the City and County of San Francisco processes about 26,000 cases a year, with 16,000 to 18,000 resulting in a charge. Any case proceeding during a data breach could be legally questioned and sent for a retrial, which would mean a vast amount of extra work and extra expense for the office, which, like most in the public sector, is chronically understaffed.
"What would that mean from a time perspective, what does that mean from a staffing perspective?"
Balance the potential need to organise thousands of retrials against the minor inconvenience of having to remember a PIN or use an authentication app, and the wisdom of the move becomes clear.
It's also very important to select partners carefully, said Brown, who refuses to sign long-term deals for security.
"We don't want someone just to sell us a product. We're looking for someone who is genuinely interested in the success of the organisation and personally in me as the CIO."
And it's a two-way street. An honest relationship means the customer feels happy providing feedback and suggestions, which in turn makes for a better service.
It's very rare that you'll find a vendor to meet 100% of your requirements, said Brown, so it's important to find a business partner that will help ensure the implementation of the tool is successful and that they will be around to support it after the go-live date.
"A lot of vendors will sell you a product and install it, and when you have issues with it, they're nowhere to be found."