Mark Settle
Former CIO
Okta Inc.

Mark Settle is a seven-time CIO with broad business experience in information services, enterprise software, consumer products, high-tech distribution, financial services and oil & gas. He has led IT organizations that support the internal business operations, product development activities and customer-facing service capabilities of multiple Fortune 500 companies. Settle serves on the advisory boards of several venture capital firms and personally pioneered the adoption of service management and cloud computing technologies within several large enterprises. He is the author of Truth from the Trenches: A Practical Guide to the Art of IT Management and a three-time CIO 100 honoree. Settle currently serves as the CIO of Okta, a San Francisco company offering cloud-based solutions for identity and access management.

This article is by Featured Blogger Mark Settle from his blog Mark Settle. Republished with the author’s permission.

Briefing a board of directors on the status of your company’s information security program is a dangerous tightrope act. If you’re too positive and overly confident, you can easily come across as naïve or uninformed. Conversely, if you’re too fatalistic about the inevitability of being compromised, they begin to wonder if they’ve got the wrong person running the program.

As a generalization, board directors have limited knowledge or insight into information security (infosec) management. They’ve likely led companies that implemented enterprise resource planning (ERP) systems, built e-commerce platforms or deployed mobile applications. Consequently, they’ve developed personal intuition and strong convictions about the best ways to manage these types of technology initiatives. However, as a rule, their understanding of infosec threats and safeguards is based largely upon news reports in the Wall Street Journal or USA Today and anecdotal stories from other board members.

A board’s interest in infosec is heightened not only by public breach disclosures but also by a company’s external auditors. Auditors typically brief the board on an annual basis regarding the risks their company is facing in the coming year. Infosec threats have appeared at the top of such lists on a recurring basis over the past few years, magnifying the board’s interest.

So what’s a chief information officer (CIO) or chief information security officer (CISO) to do? How can you strike the appropriate balance between prudence and paranoia? How can you frame your conversation with the board in investment terms they can understand? Here are some suggestions.

Establish A Scorecard

The board needs some type of framework it can use to keep score on the progress of your company’s infosec program. The NIST Cybersecurity Framework is the most commonly used scorecard, but it can easily be altered or extended to address the unique aspects of your company’s business model. Progress can be measured in one of two ways: you can report on the nature and extent of the safeguards that are being put in place, or you can report on the number of incidents that are being identified and mitigated. A word of warning: you need to explain to the board that the number of security incidents is likely to increase as your detection capabilities mature. A rising incident count is actually a reflection of the effectiveness of your program, not its ineffectiveness.

Obtain External Validation

The board will want periodic assurances by external experts that your infosec program is properly organized and adequately funded. This is not an indictment of your competence or capabilities. In fact, it’s a mark of good judgment to have periodic health checks of your program by acknowledged experts in the field. Validation can come from a wide variety of consulting organizations, former CISOs or even security service vendors. The board is going to ask for this anyway, so you might as well beat them to the punch and demonstrate that you welcome external feedback. It’s important substantively, symbolically and probably legally as well.

Report On The News

You should review major breaches that have received media attention since the last board meeting and be prepared to discuss them head-on. Include a standard slide in your briefing package that addresses publicly reported breaches. Don’t wait for board members to ask whether similar incidents could occur within your company, or to randomly inquire about different events they’ve read about. Be prepared to discuss any implications of such breaches for your firm and what -- if anything -- you’ve done about them. If your company is not susceptible to such breaches, explain why. Highlight the events that you believe are most concerning or most relevant to your firm and proactively discuss what you are doing to avoid them.

Become A Professor

Infosec is a complex and rapidly evolving field. Your attack surface is constantly expanding through the proliferation of access points and devices. Bad actors are continually exploiting new technologies and vulnerabilities, and you’re constantly deploying new tools, skills and procedures to counter new threats. Every board meeting is an educational opportunity that should be used to provide the directors with deeper insight into the challenges you confront and the manner in which you’re addressing them. The board is not interested in an academic seminar on infosec but they will appreciate bite-size updates about emerging threats, tools, skills, procedures, regulatory requirements, etc. You’ve got a tough job -- help them understand how tough it really is!

Graduate To Becoming A Trusted Advisor

Once you’ve gained the board’s respect, go beyond the standard program updates and expose them to information they can’t easily obtain anywhere else. Summarize the most provocative presentations or new technologies that you encountered at the annual RSA Security conference. Visit another company of similar size and complexity and report back on the comparative similarities and differences between their infosec program and yours. Share the results of an internal red team exercise and summarize the follow-up actions you’ve taken. Red team exercises are an effective way of weaning the board off their dependency on external consultants -- who knows more about the gaps within your security program than your own team? Properly positioned, the board should be far more interested in the outcome of your red team exercises than a NIST framework health assessment conducted by an outside consultant.

The good news is that boards have become more educated over time about the pervasiveness and persistence of security threats. They’re no longer expecting ironclad guarantees that your company is completely protected from such threats. They’re simply seeking assurance that you’re making prudent investments in safeguards that are most effective in addressing your firm’s specific liabilities. One final thing you can do to ease their concerns is to periodically review the communication plan you’ll employ to brief them in the event of a serious incident or breach. They may no longer be seeking a guarantee of 100% protection, but they do want a 100% guarantee that they won’t be left in the dark if your safeguards fail.