Nancy Edwards
There is both good news and bad news for IT security professionals appealing to their higher-ups for more resources.

The good news is that your board of directors wants to hear about security.

The bad news is that they only want to hear about it for 10 minutes, plus maybe 10 minutes more for Q&A.

Unfortunately, there's further bad news: members of the board are independent thinkers and they feel free to interrupt you at any time. Result? You may not get your full time on the agenda.

Do you remember that in the movie Miss Congeniality the correct answer for all the questions asked of the beauty pageant contestants was “world peace”? With only 10 minutes to convey the status of security, you may feel you're in the same position: “All I want for our company is to be safe and secure.”

So what do you do with only 10 minutes to cover a topic that can be measured in so many ways? At my company, we discussed what's most important at a corporate level, and we decided that a picture is worth a thousand words...and millions of numbers. Our answer: present a few succinct charts.

We chose the CISSP domains as a framework (excluding business continuity, for which we report separately). Next, we picked and scored two to three metrics under each CISSP domain.
In the charts we prepared, each metric has a numeric score that dictates whether it is scored green, yellow or red.

That determination comes from a common scorecard applied to each of our diverse metrics. To get one scorecard that works for assorted metrics and subjects, we focused the scorecard on compliance with best practice.

We're careful to say that achieving a green status doesn't mean our company is immune from a problem. It simply means we've done everything in a reasonable manner according to best practice, or we've made a specific evaluation as to why a best practice doesn't apply to our situation.

The scorecard breaks down into five sections: identifying best practices receives 10 points; assessing company practice against best practice receives 15; deciding which best practices to adopt and how to implement them here receives 15; progressing on implementation of the strategy gets 30; testing our company receives 30. This adds up to a grand total of 100.

To get green status requires at least 80 points, and you can't get that far without some testing.
Making a report to your company's board of directors is always challenging, but the task makes one focus broadly and makes one decide what really counts.


Why does the board of directors care about security? Nancy Edwards, VP/CSO, State Auto Insurance Companies, says that it's vital to be safe. Companies can lose their crown jewels — trade secrets and operational tools.

Second, says Edwards, boards should recognize that it's costly not to be safe. The TJX case, for example, gives the board plenty of reasons to care: bad security can cost the company lots of money and affect the stock price.

Regulations are extremely important as well, says Edwards. For example, the Gramm-Leach-Bliley Act requires that the boards of directors of financial service companies pay attention to information security.

And if those weren't enough reasons to convince a board, Edwards points to customer expectations. If all other things are equal, she says, the customer would rather deal with a company that treats their data well.