NIST standard puts security at start of critical systems development

As company boards face increasing pressure to understand, and effectively respond to, cyber security issues, IT pros must be prepared to deliver these leaders actionable insight on threats.

On Tuesday, Joanne Martin, global CISO at IBM, advised a group of security professionals on engaging boards of directors about such matters.

During her keynote address at SC Congress Toronto, Martin said that boards are interested in being briefed on bigger-picture threat concerns as they pertain to organizational risks.

“They really don't want to talk technology; they want to talk safety,” Martin told the crowd.

During her talk, Martin explained how IBM's security program has matured over the years, particularly in simplifying its governance structure.

Between 1992 and 2004, the company went from having 128 CIOs around the world to consolidating the role under a single individual, she explained.

“It's a structure that globally recognizes that we have one set of policies, everywhere,” Martin said.

In addition, IBM's security team was tasked with pinpointing the top five risks to the company – another way to streamline corporate security efforts.

Among the top risks at the company now are threats introduced by Windows XP, Martin revealed. The software, which reached its end of support in April, is still embedded in parts of IBM's systems – a concern many businesses likely face in the aftermath of XP's sunset.

In her experience with boards of directors, Martin also found that many are interested in pinpointing the “crown jewels” at their organization, so there is a clear level of accountability and data prioritization when responding to, or preventing, a breach or attack.

“Boards want to know, how do you know what your most important data is, and how do you protect it?” Martin said.

In her talk, she explained that boards of directors are now, more than ever, forced to answer for company decisions made in the wake of major breaches. There have even been recommendations to vote out board members over such concerns, Martin added.

In the aftermath of Target's massive card breach, Institutional Shareholder Services recommended that several members of the company's board of directors be ousted.

While the board members' positions were ultimately spared, the gravity of the situation was not lost on the company. In June, Target board interim chairwoman Roxanne Austin defended the board's response to the incident in a letter to investors filed with the SEC.