Public and media attention to data breaches and regulatory fines has dramatically deepened executive boards' focus on information security. If there is one thing we are all seeing, it is this: there is more board involvement in information security today than there was 12 or even 18 months ago. The board has an oversight and governance role over management's cybersecurity or information security activities. How are you preparing to answer your board of directors' questions on cybersecurity?
Boards and management have several fundamental responsibilities to ensure that information security governance is in force. It is important that CISOs keep the board focused on the following:
It's imperative to convey a keen understanding that risks and threats are real and could have significant impact on the enterprise. It's vital to explain how effective information security requires coordinated and integrated action from the top down.
Additionally, once the governing body has approved a policy and assigned the related roles and responsibilities, you must provide oversight for the development of a security and control framework consisting of standards, measures, practices and procedures.
Further, ensure that individual roles, responsibilities and authority are clearly communicated and understood by all.
However, before you face the board, make sure you can answer the following questions: Are you confident that security is being adequately addressed across the enterprise? Are you aware of the latest information security issues and best practices? Does the organization participate in an incident, threat and vulnerability notification and sharing service? What is industry best practice, and how does the enterprise compare? Do you regularly articulate and communicate the enterprise's requirements for information security? Do you have a view on how much the enterprise should invest in information security improvements? Are information security issues considered when developing business and IT strategy? Are you sharing regular progress reports on the state of security and on security improvement projects? Have you commissioned an independent audit or review of information security? Do you track progress on its recommendations?
You are not prepared to stand in front of the board if you are uncertain about what effective security governance looks like; if there is friction between the risk and reward of technology and securing it; and you have a narrow IT-centric view of information security.
Look, the reality is this: The board has an oversight and governance role over your cybersecurity or information security activities. The board is really not that interested in hearing details of your management of the function and doesn't want to be asked to get involved in that management either.
What this means for you is that the CISO's goal should be to establish trust and credibility with the board through very structured presentations. Board members tend to lack an intimate understanding of information security issues, and most times they aren't looking to develop it. The most important thing for the board is to have confidence that the security team understands the information risks deeply: “Do we have the right management in place and can we trust them?”
Instilling trust is not just personality driven or based on how the CISO conducts themselves in the boardroom. CISOs can earn a board's trust by doing their homework (e.g., talking to HR about employee behavior or getting an external perspective on the program's maturity) and by being transparent with their boards.