A recent Ponemon survey indicates an alarming lack of communication between security professionals and their organizations' board members. This lack of security communication leads to vast differences in confidence levels and security awareness. How can chief information security officers encourage better communication between the two groups? Should CISOs schedule additional meetings with the board? And if they can secure more time with the board, what information should be presented to it besides budget requests?
There are three questions to address in the CISO's security communication with the board: Is the CISO viewed as worthy of the board's attention? Does the CISO have a relevant and insightful message for the board? And does the board understand the cybersecurity risks and support the cybersecurity program for the company?
The CISO needs to get on the board's agenda on a recurring basis. A study from Threat Track Security in July 2014 reported "while enterprises are increasingly turning to CISOs to head their cybersecurity operations, about three quarters of respondents (74%) overwhelmingly said they do not believe that 'CISOs deserve a seat at the table and should be part of an organization's leadership team.'"
The board has many pressing issues to deal with. Skilled presenters appeal to the board's highest areas of concern, most of which come down to protecting and growing shareholder value. The CISO needs to do the same when delivering IT security communication. If CISOs do not have a recurring meeting with the board, they likely have only one shot to demonstrate the importance of their message. If the CISO does have a recurring meeting with the board, but the message is not viewed as relevant, those recurring communications are likely to become less frequent over time or shrink to an annual event.
The message to the board needs to be relevant, current and comprehensive. The Ponemon report stated that the cybersecurity topics that most often reach the board are the review and approval of a formal security strategy and incident response plan, assessment of the effectiveness of the organization's security policy, and optimization of cybersecurity investments in support of organizational efforts. The board will also review the organization's crisis management plan for cyberattacks.
The CISO typically will have 10 to 15 minutes to report on the state of information security, and this IT security communication needs to capture the attention of the board members. Annual approval of the security policy, the crisis management plan, the budget and the optimization of cybersecurity investments are probably spread throughout the year, so the recurring report has to carry other content. The CISO needs to include:
- Graphical progress reports of compliance and security improvements using a best practice security framework;
- Recent breaches in the news whose attack patterns could affect the company, together with ways to reduce the likelihood of occurrence and limit the impact if they do;
- Compliance with cybersecurity laws and regulations emphasizing company and board member liabilities; and
- Empirical data summaries of attack vectors experienced by the company so the board knows if and how the company is currently under attack.
Without board support, the CISO's work becomes a Sisyphean task. The CISO needs to study the board and its members. What keeps them up at night? How will they react when a breach occurs? The Threat Track Security report states that 52% of CEOs, 35% of COOs and 43% of CFOs agreed CISOs deserve the blame for security incidents. But when the board does not support the CISO and the cybersecurity program, the CISO is less an accountable executive than a scapegoat.
Identify one or two board members who have an interest in cybersecurity. Share cybersecurity news, statistics and information with them so they can champion the cybersecurity program in the boardroom. This lends support to the CISO's report and opens up the opportunity for better security communication. Make that board member look good.
The CISO needs skilled staff, effective monitoring and protection services, and the budget to pay for them. Without management support the options are limited to inexpensive open source tools, training the staff entirely in house, and negotiating with IT to transfer employees who have an interest in cybersecurity.
Fighting for the basic resources needed to deploy an information security program is very frustrating. Don't wait for a breach to get the board's attention; take a proactive approach. Be passionate about the cybersecurity program. Get on the board's agenda. Develop relevant report topics that spur open discussion among board members. Know your board members. Identify a board member who can champion your efforts. Educate your board: make sure they understand cybersecurity, board and board member liabilities, and how these relate to the enterprise. Give others, such as business unit managers, IT managers, compliance executives and legal counsel, reason to speak well of the information security program and the CISO. Remember, no one will care more about cybersecurity than you do.
Related Q&A from Mike O. Villegas