Manage Learn to apply best practices and optimize your operations.

How should organizations make a cybersecurity policy a top priority?

Supporting a cybersecurity policy should be a priority for executive boards. Expert Joseph Granneman explains how CISOs can effectively communicate its importance.

The Department of Homeland Security recently said that setting and following a cybersecurity policy should be a top priority for company board members. How should CISOs and other information security leaders support this effort?

The IT department often gets a little apprehensive when my company is about to perform a vulnerability assessment or penetration test. It usually isn't because they are afraid we will find security issues -- most IT departments are stretched so thin that they have accepted that an audit will find security issues -- their concern comes from the fear of how management will react to the findings, as organizations where security is not ingrained in the culture will want to blame the IT department. They mistakenly consider security to only be an IT issue, but that couldn't be farther from the truth. Information security is an organizational problem that requires organizational focus, originating at the board level and working down through the organization.

CISOs need to find ways to lead the board through the development and implementation of a cybersecurity policy to elevate organizational priority. This can be a challenge for the organizations that still see security as an IT-only problem and may require the CISO to utilize creative tactics. The most difficult part of this process is getting time on the board's agenda. The approaches to getting on the agenda are as varied as the personalities on the board. A CISO can try building relationships with other executives to build support for a cybersecurity agenda. Third-party consultants are sometimes more trusted than internal resources and can also be used to both build security awareness and get in front of the board. You may find support from board members in other industries, such as the banking and financial sector, that have experience in cybersecurity. Experimentation will be required to find the best approach for your organization.

It can be just as hard to keep cybersecurity on the board's agenda as it was to get there in the first place. A CISO needs to focus on presenting concise information -- such as security program metrics and organizational threat readiness -- to keep the board's attention. I like to frame organizational risks in a prioritized top ten list that most people can understand quickly. It also allows for interactive feedback on the appropriateness and prioritization of risks on the list. Some board members may need education on certain technologies, which should be addressed individually to keep presentations short. This strategy also has a side benefit of helping to build relationships with board members while establishing an element of trust.

Information security cannot be considered just an IT problem any longer. Today an organization needs to have security ingrained into its culture to have a chance at defending its information assets. This culture must start from the top with the organization's board and executive management. The CISO plays a critical role in this culture of security by encouraging board participation through the development of a board cybersecurity policy. CISOs will have to use their knowledge of organizational politics, along with a little creativity, in order to help develop and foster the creation of this important policy.  This may be one of the more effective methods for CISO's to finally elevate cybersecurity beyond being just an IT problem and up to a board-level priority.

Ask the Expert
Have questions about enterprise security?  Send them via email today! (All questions are anonymous.)

Next Steps

Executive communication on security may be improving as board interest in security principles grow.

This was last published in February 2015

Dig Deeper on Information security program management