
Board interest in information security principles growing

Corporate boards have increased their awareness of security issues, but experts say they still lack information security principles.

The information security community has long taken corporate boards to task for failing to be actively involved in IT security programs, including not investing enough resources in staff and threat mitigation technologies. However, infosec professionals may need to shelve that criticism, as two experts now say that a lack of security education, not a lack of awareness, is holding board members back from taking more active roles in information security programs.

Ken Daly, president and CEO of the National Association of Corporate Directors (NACD), a non-profit group focused on advanced boardroom leadership and practices, said that many of the more than 14,000 members at the NACD have expressed a desire to lead on information security topics within their respective organizations. Any notion that IT security risk wasn't under the purview of corporate board members was dismissed in recent years, he noted, by the high-profile leaks from Edward Snowden and Bradley Manning, as well as the breaches that affected Target Corp. and other major retailers.

Speaking at a Department of Homeland Security event Tuesday, Larry Clinton, president and CEO of the Internet Security Alliance, agreed with Daly's assessment, citing statistics from a recent FTI Consulting study that showed data security is now the top concern among corporate directors and general counsel. Data security supplanted last year's choice of succession and leadership transition, Clinton added, which shows that information security has become a prominent topic among corporate board members.

"We've actually moved beyond our first goal, which was [raising] cybersecurity awareness, to the harder issue, which is actually understanding the problem and then pragmatically working to solve it," said Clinton. "It's one thing to talk about the fact that cybersecurity should be part of the business, [but] it's another thing to actually do it."

Indeed, rising awareness of information security issues among board members is obviously a positive, Daly said, but it hasn't necessarily led to more action from boards when it comes to mitigating risks. Many NACD members have actually indicated through surveys and informal discussions that they simply lack the education when it comes to security topics, according to Daly, with some going as far as admitting that they don't have the security-specific vocabulary needed to effectively discuss relevant technologies, threat vectors and trends.

To answer that demand for more information security knowledge, the NACD released a handbook in June that details five general information security principles, all of which are aimed at covering board-level considerations related to security risk oversight. Daly said that the handbook has been downloaded more than 1,200 times since its release and will likely receive more attention as the Department of Homeland Security has chosen to highlight it as a resource for private sector businesses concerned about security. The NACD will also be providing more security resources in the form of a video series and expert presentations at the organization's meetings, he added.

As for what's included in the NACD handbook, one of the principles advises board members to be aware of the legal implications associated with cyber risks. Certain states such as California have established specific guidelines in regard to breach notifications, while high-profile data breaches have led to numerous companies being sued. To ensure that a business cannot be accused of neglecting security after such an event, the NACD handbook noted that board discussions featuring security topics -- including updates on specific risks, the security program as a whole and technologies -- should be recorded in the minutes of all official meetings.

The handbook also says corporate boards should ensure that they regularly meet with pertinent security staff and experts to discuss cyber risks, and decide how much tolerance each individual organization will have for such risks. What the handbook doesn't advocate, Daly emphasized, is the placement of a dedicated security resource on a board.

Instead, Daly said that all board members should be involved in managing risk as part of an "enterprise-wide" strategy. That means that each board member and committee should be involved with understanding how security impacts their specific realm within the enterprise, he noted, and then determining whether to take a deep dive themselves in an attempt to manage the issue, or possibly even hiring outside consultants to help educate them.

"I've not heard a lot of desire [from NACD members] to put another expert on the board," said Daly. "I think that actually defeats this enterprise-wide notion."

Daly expressed his hope that even if the NACD handbook doesn't provide all the answers for corporate boards, it will at least turn the current "unknown" of information security into an "uncertain" -- meaning that they will accept that data breaches are an inevitability, but the outcome of such breaches can still be affected by the mitigations put in place by an organization in advance.

The NACD handbook is only available (despite the "COMPLIMENTARY CONTENT AVAILABLE TO ALL" admonition) to proven board-level members who register for a fee. This is quite a lack of transparency, as the InfoSec community at large has no way to vet this information as relevant, or even accurate.
The security of an organisation's data is paramount. And whilst it is important to be 'aware' of security issues, it is more vital that a board takes responsibility for this and is actively doing something to ensure the safety of their company's data. Board data for example is highly sensitive, and a conscientious and comprehensive oversight at the board level is essential, as Daly suggests. Fortunately, there are solutions available that eliminate the risk associated with paper board packs and data. Boards should invest in targeted meeting tools that not only provide a fast and consistent way of providing board packs, but provide users with access to information securely and efficiently, at any time, delivering information in a structured, ordered format. Crucially, data is stored securely, in facilities that are compliant with local data regulations, allowing board members to access it from their device. Furthermore, stringent password requirements can be applied for system users, to prevent unwanted access or worse, a loss of data. Tools that help manage the risk by monitoring and prioritising it alongside other risks, and crucially one that can be integrated with an organisation's existing meeting management software will undoubtedly provide the board with a comprehensive oversight. Security is a risk that board members are increasingly aware of but are not necessarily taking the action to mitigate. With the increasing complexity of security threats and a pressure to prevent the negligence of security matters, boards should look to actively and continuously exploit solutions that provide real time access to information, safely and securely.

-- Alister Esam, Managing Director, eShare