CISOs Must Engage the Board About Information Security

Your organization will come under attack. It's not a matter of "if." It's a matter of "when." And security is no longer simply an operational concern. As technology has become the central component of nearly all business processes, security has become a business concern. As a result, information security should sit firmly on the boardroom agenda.

"If the worst were to happen, could we honestly tell our customers, partners or regulators that we've done everything that was expected of us, especially in the face of some fairly hefty fines that could be levied by regulators," asks Steve Durbin, global vice president of the Information Security Forum, a nonprofit association that researches and analyzes security and risk management issues on behalf of its members, many of whom are counted among the Fortune Global 500 and Fortune Global 1000.

"We're seeing, I think, not only that boards need to get up to speed on this, but also they need to be preparing their organization for the future," Durbin says. "They need to be determining how they can be more secure tomorrow than they were today."

It's About Risk Management, Not Compliance

It's not just about compliance, he emphasizes. It's about overall risk management.

"If you're in a highly regulated industry, you need to be compliant," he says. "But that needs to be going hand-in-hand with your risk-based approach. It really is no good, if you have a breach or a problem, simply sitting back and saying, 'But we're compliant.'"

And this, Durbin says, requires the chief information security officer (CISO) to step up and engage the board.

"The CISO's function is certainly going through a process of pretty significant change, but I think businesses are as well," he says. "The role has evolved significantly from just being focused on pure technology to being focused on business risk and speaking the language of business to get the message across to boards that are probably not as technologically savvy as they ought to be."

Business-Savvy CISOs Have an Opportunity

"The bottom line here is that there is a bit of an opportunity for business-savvy, smart CISOs who are able to make that transition," he adds. "It is an opportunity in terms of how they can convey those messages to the board to really address this topic of resilience that we talk about over and over again."

"When boards and CISOs engage successfully, organizations are better able to take advantage of the opportunities presented by cyberspace and today's information technology while addressing the associated risk," says Michael de Crespigny, CEO of the ISF. "To manage the risk/reward balance, CISOs must drive engagement across their organizations, changing the conversation to convey the value of information security to the organization--in terms that resonate with top decision makers and align with business objectives."

CISOs Need to Adopt a Service Provider Approach

Durbin says that, like the CIO, the CISO now needs to treat the business units as clients and adopt a customer or account management focus--to become a service provider to the business. In other words, the CISO and the security function need to stop being roadblocks and traffic cops and instead become facilitators that help the business achieve its goals in a secure manner.

"They need to really be moving beyond a security strategy," Durbin says. "I am seeing much more of a trend where they're saying, 'You know what? We don't have a security strategy anymore. We have a business strategy. We embed ourselves within the business strategy and roll out together. If, from a business standpoint, we consider there's significant enough value in going down a bring-your-own route, my job is to figure out how do we do that in a secure fashion."

"CISOs need to lead and drive engagement with the board--and start by changing the conversation," de Crespigny says. "They need to translate the complex world of information security and information risk into easily understandable issues and solutions. CISOs must change their way of thinking and the resulting conversation, so that information risk can be considered alongside other risks that boards oversee. As information security leaders, we have to shape the way we talk about information risk management for each audience."

That doesn't necessarily mean that the CISO will walk into a board meeting and chew the fat, Durbin says. A CISO who reports to the CFO might bring the message to that executive, relying on the CFO to raise the issues with the board. But whoever carries the message, the important point, he stresses, is that the message cannot be statistics about levels of malware, it has to be about how the security function can assist the business in achieving business goals.

Tips and Warnings to Help the CISO Engage the Board

In a recent report, Engaging with the Board: Balancing cyber risk and reward, the ISF presented a four-point plan for CISOs to engage the board: define, prepare, engage and review.

At the "Define" stage, CISOs must understand the organization's business and its perception of information security, understand the board and define the scope of the security program. The ISF offers a number of tips, warnings and notes for this stage:

Understand all the stakeholders, not just the internal ones. These include the SEC, FCC, FSA and ICO as well as the board and audit committee.

Don't remind board members of their fiduciary duties--instead show them how you can help them to discharge those duties.

Find out how information security is viewed by the rest of the organization--you want to be seen as a business enabler.

At the "Prepare" stage, CISOs must determine what to say, how to say it and to whom to say it. Tips for this stage include the following:

Reporting does not drive action; be clear in expressing what outcomes you are looking to achieve.

Engage with government agencies and others that have a reputation for high-quality threat intelligence.

Even in cases where statistics and KPIs are useful, they should not be the starting point for creating the message.

At the "Engage" stage, CISOs must lay the foundation for success, have the conversation and build the board's confidence. Tips include the following:

Don't try management by decibels.

Be relentless in demonstrating business value.

Leverage everything you can; there is no time to sit on your laurels.

Don't try to educate the board in the meeting; no individual will want to show ignorance of the topic in front of the others.

At the "Review" stage, CISOs must find out what happened, assess the success of the iteration and identify the next steps. Tips include the following:

Hearsay is a form of feedback; although its content is not always reliable, it carries an indication about the general appreciation of your performance in front of the board.

Look for and review the minutes--if possible, check with the minute-taker to see what he or she is going to record against your topic before the minutes are published.

Engagement typically starts below board level and works up one level at a time.

Meeting your objectives is not always essential; it may be that the iteration improved engagement in ways that you had not anticipated.

Stories by Thor Olavsrud