Your organization will come under attack. It's not a matter of "if." It's a matter of "when." And security is no longer simply an operational concern. As technology has become the central component of nearly all business processes, security has become a business concern. As a result, information security should sit firmly on the boardroom agenda.
"If the worst were to happen, could we honestly tell our customers, partners or regulators that we've done everything that was expected of us, especially in the face of some fairly hefty fines that could be levied by regulators," asks Steve Durbin, global vice president of the Information Security Forum, a nonprofit association that researches and analyzes security and risk management issues on behalf of its members, many of whom are counted among the Fortune Global 500 and Fortune Global 1000.
"We're seeing, I think, not only that boards need to get up to speed on this, but also they need to be preparing their organization for the future," Durbin says. "They need to be determining how they can be more secure tomorrow than they were today."
It's About Risk Management, Not Compliance
It's not just about compliance, he emphasizes. It's about overall risk management.
"If you're in a highly regulated industry, you need to be compliant," he says. "But that needs to be going hand-in-hand with your risk-based approach. It really is no good, if you have a breach or a problem, simply sitting back and saying, 'But we're compliant.'"
And this, Durbin says, requires the chief information security officer (CISO) to step up and engage the board.
"The CISO's function is certainly going through a process of pretty significant change, but I think businesses are as well," he says. "The role has evolved significantly from just being focused on pure technology to being focused on business risk and speaking the language of business to get the message across to boards that are probably not as technologically savvy as they ought to be."
Business-Savvy CISOs Have an Opportunity
"The bottom line here is that there is a bit of an opportunity for business-savvy, smart CISOs who are able to make that transition," he adds. "It is an opportunity in terms of how they can convey those messages to the board to really address this topic of resilience that we talk about over and over again."
"When boards and CISOs engage successfully, organizations are better able to take advantage of the opportunities presented by cyberspace and today's information technology while addressing the associated risk," says Michael de Crespigny, CEO of the ISF. "To manage the risk/reward balance, CISOs must drive engagement across their organizations, changing the conversation to convey the value of information security to the organization--in terms that resonate with top decision makers and align with business objectives."
CISOs Need to Adopt a Service Provider Approach
Durbin says that like the CIO, the CISO now needs to adopt a more customer or account management focus on their clients--to become service providers to the business. In other words, the CISO and the security function need to stop being roadblocks and traffic cops in favor of becoming facilitators that help the business achieve business goals in a secure manner.
"They need to really be moving beyond a security strategy," Durbin says. "I am seeing much more of a trend where they're saying, 'You know what? We don't have a security strategy anymore. We have a business strategy. We embed ourselves within the business strategy and roll out together. If, from a business standpoint, we consider there's significant enough value in going down a bring-your-own route, my job is to figure out how do we do that in a secure fashion."
"CISOs need to lead and drive engagement with the board--and start by changing the conversation," de Crespigny says. "They need to translate the complex world of information security and information risk into easily understandable issues and solutions. CISOs must change their way of thinking and the resulting conversation, so that information risk can be considered alongside other risks that boards oversee. As information security leaders, we have to shape the way we talk about information risk management for each audience."
That doesn't necessarily mean that the CISO will walk into a board meeting and chew the fat, Durbin says. A CISO who reports to the CFO might bring the message to that executive, relying on the CFO to raise the issues with the board. But whoever carries the message, the important point, he stresses, is that the message cannot be statistics about levels of malware, it has to be about how the security function can assist the business in achieving business goals.
Tips and Warnings to Help the CISO Engage the Board
In a recent report, Engaging with the Board: Balancing cyber risk and reward, the ISF presented a four-point plan for CISOs to engage the board: define, prepare, engage and review.
At the "Define" stage, CISOs must understand the organization's business and its perception of information security, understand the board and define the scope of the security program. The ISF offers a number of tips, warnings and notes for this stage:
Understand all the stakeholders, not just the internal ones. These include the SEC, FCC, FSA and ICO as well as the board and audit committee.
Don't remind board members of their fiduciary duties--instead show them how you can help them to discharge those duties.
Find out how information security is viewed by the rest of the organization--you want to be seen as a business enabler.
At the "Prepare" stage, CISOs must determine what to say, how to say and to whom to say it. Tips for this stage include the following:
Reporting does not drive action; be clear in expressing what outcomes you are looking to achieve.
Engage with government agencies and others that have a reputation for high-quality threat intelligence.
In the cases when statistics and KPIs are useful, they should not be the starting point for creating the message.
At the "Engage" stage, CISOs must lay the foundation for success, have the conversation and build the board's confidence. Tips include the following:
Don't try management by decibels.
Be relentless in demonstrating business value.
Leverage everything you can; there is no time to sit on your laurels.
Don't try to educate the board in the meeting; no individual will want to show ignorance of the topic in front of the others.
At the "Review" stage, CISOs must find out what happened, assess the success of the iteration and identify the next steps. Tips include the following:
Hearsay is a form of feedback; although its content is not always reliable, it carries an indication about the general appreciation of your performance in front of the board.
Look for and review the minutes--if possible check with the minute-taker to see what he or she going to record against your topic before they publish the minutes.
Engagement typically starts below board level and works up one level at a time.
Meeting your objectives is not always essential, it may be that the iteration improved engagement in ways that you had not anticipated.