How CISOs should address their boards about security

Don't wait until after a breach to talk with your board of directors. Have regular discussions to make sure you're on the same page on security priorities.


There are two times you might have to talk to your organization’s board of directors about security: before a breach and after. Be sure you’ve had the former before you need to have the latter.

The board of directors, whose duty it is to oversee the company in the long-term interest of the owners, needs to know you’ve taken prudent steps to protect the organization’s digital assets. That should mean the board wants to talk with you, the CISO, to learn firsthand what your department is doing to mitigate information security threats.


Board members want a high-level picture of the threat landscape and a checklist of the measures you’ve taken and policies you’ve adopted to protect the organization. Your job is to provide the board with perspective and not necessarily details. A scorecard or checklist can be an effective visual and a good starting point for a discussion of the organization’s security measures. It lets you provide a high-level overview, and it gives you a road map for diving into details if the board asks for more information.

Initiate security discussions

In some organizations, some of the time, the board of directors may give less thought to information security than to other business priorities. When that happens, it’s your job to initiate a dialog, especially when new threats arise or you’ve implemented new security measures. Prepare a briefing on the new factors, how your department is addressing them and what support you need from the board as you protect the business.

When you explain to your board what the organization does and needs to do to address infosec risks, you’ll probably have to translate technical details into business terms, even if some of the board members have a technical background. It might be frustrating to have to “dumb down” the details, but technical knowledge is your responsibility and business issues are theirs; it’s inevitable that something will be lost in translation.

If the response from board members isn’t all you could hope for, you may have to take a firmer stand on the importance of information security.

Ask them, “In the event of a breach, could we truthfully assert that we did everything reasonable to protect our data?” You need the board behind you because you work within constraints imposed by the board and upper management. You’re responsible for the actions of your department, but they’re responsible for the bigger picture of budget and strategy.

When you talk to the board, you need to provide perspective. No organization is 100 percent impervious to attacks. The goal is to minimize the damage that results from them. It’s the difference between a denial of service attack that brings down your online ordering system, one that slows access for several hours, and one that causes a five-minute hiccup while you implement your preplanned defensive arrangements.

The board’s job (and to some extent your own) is to balance risk with other priorities, such as turning a profit. You need to be able to offer a defensible, quantified assessment of risk as well as numbers for the cost of measures to mitigate that risk.

Look at the big picture: How can security advance the company's goals?

Every conversation with the board should be a dialog. It’s not all about you as CISO wanting a bigger budget and more people because of a more dangerous threat landscape. Like the board, you have to see the bigger picture. You should ask how your department can help further business goals and to what business priorities you should direct your department’s time and energy.

All of that discussion should take place as a regular part of doing business. Talking about information security with the board after a breach is a more stressful situation. At this point, the board isn’t looking for a scapegoat or someone to blame—it wants assurances that the leak has been plugged and an assessment of the damage done.

After informing the board, you’ll probably have to work with your organization’s communications team to craft a message telling affected users and regulatory officials exactly what happened and why.

The search for blame isn’t the board’s top priority. But if the board finds the breach was caused by incompetence (a port accidentally left open, credentials of a fired employee not revoked), you’re going to be having a very uncomfortable conversation.


The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.

Copyright © 2017 IDG Communications, Inc.
