How CISOs should address their boards about security

Apr 25, 2017 | 4 mins
Internet Security, IT Leadership, Network Security

Don't wait until after a breach to talk with your board of directors. Have regular discussions to make sure you're on the same page on security priorities.


There are two times you might have to talk to your organization’s board of directors about security: before a breach and after. Be sure you’ve had the former before you need to have the latter.

The board of directors, whose duty it is to run the company in the long-term interest of the owners, needs to know you’ve taken prudent steps to protect the organization’s digital assets. That should mean the board wants to talk with you, the CISO, to learn firsthand what your department is doing to mitigate information security threats.

Board members want a high-level picture of the threat landscape and a checklist of the measures you’ve taken and policies you’ve adopted to protect the organization. Your job is to provide the board with perspective and not necessarily details. A scorecard or checklist can be an effective visual and a good starting point for a discussion of the organization’s security measures. It lets you provide a high-level overview, and it gives you a road map for diving into details if the board asks for more information.

Initiate security discussions

In some organizations, some of the time, the board of directors may give less thought to information security than to other business priorities. When that happens, it’s your job to initiate a dialog, especially when new threats arise or you’ve implemented new security measures. Prepare a briefing on the new factors, how your department is addressing them and what support you need from the board as you protect the business.

When you explain to your board what the organization does and needs to do to address infosec risks, you’ll probably have to translate technical details into business terms, even if some of the board members have a technical background. It might be frustrating to have to “dumb down” the details, but technical knowledge is your responsibility and business issues are theirs; it’s inevitable that something will be lost in translation.

If the response from board members isn’t all you could hope for, you may have to take a firmer stand on the importance of information security.

Ask them, “In the event of a breach, could we truthfully assert that we did everything reasonable to protect our data?” You need the board behind you because you work within constraints imposed by the board and upper management. You’re responsible for the actions of your department, but they’re responsible for the bigger picture of budget and strategy.

When you talk to the board, you need to provide perspective. No organization is 100 percent impervious to attacks. The goal is to minimize the damage that results from them. It’s the difference between a denial of service attack that brings down your online ordering system, one that slows access for several hours, and one that causes a five-minute hiccup while you implement your preplanned defensive arrangements.

The board’s job (and to some extent your own) is to balance risk with other priorities, such as turning a profit. You need to be able to offer a defensible, quantified assessment of risk as well as numbers for the cost of measures to mitigate that risk.

Look at the big picture: How can security advance the company’s goals?

Every conversation with the board should be a dialog. It’s not all about you as CISO wanting a bigger budget and more people because of a more dangerous threat landscape. Like the board, you have to see the bigger picture. You should ask how your department can help further business goals and to what business priorities you should direct your department’s time and energy.

All of that discussion should take place as a regular part of doing business. Talking about information security with the board after a breach is a more stressful situation. At this point, the board isn’t looking for a scapegoat or someone to blame—it wants assurances that the leak has been plugged and an assessment of the damage done.

After informing the board, you’ll probably have to work with your organization’s communications team to craft a message telling affected users and regulatory officials exactly what happened and why.

The search for blame isn’t the board’s top priority. But if the board finds the breach was caused by incompetence (a port accidentally left open, credentials of a fired employee not revoked), you’re going to have a very uncomfortable conversation.


The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girl’s mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity, Web Security Journal and others.