Risk
5/19/2014
12:00 PM
Steve Durbin
Steve Durbin
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

How To Talk About InfoSec To Your Board Of Directors

Today's cybersecurity challenges cannot be met by a compartmentalized IT strategy because every piece of the modern enterprise runs on connectivity and data.

In our global economy, the rapid evolution of technology has caused a massive shift in the information security landscape.  Businesses are finding that they have more limited resources than ever before which must be prioritized to areas of greatest need or return. The task of determining priorities is difficult in itself; the imperative is delivering more for less, both in terms of new investment and existing resources.

These monumental challenges cannot be met by a compartmentalized IT strategy because every piece of the modern enterprise runs on connectivity and data. Information technology runs through every department; so must information security initiatives. Today's chief information security officers (CISO) need to be proactive in promoting and supporting new business based on strong information security and sound business-based risk assessment.

As a result of these trends it is essential for CISOs to connect with the Board of Directors and approach technology and security initiatives with a risk vs. reward mindset. Too often new technologies are adopted as a way of differentiating to gain advantage over competitors. But without a robust, cost-benefit-risk analysis, organizations could end up standing out for all the wrong reasons.

Information security is the business
Managing information risk is critical for all organizations to deliver their strategies, initiatives and goals. Consequently, information risk management is relevant only if it enables the organization to achieve its objectives while also making it resilient to unexpected events. In conversation with the BoD, ask how information security can support corporate business priorities, such as acquiring and retaining customers, growing competitive advantage, and fostering innovation.

An organization's risk management activities -- whether coordinated as an enterprise-wide program or at functional levels  --  must include assessment of risks to information that could compromise success. Ask the tough questions: "If the worst happened, could we honestly tell our customers, partners, and regulators that we had done everything that was reasonably expected? Are we prepared for the future?"

Preventing negative incidents
One of the primary aims of information security is to prevent negative incidents. However, it's almost impossible for organizations to avoid such incidents completely. While many businesses are good at incident management, less have a mature, structured approach for analyzing what went wrong in the first place. As a result, they're incurring unnecessary costs and accepting inappropriate risks. Worse yet, they may be destined to repeat their mistakes.

Despite our best plans and efforts, not all security incidents can be prevented. Organizations of all sizes need mature incident management capabilities. Without a proper impact assessment, businesses don't know the incremental, long-term or intangible costs of an incident -- but those costs still hit the bottom line and the brand's reputation

Preparation is key to agility and resilience
Without knowing the cost of potential incidents, organizations will continue to misdirect resources, fix symptoms instead of causes, and even worse, not spend money where it's needed to mitigate a major incident in waiting. Lack of risk intelligence creates major weaknesses.

Most organizations have a limited appetite for investigating incidents, due to the understandable desire to get back to business as usual. It is the responsibility of the board and CISO to make sure this step is not overlooked; skipping a thorough investigation means the organization misses a golden opportunity to learn from it. Convincing the BoD of the value of impact assessments and associated follow-through is an important function of today's information security leader.

Take stock now before it's too late
Enterprises have varying degrees of control over today's ever-evolving security threats. Organizations where all stakeholders work together toward building a strong defense will be most likely to thrive under the immense pressure created by reduced resources, proliferating threats, and evolving technologies. New perils arise with the speed and unpredictability of a force of nature; businesses and consumers are vulnerable to damage. Organizations of all sizes need to take stock today to ensure they are fully prepared and engaged to deal with these ever-emerging security challenges.

Steve Durbin is Global Vice President of the Information Security Forum(ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously he was ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
stevedurbin
50%
50%
stevedurbin,
User Rank: Author
5/21/2014 | 5:39:47 PM
Re: Who talks to the BoD about InfoSec
Marilyn , great question and the answer is it depends... In many large companies now I'm seeing the CISO reporting through to the Chief Risk Officer or the Risk Committee, yet we still also see a more traditional CISO to CIO report line in some organisations; it really all depends on the view the organisation takes about security risk and, in heavily regulated industries, compliance.  What is common is that boards are now asking questions of their risk profile and ability to withstand and recover from cyber attacks.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
5/21/2014 | 2:50:43 PM
Who talks to the BoD about InfoSec
Steve, I'm curious about whether it's typical for a CISO to speak to the board of directors about InfoSec or whether it's the CIO that has that responsibility. What's your take on the division of labor/responsibility in communicating with the board about security matters.
stevedurbin
100%
0%
stevedurbin,
User Rank: Author
5/20/2014 | 3:04:35 AM
Re: "How" to talk to the Board !!
Hi, I'd be happy to pick up on the specifics - the how to - if that would be of interest to readers and @DarkReading of course, in a follow up blog piece.
felixonline
50%
50%
felixonline,
User Rank: Apprentice
5/19/2014 | 11:41:17 PM
"How" to talk to the Board !!
Hi, Understand the value proposition associated with engaging the Board on infosec matters, but there is very little coverage for and material on the "How"? For example, strategy, planning the delivery of messages (e.g. timing, extent of messaging, level of technical detail etc.), pre-requisites (e.g. CEO/CFO pre-engaged) etc. Are you planning a follow-up to this article?
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

CVE-2014-7292
Published: 2014-10-23
Open redirect vulnerability in the Click-Through feature in Newtelligence dasBlog 2.1 (2.1.8102.813), 2.2 (2.2.8279.16125), and 2.3 (2.3.9074.18820) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter to ct.ashx.

CVE-2014-8071
Published: 2014-10-23
Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Standalone Edition allow remote attackers to inject arbitrary web script or HTML via the (1) givenName, (2) familyName, (3) address1, or (4) address2 parameter to registrationapp/registerPatient.page; the (5) comment parameter to all...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.