Risk
5/19/2014
12:00 PM
Steve Durbin
Steve Durbin
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

How To Talk About InfoSec To Your Board Of Directors

Today's cybersecurity challenges cannot be met by a compartmentalized IT strategy because every piece of the modern enterprise runs on connectivity and data.

In our global economy, the rapid evolution of technology has caused a massive shift in the information security landscape.  Businesses are finding that they have more limited resources than ever before which must be prioritized to areas of greatest need or return. The task of determining priorities is difficult in itself; the imperative is delivering more for less, both in terms of new investment and existing resources.

These monumental challenges cannot be met by a compartmentalized IT strategy because every piece of the modern enterprise runs on connectivity and data. Information technology runs through every department; so must information security initiatives. Today's chief information security officers (CISO) need to be proactive in promoting and supporting new business based on strong information security and sound business-based risk assessment.

As a result of these trends it is essential for CISOs to connect with the Board of Directors and approach technology and security initiatives with a risk vs. reward mindset. Too often new technologies are adopted as a way of differentiating to gain advantage over competitors. But without a robust, cost-benefit-risk analysis, organizations could end up standing out for all the wrong reasons.

Information security is the business
Managing information risk is critical for all organizations to deliver their strategies, initiatives and goals. Consequently, information risk management is relevant only if it enables the organization to achieve its objectives while also making it resilient to unexpected events. In conversation with the BoD, ask how information security can support corporate business priorities, such as acquiring and retaining customers, growing competitive advantage, and fostering innovation.

An organization's risk management activities -- whether coordinated as an enterprise-wide program or at functional levels  --  must include assessment of risks to information that could compromise success. Ask the tough questions: "If the worst happened, could we honestly tell our customers, partners, and regulators that we had done everything that was reasonably expected? Are we prepared for the future?"

Preventing negative incidents
One of the primary aims of information security is to prevent negative incidents. However, it's almost impossible for organizations to avoid such incidents completely. While many businesses are good at incident management, less have a mature, structured approach for analyzing what went wrong in the first place. As a result, they're incurring unnecessary costs and accepting inappropriate risks. Worse yet, they may be destined to repeat their mistakes.

Despite our best plans and efforts, not all security incidents can be prevented. Organizations of all sizes need mature incident management capabilities. Without a proper impact assessment, businesses don't know the incremental, long-term or intangible costs of an incident -- but those costs still hit the bottom line and the brand's reputation

Preparation is key to agility and resilience
Without knowing the cost of potential incidents, organizations will continue to misdirect resources, fix symptoms instead of causes, and even worse, not spend money where it's needed to mitigate a major incident in waiting. Lack of risk intelligence creates major weaknesses.

Most organizations have a limited appetite for investigating incidents, due to the understandable desire to get back to business as usual. It is the responsibility of the board and CISO to make sure this step is not overlooked; skipping a thorough investigation means the organization misses a golden opportunity to learn from it. Convincing the BoD of the value of impact assessments and associated follow-through is an important function of today's information security leader.

Take stock now before it's too late
Enterprises have varying degrees of control over today's ever-evolving security threats. Organizations where all stakeholders work together toward building a strong defense will be most likely to thrive under the immense pressure created by reduced resources, proliferating threats, and evolving technologies. New perils arise with the speed and unpredictability of a force of nature; businesses and consumers are vulnerable to damage. Organizations of all sizes need to take stock today to ensure they are fully prepared and engaged to deal with these ever-emerging security challenges.

Steve Durbin is Global Vice President of the Information Security Forum(ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously he was ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
stevedurbin
50%
50%
stevedurbin,
User Rank: Author
5/21/2014 | 5:39:47 PM
Re: Who talks to the BoD about InfoSec
Marilyn , great question and the answer is it depends... In many large companies now I'm seeing the CISO reporting through to the Chief Risk Officer or the Risk Committee, yet we still also see a more traditional CISO to CIO report line in some organisations; it really all depends on the view the organisation takes about security risk and, in heavily regulated industries, compliance.  What is common is that boards are now asking questions of their risk profile and ability to withstand and recover from cyber attacks.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
5/21/2014 | 2:50:43 PM
Who talks to the BoD about InfoSec
Steve, I'm curious about whether it's typical for a CISO to speak to the board of directors about InfoSec or whether it's the CIO that has that responsibility. What's your take on the division of labor/responsibility in communicating with the board about security matters.
stevedurbin
100%
0%
stevedurbin,
User Rank: Author
5/20/2014 | 3:04:35 AM
Re: "How" to talk to the Board !!
Hi, I'd be happy to pick up on the specifics - the how to - if that would be of interest to readers and @DarkReading of course, in a follow up blog piece.
felixonline
50%
50%
felixonline,
User Rank: Apprentice
5/19/2014 | 11:41:17 PM
"How" to talk to the Board !!
Hi, Understand the value proposition associated with engaging the Board on infosec matters, but there is very little coverage for and material on the "How"? For example, strategy, planning the delivery of messages (e.g. timing, extent of messaging, level of technical detail etc.), pre-requisites (e.g. CEO/CFO pre-engaged) etc. Are you planning a follow-up to this article?
More Blogs from Commentary
Dark Reading Radio: Data Loss Prevention (DLP) Fail
Learn about newly found vulnerabilities in commercial and open-source DLP software in the 7/30 episode of Dark Reading Radio.
The Perfect InfoSec Mindset: Paranoia + Skepticism
A little skeptical paranoia will ensure that you have the impulse to react quickly to new threats while retaining the logic to separate fact from fiction.
Weak Password Advice From Microsoft
Tempting as it may seem to do away with strong passwords for low-risk websites, password reuse is still a significant threat to both users and business.
Internet of Things: 4 Security Tips From The Military
The military has been connecting mobile command posts, unmanned vehicles, and wearable computers for decades. Itís time to take a page from their battle plan.
Passwords Be Gone! Removing 4 Barriers To Strong Authentication
As biometric factors become more prevalent on mobile devices, FIDO Alliance standards will gain traction as an industry-wide authentication solution.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0103
Published: 2014-07-29
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

CVE-2014-0475
Published: 2014-07-29
Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

CVE-2014-0889
Published: 2014-07-29
Multiple cross-site scripting (XSS) vulnerabilities in IBM Atlas Suite (aka Atlas Policy Suite), as used in Atlas eDiscovery Process Management through 6.0.3, Disposal and Governance Management for IT through 6.0.3, and Global Retention Policy and Schedule Management through 6.0.3, allow remote atta...

CVE-2014-2226
Published: 2014-07-29
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtains sensitive information via unspecified vectors.

CVE-2014-3020
Published: 2014-07-29
install.sh in the Embedded WebSphere Application Server (eWAS) 7.0 before FP33 in IBM Tivoli Integrated Portal (TIP) 2.1 and 2.2 sets world-writable permissions for the installRoot directory tree, which allows local users to gain privileges via a Trojan horse program.

Best of the Web
Dark Reading Radio