Risk
5/19/2014
12:00 PM
Steve Durbin
Steve Durbin
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

How To Talk About InfoSec To Your Board Of Directors

Today's cybersecurity challenges cannot be met by a compartmentalized IT strategy because every piece of the modern enterprise runs on connectivity and data.

In our global economy, the rapid evolution of technology has caused a massive shift in the information security landscape.  Businesses are finding that they have more limited resources than ever before which must be prioritized to areas of greatest need or return. The task of determining priorities is difficult in itself; the imperative is delivering more for less, both in terms of new investment and existing resources.

These monumental challenges cannot be met by a compartmentalized IT strategy because every piece of the modern enterprise runs on connectivity and data. Information technology runs through every department; so must information security initiatives. Today's chief information security officers (CISO) need to be proactive in promoting and supporting new business based on strong information security and sound business-based risk assessment.

As a result of these trends it is essential for CISOs to connect with the Board of Directors and approach technology and security initiatives with a risk vs. reward mindset. Too often new technologies are adopted as a way of differentiating to gain advantage over competitors. But without a robust, cost-benefit-risk analysis, organizations could end up standing out for all the wrong reasons.

Information security is the business
Managing information risk is critical for all organizations to deliver their strategies, initiatives and goals. Consequently, information risk management is relevant only if it enables the organization to achieve its objectives while also making it resilient to unexpected events. In conversation with the BoD, ask how information security can support corporate business priorities, such as acquiring and retaining customers, growing competitive advantage, and fostering innovation.

An organization's risk management activities -- whether coordinated as an enterprise-wide program or at functional levels  --  must include assessment of risks to information that could compromise success. Ask the tough questions: "If the worst happened, could we honestly tell our customers, partners, and regulators that we had done everything that was reasonably expected? Are we prepared for the future?"

Preventing negative incidents
One of the primary aims of information security is to prevent negative incidents. However, it's almost impossible for organizations to avoid such incidents completely. While many businesses are good at incident management, less have a mature, structured approach for analyzing what went wrong in the first place. As a result, they're incurring unnecessary costs and accepting inappropriate risks. Worse yet, they may be destined to repeat their mistakes.

Despite our best plans and efforts, not all security incidents can be prevented. Organizations of all sizes need mature incident management capabilities. Without a proper impact assessment, businesses don't know the incremental, long-term or intangible costs of an incident -- but those costs still hit the bottom line and the brand's reputation

Preparation is key to agility and resilience
Without knowing the cost of potential incidents, organizations will continue to misdirect resources, fix symptoms instead of causes, and even worse, not spend money where it's needed to mitigate a major incident in waiting. Lack of risk intelligence creates major weaknesses.

Most organizations have a limited appetite for investigating incidents, due to the understandable desire to get back to business as usual. It is the responsibility of the board and CISO to make sure this step is not overlooked; skipping a thorough investigation means the organization misses a golden opportunity to learn from it. Convincing the BoD of the value of impact assessments and associated follow-through is an important function of today's information security leader.

Take stock now before it's too late
Enterprises have varying degrees of control over today's ever-evolving security threats. Organizations where all stakeholders work together toward building a strong defense will be most likely to thrive under the immense pressure created by reduced resources, proliferating threats, and evolving technologies. New perils arise with the speed and unpredictability of a force of nature; businesses and consumers are vulnerable to damage. Organizations of all sizes need to take stock today to ensure they are fully prepared and engaged to deal with these ever-emerging security challenges.

Steve Durbin is Global Vice President of the Information Security Forum(ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously he was ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
stevedurbin
50%
50%
stevedurbin,
User Rank: Author
5/21/2014 | 5:39:47 PM
Re: Who talks to the BoD about InfoSec
Marilyn , great question and the answer is it depends... In many large companies now I'm seeing the CISO reporting through to the Chief Risk Officer or the Risk Committee, yet we still also see a more traditional CISO to CIO report line in some organisations; it really all depends on the view the organisation takes about security risk and, in heavily regulated industries, compliance.  What is common is that boards are now asking questions of their risk profile and ability to withstand and recover from cyber attacks.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
5/21/2014 | 2:50:43 PM
Who talks to the BoD about InfoSec
Steve, I'm curious about whether it's typical for a CISO to speak to the board of directors about InfoSec or whether it's the CIO that has that responsibility. What's your take on the division of labor/responsibility in communicating with the board about security matters.
stevedurbin
100%
0%
stevedurbin,
User Rank: Author
5/20/2014 | 3:04:35 AM
Re: "How" to talk to the Board !!
Hi, I'd be happy to pick up on the specifics - the how to - if that would be of interest to readers and @DarkReading of course, in a follow up blog piece.
felixonline
50%
50%
felixonline,
User Rank: Apprentice
5/19/2014 | 11:41:17 PM
"How" to talk to the Board !!
Hi, Understand the value proposition associated with engaging the Board on infosec matters, but there is very little coverage for and material on the "How"? For example, strategy, planning the delivery of messages (e.g. timing, extent of messaging, level of technical detail etc.), pre-requisites (e.g. CEO/CFO pre-engaged) etc. Are you planning a follow-up to this article?
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2003-1598
Published: 2014-10-01
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

CVE-2011-4624
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.

CVE-2012-0811
Published: 2014-10-01
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files gene...

CVE-2014-2640
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in HP System Management Homepage (SMH) before 7.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-2641
Published: 2014-10-01
Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) before 7.4 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.