Risk
5/19/2014
12:00 PM
Steve Durbin
Commentary
How To Talk About InfoSec To Your Board Of Directors

Today's cybersecurity challenges cannot be met by a compartmentalized IT strategy because every piece of the modern enterprise runs on connectivity and data.

In our global economy, the rapid evolution of technology has caused a massive shift in the information security landscape. Businesses are finding that they have more limited resources than ever before, which must be prioritized to the areas of greatest need or return. The task of determining priorities is difficult in itself; the imperative is delivering more for less, both in terms of new investment and existing resources.

These monumental challenges cannot be met by a compartmentalized IT strategy because every piece of the modern enterprise runs on connectivity and data. Information technology runs through every department; so must information security initiatives. Today's chief information security officers (CISOs) need to be proactive in promoting and supporting new business based on strong information security and sound business-based risk assessment.

As a result of these trends, it is essential for CISOs to connect with the Board of Directors (BoD) and approach technology and security initiatives with a risk vs. reward mindset. Too often new technologies are adopted as a way of differentiating to gain advantage over competitors. But without a robust cost-benefit-risk analysis, organizations could end up standing out for all the wrong reasons.

Information security is the business
Managing information risk is critical for all organizations to deliver their strategies, initiatives and goals. Consequently, information risk management is relevant only if it enables the organization to achieve its objectives while also making it resilient to unexpected events. In conversation with the BoD, ask how information security can support corporate business priorities, such as acquiring and retaining customers, growing competitive advantage, and fostering innovation.

An organization's risk management activities -- whether coordinated as an enterprise-wide program or at functional levels -- must include assessment of risks to information that could compromise success. Ask the tough questions: "If the worst happened, could we honestly tell our customers, partners, and regulators that we had done everything that was reasonably expected? Are we prepared for the future?"

Preventing negative incidents
One of the primary aims of information security is to prevent negative incidents. However, it's almost impossible for organizations to avoid such incidents completely. While many businesses are good at incident management, fewer have a mature, structured approach for analyzing what went wrong in the first place. As a result, they're incurring unnecessary costs and accepting inappropriate risks. Worse yet, they may be destined to repeat their mistakes.

Despite our best plans and efforts, not all security incidents can be prevented. Organizations of all sizes need mature incident management capabilities. Without a proper impact assessment, businesses don't know the incremental, long-term, or intangible costs of an incident -- but those costs still hit the bottom line and the brand's reputation.

Preparation is key to agility and resilience
Without knowing the cost of potential incidents, organizations will continue to misdirect resources, fix symptoms instead of causes, and even worse, not spend money where it's needed to mitigate a major incident in waiting. Lack of risk intelligence creates major weaknesses.

Most organizations have a limited appetite for investigating incidents, due to the understandable desire to get back to business as usual. It is the responsibility of the board and CISO to make sure this step is not overlooked; skipping a thorough investigation means the organization misses a golden opportunity to learn from it. Convincing the BoD of the value of impact assessments and associated follow-through is an important function of today's information security leader.

Take stock now before it's too late
Enterprises have varying degrees of control over today's ever-evolving security threats. Organizations where all stakeholders work together toward building a strong defense will be most likely to thrive under the immense pressure created by reduced resources, proliferating threats, and evolving technologies. New perils arise with the speed and unpredictability of a force of nature; businesses and consumers are vulnerable to damage. Organizations of all sizes need to take stock today to ensure they are fully prepared and engaged to deal with these ever-emerging security challenges.

Steve Durbin is Global Vice President of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously he was ...

Comments
stevedurbin (User Rank: Author)
5/21/2014 | 5:39:47 PM
Re: Who talks to the BoD about InfoSec
Marilyn, great question and the answer is it depends... In many large companies now I'm seeing the CISO reporting through to the Chief Risk Officer or the Risk Committee, yet we still also see a more traditional CISO to CIO report line in some organisations; it really all depends on the view the organisation takes about security risk and, in heavily regulated industries, compliance. What is common is that boards are now asking questions of their risk profile and ability to withstand and recover from cyber attacks.
Marilyn Cohodas (User Rank: Strategist)
5/21/2014 | 2:50:43 PM
Who talks to the BoD about InfoSec
Steve, I'm curious about whether it's typical for a CISO to speak to the board of directors about InfoSec or whether it's the CIO that has that responsibility. What's your take on the division of labor/responsibility in communicating with the board about security matters?
stevedurbin (User Rank: Author)
5/20/2014 | 3:04:35 AM
Re: "How" to talk to the Board !!
Hi, I'd be happy to pick up on the specifics - the how to - if that would be of interest to readers and @DarkReading of course, in a follow up blog piece.
felixonline (User Rank: Apprentice)
5/19/2014 | 11:41:17 PM
"How" to talk to the Board !!
Hi, Understand the value proposition associated with engaging the Board on infosec matters, but there is very little coverage for and material on the "How"? For example, strategy, planning the delivery of messages (e.g. timing, extent of messaging, level of technical detail etc.), pre-requisites (e.g. CEO/CFO pre-engaged) etc. Are you planning a follow-up to this article?