Dark Reading is part of the Informa Tech Division of Informa PLC

Risk | Commentary
5/19/2014 12:00 PM
Steve Durbin

How To Talk About InfoSec To Your Board Of Directors

Today's cybersecurity challenges cannot be met by a compartmentalized IT strategy because every piece of the modern enterprise runs on connectivity and data.

In our global economy, the rapid evolution of technology has caused a massive shift in the information security landscape. Businesses are finding that they have more limited resources than ever before, which must be prioritized to the areas of greatest need or return. Determining those priorities is difficult in itself; the imperative is to deliver more for less, in terms of both new investment and existing resources.

These monumental challenges cannot be met by a compartmentalized IT strategy because every piece of the modern enterprise runs on connectivity and data. Information technology runs through every department; so must information security initiatives. Today's chief information security officers (CISOs) need to be proactive in promoting and supporting new business based on strong information security and sound business-based risk assessment.

As a result of these trends, it is essential for CISOs to connect with the Board of Directors and to approach technology and security initiatives with a risk vs. reward mindset. Too often, new technologies are adopted as a way of differentiating an organization from its competitors. But without a robust cost-benefit-risk analysis, organizations could end up standing out for all the wrong reasons.

Information security is the business
Managing information risk is critical for all organizations to deliver their strategies, initiatives and goals. Consequently, information risk management is relevant only if it enables the organization to achieve its objectives while also making it resilient to unexpected events. In conversation with the BoD, ask how information security can support corporate business priorities, such as acquiring and retaining customers, growing competitive advantage, and fostering innovation.

An organization's risk management activities -- whether coordinated as an enterprise-wide program or at functional levels -- must include an assessment of risks to information that could compromise success. Ask the tough questions: "If the worst happened, could we honestly tell our customers, partners, and regulators that we had done everything that was reasonably expected? Are we prepared for the future?"

Preventing negative incidents
One of the primary aims of information security is to prevent negative incidents. However, it's almost impossible for organizations to avoid such incidents completely. While many businesses are good at incident management, fewer have a mature, structured approach for analyzing what went wrong in the first place. As a result, they're incurring unnecessary costs and accepting inappropriate risks. Worse yet, they may be destined to repeat their mistakes.

Despite our best plans and efforts, not all security incidents can be prevented. Organizations of all sizes need mature incident management capabilities. Without a proper impact assessment, businesses don't know the incremental, long-term, or intangible costs of an incident -- but those costs still hit the bottom line and the brand's reputation.

Preparation is key to agility and resilience
Without knowing the cost of potential incidents, organizations will continue to misdirect resources, fix symptoms instead of causes, and even worse, not spend money where it's needed to mitigate a major incident in waiting. Lack of risk intelligence creates major weaknesses.

Most organizations have a limited appetite for investigating incidents, due to the understandable desire to get back to business as usual. It is the responsibility of the board and CISO to make sure this step is not overlooked; skipping a thorough investigation means the organization misses a golden opportunity to learn from it. Convincing the BoD of the value of impact assessments and associated follow-through is an important function of today's information security leader.

Take stock now before it's too late
Enterprises have varying degrees of control over today's ever-evolving security threats. Organizations where all stakeholders work together toward building a strong defense will be most likely to thrive under the immense pressure created by reduced resources, proliferating threats, and evolving technologies. New perils arise with the speed and unpredictability of a force of nature; businesses and consumers are vulnerable to damage. Organizations of all sizes need to take stock today to ensure they are fully prepared and engaged to deal with these ever-emerging security challenges.

Steve Durbin is Managing Director of the Information Security Forum, an independent, not-for-profit organization dedicated to investigating, clarifying and resolving key issues in information security and risk management. He is a frequent speaker on the Board's role in cybersecurity and ...
Comments
stevedurbin (User Rank: Author), 5/21/2014 | 5:39:47 PM
Re: Who talks to the BoD about InfoSec
Marilyn, great question and the answer is it depends... In many large companies now I'm seeing the CISO reporting through to the Chief Risk Officer or the Risk Committee, yet we still also see a more traditional CISO to CIO report line in some organisations; it really all depends on the view the organisation takes about security risk and, in heavily regulated industries, compliance. What is common is that boards are now asking questions of their risk profile and ability to withstand and recover from cyber attacks.
Marilyn Cohodas (User Rank: Strategist), 5/21/2014 | 2:50:43 PM
Who talks to the BoD about InfoSec
Steve, I'm curious about whether it's typical for a CISO to speak to the board of directors about InfoSec or whether it's the CIO that has that responsibility. What's your take on the division of labor/responsibility in communicating with the board about security matters?
stevedurbin (User Rank: Author), 5/20/2014 | 3:04:35 AM
Re: "How" to talk to the Board !!
Hi, I'd be happy to pick up on the specifics - the how to - if that would be of interest to readers and @DarkReading of course, in a follow-up blog piece.
felixonline (User Rank: Strategist), 5/19/2014 | 11:41:17 PM
"How" to talk to the Board !!
Hi, I understand the value proposition associated with engaging the Board on infosec matters, but there is very little coverage for and material on the "How". For example, strategy, planning the delivery of messages (e.g. timing, extent of messaging, level of technical detail etc.), prerequisites (e.g. CEO/CFO pre-engaged) etc. Are you planning a follow-up to this article?