Strategies & Tactics to Engage the Board of Directors About Cyber Security
Imperva is honored to have Craig Shumard, recognized thought leader and spokesman in the area of information protection, guest blog for us. Craig has dedicated more than two decades to protecting private, sensitive and confidential information as Chief Information Security Officer of CIGNA Corporation from May 1999 until his retirement in 2010.
This is the first in a series by Craig on addressing cyber security with senior management.
Ensuring a good security posture requires BoD support and engagement
Obtaining and maintaining an acceptable or reasonable security posture requires effective security governance; key to that structure is the involvement, support, and engagement of the Board of Directors.
The Board of Directors have significant responsibilities to understand and support their organization’s cyber security posture to ensure cyber risks are adequately mitigated. Ultimately, the Directors are responsible for the risk tolerance of an enterprise and reporting to the SEC.
Why you want BoD involvement
First, it is important for the Directors to fulfill their fiduciary responsibilities and governance duties over increasing cyber threats and risks. They need to demonstrate a standard of due care.
Just as important, involving and gaining the support of the Board aligns the organization to your security program and aligns external and internal stakeholders to your security initiatives and priorities. Advance Board support has the potential to ease internal debate on security controls or policies since BoD commitments and representations are taken seriously by the entire internal organization.
Why the BoD should be concerned
As recent cyber security incidents have demonstrated; security and privacy breaches can have significant and material financial impact to a business. Cyber threats and breaches are increasing in complexity, frequency, and magnitude. Examples of risks associated with cyber threats include:
- Compromised customer data
- Diminished brand and reputation
- Loss of investor and consumer confidence and loyalty
- Stolen sensitive intellectual property
- Compliance and regulatory sanctions
- Network or systems outages and down time
Drivers for effective security governance
There are many converging drivers that require every organizations to have an effective security governance function that includes the BoD. These drivers include:
- Growing Regulations Requirements
New and emerging laws, regulations, and guidance designed to increase cyber controls to combat increasing cyber threats from the National Association of Corporate Directors (NACD), the Security and Exchange Commission (SEC), and the numerous security requirement driven by HIPAA, FFIEC, PCI, and other important regulations.
- Increasing Cyber Threat Landscape
Threats have increased the need for high-level management and BoD governance. The impact of a cyber incident can be so significant it can materially affect an enterprise.
- Increasing Technological Cyber Risks
Virtualization, cloud computing, mobile computing, IT consumerism, social networks, data cloud storage and sharing, Internet of things (IoT) are all increasing technological cyber risks which require effective security governance oversights and new controls.
Finally, there is decreasing tolerance by customers, business partners, and regulators for not adhering to ‘generally accepted security practices’. Effective security controls must be in place and adhered to.
Characteristics of an effective security governance function
Mature security governance have the following characteristics:
- Security is authoritative at the enterprise level (i.e. remember the weakest link principle).
- Considered a cost of doing business.
- Not a discretionary budget item that must be repeatedly defended.
- Business units do not get to decide unilaterally how much security they want.
- Adequate and sustained funding and allocation of security resources.
Governance responsibilities and practices exercised by the BoD provide strategic direction, ensure that information security objectives are achieved and funded, and ensure cyber risks are managed appropriately and not overridden by business units.
Strategies and tactics to engage BoD and senior management
Board communications should occur at least once a year. You should benchmark your security posture to established security standards bodies (such as ISO, COBIT, NIST, ISF) to answer the questions of your organization security maturity stance and provide assurance that generally accepted controls are either in place or planned.
Progress should be defined on a year-to-year basis, versus a level of due care and versus companies of similar sizes/segments. (i.e. peer or industry group benchmarking).
All major risks or gaps reported or disclosed to the BoD should be submitted with action plans to resolve or, at minimum, next steps to resolve gap. Information Security risk mitigation projects should be owned by Senior Management, with issues vetted before going to the board.
When dealing with contested or escalating security risk issues to the board assume your audience does not understand information security. Your narrative should be short, a one-pager preferably–definitely no longer than 2 pages, talk in business risk terms and terminology. Be factual, issues need to be dealt with in a straightforward manner. Do not sugar coat issues nor exaggerate issues. Fear, uncertainty or doubt (FUD) should not be used. Jargon should be explained or not used. (Watch for more information from Imperva regarding a set of tools that can help with this issue.)
How to align security to business
Aligning security to the business is key to gaining BoD support. Document how information security projects and initiatives are aligned with the organization’s strategic business objectives. Your Information Security strategy should have a forward looking aspect that embeds information security into the business and IT planning process and focuses on emerging trends and technology to address evolving risks and business changes.
Show how information security contributes to the organization’s success. The role of information security in addressing market, privacy, technology and regulation risks should be documented. Illustrate how information security will enable business objectives and initiatives. Highlight how effective security policies and controls can enhance the interests of all the stakeholders (such as customers, business units, employees, auditors) in a cost effective manner. Reflect the organization’s risk appetite. Be consistent with the management and reporting of other types of risk in the organization (for example, operational, financial, or other market risk reporting).
Heads up – Why BoD support fails
Many actions can negatively impact and erode BoD support. Examples include:
- When security organizations cry ‘wolf’ or ‘sky is falling’ too often.
- When information security activities are not be risked based and expressed in business terms.
- When the information security organization fails to achieve acceptable compliance with applicable legislation and regulations.
- When an organization security posture is not measured against tangible benchmarks and generally accepted security practices.
- When security initiatives or projects are not measured versus objectives and success criterias.
- When BOD reporting and discussions lack structure or discipline.
The Board of Directors is critical to an effective cyber security governance program.
Gaining BoD support requires benchmarking your security posture, aligning information security posture to the business objectives, reporting and communicating with the BoD effectively, and last but not least, avoiding pitfalls that can derail your efforts.
For more information about cyber security strategies, please review these white papers.