Security and the Board
Not long ago I was asked to attend a quarterly Board meeting of one of my healthcare clients and to present the recommendations of a Strategic Security Roadmap (SSR) exercise that my team and I had conducted for the organization. The meeting commenced sharply at 6am one weekday morning and I was allocated the last ten minutes to explain our recommendations and proposed structure for a revised Cybersecurity Management Program (CMP).
The client Director of Security and I waited patiently outside the Board Room while other board business was conducted inside. As is the case with many organizations, information security was not really taken seriously there, and the security team reported into IT way down the food chain, with no direct representation in the C Suite. The organization’s CMP had evolved over the years from anti-virus, patching and firewall management into other domains of the ISO27002 framework but was not complete or taken very seriously by those at the top. Attempts at building out a holistic security program over the years had met with funding and staff resource constraints and Directors of Security had come and gone with nothing really changing.
The Security Director was enthusiastic, young, and bright. He had memorized the magic quadrant leaders for each and every security tool he felt would round out security across the organization. His approach to security was a shopping list of “shiny objects”, each of which was a best-of-breed point solution. There was no strategy for integrating them and little understanding of the costs and effort that would be involved. Proposed solutions were only loosely tied back to business objectives and drivers.
Right on time, an Executive Admin opened the double doors to the boardroom and we were ushered in, with printed color copies of the Executive Brief I had prepared sitting uppermost on a stack of papers in front of each member. Like many healthcare boards, the membership was a mix of active physicians dressed in their whites and greens ready for their day shift, the CEO and his Executive team, and a collection of what looked to be retired Generals and corporate chieftains from various industries, including one notable banker.
The CIO introduced me and I spent the next eight minutes walking the Board through the recommendations of our report, leaving two minutes on the clock for questions. The Executive Team and most of the younger physicians nodded in agreement and understanding with each recommendation I made. Some of the older members required further clarification and a deeper explanation of the risk management context, which formed the basis of the suggested revisions.
All was going well, and it looked at this point as though funding would be approved for an updated security program. Then one of the older physicians asked a question about a particular security application. The Director of Security, who hadn’t said anything thus far, saw his opportunity to jump in and be heard. Unfortunately, the language the director used was highly technical and the physician looked on with a blank stare.
It was at this point that I realized why all previous attempts to build out a robust holistic information security management program had met with failure. Security and the Board spoke totally different languages. It became clear that a formal Cybersecurity Management Program written in language that both sides could understand, and that addressed underlying business objectives rather than focused on the shiniest and newest security products and services, would be absolutely critical to this customer if it was to secure its business.
Fortunately, in this case the CMP was approved, but the communication issues between security professionals and boards of directors are widespread – especially in organizations afflicted with low levels of security maturity. There is a difference in language and often a generational gap that hampers understanding on both sides. Each views cybersecurity through a completely different conceptual lens.
Security professionals all too often attempt to explain risks in language that senior executives may not fully comprehend, using alien concepts and terminology. They fail to translate and communicate cybersecurity threats in terms of business enterprise risks and potential future impacts. These communication issues are compounded by a lack of trust and a long-standing pattern of security professionals using fear, uncertainty and doubt (otherwise known as ‘FUD’) in these conversations.
Instead of muscling decision makers into procuring desired security tools with FUD, security professionals should define the probable costs of inaction, compared to the costs and benefits of action. This should include objective conversations about regulatory compliance and protecting corporate brand image, as well as the potential penalties and costs that accompany breaches.
Boards need to view cybersecurity as a critical business function and a business enabler in an increasingly inter-networked world. They need to educate themselves so they can make informed decisions on security strategy, policy and spend. Security needs representation at the senior executive level and should report regularly to the Board, so that the Board can make appropriate enterprise risk management decisions.
There is a widespread lack of quantitative risk assessment and reporting across the industry. Reporting should enable executives and their boards to view and weigh cyber risks in the form of a more familiar-looking balance sheet, rather than in a subjective report with only limited business risk context.
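As an added illustration of the two points above (costing inaction against action, and reporting it in balance-sheet form), not code from the original post: a small Python script that takes a risk scenario and a proposed control, applies the standard annualized loss expectancy arithmetic, and renders the result as a two-column statement. The ransomware scenario, control name and every dollar figure and probability are constructed assumptions, not data from the post.

```python
# Added example (not from the original post): the "cost of inaction versus cost
# of action" comparison it calls for, expressed in a balance-sheet-like table
# instead of a FUD narrative. All scenario figures are constructed assumptions.
from dataclasses import dataclass

@dataclass
class RiskScenario:
    name: str
    sle: float   # single loss expectancy: expected cost of one incident, in dollars
    aro: float   # annual rate of occurrence: expected incidents per year (may be < 1)

    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO, the standard quantitative risk figure."""
        return self.sle * self.aro

@dataclass
class Control:
    name: str
    annual_cost: float    # licences, staff and operations per year
    aro_reduction: float  # assumed fraction of incidents prevented (0..1)
    sle_reduction: float  # assumed fraction of loss avoided when an incident still occurs

def residual(scn: RiskScenario, ctl: Control) -> RiskScenario:
    """The same scenario with the control's assumed effect applied."""
    return RiskScenario(scn.name, scn.sle * (1 - ctl.sle_reduction), scn.aro * (1 - ctl.aro_reduction))

def compare(scn: RiskScenario, ctl: Control) -> dict:
    """The figures a board can weigh: inaction vs action, net benefit and return on investment."""
    before, after = scn.ale(), residual(scn, ctl).ale()
    net = (before - after) - ctl.annual_cost
    return {"cost_of_inaction": before,                 # ALE if nothing is done
            "cost_of_action": after + ctl.annual_cost,  # residual ALE plus the control's cost
            "net_annual_benefit": net,
            "rosi": net / ctl.annual_cost}              # return on security investment

def balance_sheet(scn: RiskScenario, ctl: Control) -> str:
    """Render the comparison as the two-column layout executives read every day."""
    c = compare(scn, ctl)
    rows = [("Expected annual loss, no action", c["cost_of_inaction"]),
            (f"Expected annual loss with '{ctl.name}'", c["cost_of_action"] - ctl.annual_cost),
            (f"Annual cost of '{ctl.name}'", ctl.annual_cost),
            ("Net annual benefit of acting", c["net_annual_benefit"])]
    width = max(len(r[0]) for r in rows)
    lines = [f"Scenario: {scn.name}"] + [f"{k.ljust(width)}  ${v:>12,.0f}" for k, v in rows]
    return "\n".join(lines + [f"Return on security investment: {c['rosi']:.0%}"])

# Constructed sample: a ransomware outage on clinical systems, and one mitigating control.
RANSOMWARE = RiskScenario("Ransomware outage on clinical systems", sle=2_000_000, aro=0.25)
BACKUP_AND_EDR = Control("offline backups + endpoint detection", annual_cost=150_000,
                         aro_reduction=0.6, sle_reduction=0.5)
```

Calling `balance_sheet(RANSOMWARE, BACKUP_AND_EDR)` returns the statement; the "net annual benefit" line is the sentence a board can act on, and the assumptions behind each input are what the security team should be prepared to defend.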
Above all, organizations need a formal cybersecurity management program in which security purchasing decisions can be understood from the context of addressing enterprise risks while following a previously approved cybersecurity management plan.
A newly published Cisco whitepaper lists 10 key success factors for building a successful cybersecurity management plan. These apply not only to organizations constructing their very first formal CMP, but also to those looking to update or maintain their existing program. When followed in order, these will position the organization well for success.
The introduction of a CMP affects virtually every individual or group in an organization, so it’s essential that the final cybersecurity management program address everyone’s needs.