Cyber risk, information security, privacy and compliance services to business thought leaders.
19 Feb 2020

Reaching for the Pinnacle of Information Security Maturity

February 19th, 2020
Adam Stone, VP, Consulting Services

Not all security leaders are alike. Though this statement is obvious to most, many folks in this industry have a difficult time articulating exactly what makes one security leader stand out from others. Does s/he exhibit technical acumen? Business savvy? Strong financial instincts? Skillful sales and marketing reflexes? Effective organizational skills? Could it be the case that security leaders maintain certain aspects of all these traits (and more)? According to a trio of researchers affiliated with the Building Security in Maturity Model (BSIMM), information security leaders tend to fall into four “tribes” with differing approaches to security management. In a whitepaper entitled “Four CISO Tribes and Where to Find Them,” authors Gary McGraw, Sammy Migues and Brian Chess assert that security leaders exhibit character traits that skilled observers can both identify and measure. In descending order from strategic to tactical, each “tribe” of security leaders carries its own strengths and weaknesses. Ultimately, the authors suggest that the security leaders who can appreciate and learn from the differences between the tribes are those best situated to creatively lead organizations into the next iteration of information security management. Secure Digital Solutions (SDS) agrees with this conclusion. We observe that, in general, these tribes describe individuals with increasing levels of information security process maturity, where Tribe 4 is the least mature and Tribe 1 the most (see image below).

Using tribes as the organizational foundation of their study, the authors interviewed over two dozen Chief Information Security Officers (CISOs) working for large corporations. During the interviews, the researchers used a set of three security “domains” with eighteen “discriminators,” or approaches to addressing information security topics. For each discriminator, the researchers translated each CISO’s survey responses into statements that best approximate his/her management philosophy. Using this approach, CISOs can identify their tribe and use this information to determine what steps are necessary to elevate oneself to the next level (for instance, transitioning from Tribe Four to Tribe Three, and so on).

The researchers’ method to establish “tribal membership” among CISOs is similar to the method SDS developed for the TrustMAPP® Performance Management System. Instead of narrowly assessing the qualities and character traits of the security leader separately from the function, TrustMAPP enables organizations to use process maturity as the baseline metric describing the effectiveness of the entire information security function (which includes people, processes and technology). The goal of both methods is the same: use quantitative and qualitative data to identify current state, while leveraging this knowledge by taking steps to reach the next level. In place of “discriminators” however, the TrustMAPP System evaluates process maturity across six maturity “attributes,” as illustrated below.

Prior to conducting a TrustMAPP assessment, information security leaders set a maturity goal for their organization, typically on a scale of 1-5 (see maturity levels defined below). After completing a TrustMAPP assessment, an organization can quickly identify which business processes fall short of the maturity goal. Using this data, information security managers can communicate a meaningful message to executives and develop plans to improve. After nearly five years of capturing data from the TrustMAPP system, we observe that security leaders and their functional area transition slowly and methodically from one level of process maturity to another, in a manner not unlike the different tribes defined by the authors of “Four CISO Tribes and Where to Find Them.” In other words, security leaders (like business processes) fall along a continuum of maturity – where one learns from and builds off the previous level.

How can you leverage the power of understanding your tribal membership and information security program maturity relative to your maturity goals? The TrustMAPP Platform makes the process simple and efficient. Information security leaders can use the ideas advanced by McGraw and team in combination with one or more industry-accepted frameworks to build an assessment that captures both dimensions. We designed TrustMAPP to make the assessment process nearly painless. In four steps, you will benefit from TrustMAPP’s reporting metrics to plan for process improvements.

If you are interested in elevating your professional maturity and improving your organization’s information security program, contact Secure Digital Solutions today at 952-544-0234 from 9am-5pm Central Time, or email us at

15 Jun 2018

Processes Are for Managers

A Holistic Approach to Information Security

(originally posted November 2015 – revised June 2018)
By Chad Boeckmann (CEO, Secure Digital Solutions)

In my previous blog, “Controls are for Auditors” I wrote about how we as security leaders need to move away from managing security controls in the weeds like an auditor. This article describes a “processes are for managers” approach. It aims to align security management with the business in order to communicate and manage information security effectively.

CISOs are tasked to achieve challenging outcomes and also need to communicate the state of their progress, and the state of information security program-related risks, to other executives and the board of directors. Our team partners with CISOs from Fortune 500 companies and many mid-market businesses. They are all challenged with the same dilemma: presenting effectively to an audience that does not necessarily understand the complexities of information security.

To address this challenge, consider looking at the information security program as a business process. Frameworks and legal or industry data protection requirements often overlap, and these requirements can be combined to establish a core process as a requirement of the security program. For example, ISO 27002, the HIPAA Security Rule and GLBA all require Access Control. If we look at access control for a moment:


Let’s say we want to measure the process referenced above. Access Control is a requirement of many data protection laws and is also highlighted in both ISO 27001 and the NIST Cybersecurity Framework. Instead of managing control verbiage from a regulation or framework, we can measure the effectiveness of Access Control Management generally from a process perspective, but do so specifically using maturity attributes. Looking at Access Control Management, we want to understand the level of performance (maturity) of this process across the six major attributes using a standard maturity scale of 1 through 5.

  1. What is our level of maturity of Awareness for Access Control Management across our environment?
  2. What is our level of maturity for Policy & Procedures for Access Control Management across our environment?
  3. What is our level of maturity of Expertise for Access Control Management across our environment?
  4. What is our level of maturity of Accountability for Access Control Management across our environment?
  5. What is our level of maturity of Automation for Access Control Management across our environment?
  6. What is our level of maturity of Measurability for Access Control Management across our environment?

If the business is performing well in Awareness, Policy and Procedure, and Accountability (relative to the process in question), then we understand clearly where our resources and investment should be applied. In this example, improvement can be applied to Automation (tools) and Metrics for Access Control Management. This approach provides a much more holistic method to repeatedly understand the attributes of a control process that applies to internal policies and external regulations. Then, taking core business objectives, such as improving customer retention, and associating a core process like “access management” to that objective, one can correlate how information security is supporting key business outcomes.
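The attribute-level scoring described above, and the goal-based gap analysis described in the “Reaching for the Pinnacle” post (set a maturity goal, then find the processes and attributes that fall short of it), can be expressed as a small scoring routine. The following is an added example written for this page; it is not TrustMAPP code or any SDS methodology artifact, and the two processes, their scores and the goal of 3 are constructed sample data. Its point is the one the article makes: a process whose average meets the goal can still have individual attributes (here Automation and Measurability) that are the right place to invest.

```python
from statistics import mean
from typing import Dict, List, Tuple

# The six maturity attributes the article scores each process against,
# each on the 1 (lowest) to 5 (highest) scale the article uses.
ATTRIBUTES = (
    "Awareness",
    "Policy & Procedures",
    "Expertise",
    "Accountability",
    "Automation",
    "Measurability",
)
MIN_SCORE, MAX_SCORE = 1, 5

Scores = Dict[str, int]  # attribute name -> maturity score


def validate_scores(scores: Scores) -> None:
    """Reject an assessment that skips an attribute or uses an off-scale score."""
    missing = [a for a in ATTRIBUTES if a not in scores]
    if missing:
        raise ValueError(f"missing attribute scores: {missing}")
    unknown = [a for a in scores if a not in ATTRIBUTES]
    if unknown:
        raise ValueError(f"unknown attributes: {unknown}")
    for attr, score in scores.items():
        if not isinstance(score, int) or not MIN_SCORE <= score <= MAX_SCORE:
            raise ValueError(f"{attr}: {score!r} is not an integer in {MIN_SCORE}..{MAX_SCORE}")


def process_average(scores: Scores) -> float:
    """Overall maturity of one process: the mean of its six attribute scores, to 2 dp."""
    validate_scores(scores)
    return round(mean(scores[a] for a in ATTRIBUTES), 2)


def attribute_gaps(scores: Scores, goal: float) -> Dict[str, float]:
    """Attributes scoring below the goal, mapped to how many levels short they fall."""
    validate_scores(scores)
    return {a: round(goal - scores[a], 2) for a in ATTRIBUTES if scores[a] < goal}


def investment_priorities(assessment: Dict[str, Scores], goal: float) -> List[Tuple[str, str, float]]:
    """Rank (process, attribute, shortfall) across all processes, largest shortfall first.

    Ties are broken by process name and then by the attribute order above,
    so the ranking is deterministic.
    """
    rows = [
        (proc, attr, gap)
        for proc, scores in assessment.items()
        for attr, gap in attribute_gaps(scores, goal).items()
    ]
    rows.sort(key=lambda r: (-r[2], r[0], ATTRIBUTES.index(r[1])))
    return rows


# Constructed sample assessment (hypothetical, not client data): two processes
# scored 1-5 on each attribute, with a maturity goal of 3 set before assessing.
SAMPLE_ASSESSMENT: Dict[str, Scores] = {
    "Access Control Management": {
        "Awareness": 4, "Policy & Procedures": 4, "Expertise": 3,
        "Accountability": 4, "Automation": 2, "Measurability": 2,
    },
    "Incident Response": {
        "Awareness": 3, "Policy & Procedures": 2, "Expertise": 3,
        "Accountability": 2, "Automation": 3, "Measurability": 1,
    },
}
MATURITY_GOAL = 3


if __name__ == "__main__":
    for proc, scores in SAMPLE_ASSESSMENT.items():
        avg = process_average(scores)
        status = "meets" if avg >= MATURITY_GOAL else "below"
        print(f"{proc}: average {avg} ({status} goal {MATURITY_GOAL}); "
              f"gaps {attribute_gaps(scores, MATURITY_GOAL)}")
    print("Investment priorities (largest shortfall first):")
    for proc, attr, gap in investment_priorities(SAMPLE_ASSESSMENT, MATURITY_GOAL):
        print(f"  {proc} / {attr}: {gap} level(s) short of goal")
```

Run as a script it prints Access Control Management at an average of 3.17, which meets the goal of 3, yet still lists Automation and Measurability as one level short; that is the case the article describes, where the average hides where the investment belongs. Scores are validated on every call so that a partial assessment cannot silently produce a misleading average.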

The approach described here is proven to establish alignment with business leadership, while still meeting control objectives and focusing resources on the areas of greatest impact. Let your internal and external auditors measure the effectiveness of the controls in place; you will know the answer before the audit starts by measuring and improving upon the attributes of each process. Therefore we can leave controls to auditors and adopt a “processes for managers” approach to manage security programs and related risks. To see this methodology in action, take a look at a 2-minute video demonstrating TrustMAPP, a platform we developed to holistically manage information security.

22 May 2018

GDPR Deadline Looming

Does the GDPR "due date" remind us of Y2K? What will really happen on May 25th? No one really knows for sure the answer to this question but likely there will be a lot of work to continue to do in the months (and perhaps years) to follow May 25th, 2018.

Just for fun here is a timer you can refer to for the GDPR deadline.

GDPR Top Ten Disciplines for EU Data

#1 Data Portability
#2 Accountability Principle
#3 Extraterritorial applicability of the GDPR
#4 Maintaining records of processing activities
#5 New Data Subject Rights
#6 Privacy by Design and by default
#7 Data Protection Authority enforcement methods
#8 Pseudonymization and its use in profiling
#9 Security and breach notification
#10 One stop shop

Stop Panicking and Start Your GDPR Readiness Journey Today

The time to act is now. Firms of all sizes must determine how GDPR will impact their business and act accordingly. For business executives who do not have the time or expertise needed to meet GDPR’s stringent requirements, our seasoned consultants will help you identify GDPR readiness gaps and define common-sense strategies for meeting compliance obligations. We leverage the in-the-trenches experience of past compliance initiatives to provide maximum value for today’s clients. Start your GDPR-focused compliance journey today with an affordable Readiness Assessment. Contact us at 952-544-0234 or visit our privacy services page for more information.

11 Apr 2017

Quest for Excellence in Cybersecurity Management

April 10th, 2017
Adam Stone, Principal, Secure Digital Solutions

Baldrige’s recently-published framework raises the bar for information security leaders by tying cybersecurity program management to performance excellence.

The Baldrige Performance Excellence Program, the venerable organization behind the national award for Performance Excellence® and quality for U.S. firms, released the final version of the Baldrige Cybersecurity Excellence Builder v1.0 (BCEB) self-assessment tool following their annual summit last week in Baltimore. Initiated in response to Executive Order 13636, the BCEB blends two NIST products (the Cybersecurity Framework and the Baldrige Excellence Framework) into a single assessment methodology. The goal of the BCEB is to help security leaders assess the effectiveness of their approach to cybersecurity, as determined by the unique needs, goals, and capabilities of their firm. Organized by seven categories (leadership, strategy, customers, measurement, workforce, operations, and results), the BCEB uses process maturity as the key metric for communicating the strengths and weaknesses of an organization’s cybersecurity program.

Process Maturity: The New Standard for Cybersecurity Performance Excellence

The maturity-focused cybersecurity management approach is a paradigm shift that threatens the deeply-entrenched risk- and compliance-focused assessments familiar to most in the industry. We have observed disagreement among security professionals about what the word maturity actually represents. Some use the word to describe the effectiveness of security controls, while others use maturity to understand their firms’ ability to minimize cyber risk. Authoritative bodies, such as the Federal Financial Institutions Examination Council (FFIEC), appear to be adding to the confusion by blending the notion of process maturity with risk preparedness in the Cybersecurity Assessment Tool. In the end, however, the FFIEC approach, along with similar assessment tools, still focuses on more traditional controls-based risk management instead of performance excellence and quality.

What is often missed in traditional risk and compliance assessments is a clear understanding of the value that cybersecurity provides to the business. When security leaders communicate in the language of compliance or risk (two inherently negative topics), they miss the opportunity to demonstrate to executives the ways in which mature cybersecurity processes can help enable business growth and sustainability. An emphasis on business enablement – expressed as a function of performance excellence and quality – is what sets the BCEB apart from the traditional cybersecurity assessment tools.

Cybersecurity risk traditionalists will be pleased to know that we do not suggest that process maturity metrics replace established risk formulations. Quite the opposite! Security leaders need to understand risk in order to set clear goals and effectively respond to the ever-changing threat landscape for their firms. When communicating the value of cybersecurity to executives, however, security leaders will likely find that the BCEB tool kit provides a better picture of the organization’s capacity to identify opportunities and leverage the benefits of effective cybersecurity management.

For Secure Digital Solutions (SDS), the emergence of the Baldrige Cybersecurity Excellence Builder validates the power of the cybersecurity assessment methodology embedded in our TrustMAPP® platform. Both the BCEB and TrustMAPP use process maturity to express the degree to which an organization achieves consistent quality and performance excellence. With clear alignment to the firm’s mission, values and objectives, TrustMAPP helps security leaders bridge the gap between security operations (risk focused) and process maturity (business focused).

To learn more on how cloud-based TrustMAPP® can help you maximize the benefits of the Baldrige Cybersecurity Excellence Builder, ask for your free trial today.

TrustMAPP® is a registered trademark of Secure Digital Solutions, LLC. All rights reserved.

BALDRIGE EXCELLENCE FRAMEWORK™ is a trademark, and BALDRIGE PERFORMANCE EXCELLENCE PROGRAM and Design®, MALCOLM BALDRIGE NATIONAL QUALITY AWARD®, and PERFORMANCE EXCELLENCE® are federally registered trademarks, of the U.S. Department of Commerce, National Institute of Standards and Technology.

20 Mar 2017

Cyber Risk is a Key Focus for Corporate Boards

March 20th, 2017
By Adam Stone, Principal

For organizations across industry sectors, digital commerce is the dominant vehicle to transact business and improve efficiency. Groundbreaking innovations in computing potential accelerate the speed of change for business, and the risks that naturally follow. One risk that is often highlighted, and that has become a key focus for corporate boards, is cyber risk. According to the Institute of Risk Management, cyber risk is defined as “any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.”

Board members of the digital economy need the knowledge to ask the right questions of corporate executives. Without a reasonable degree of technical fluency, board members lack important tools to ensure a professional standard of care for the organizations they serve. Board members face a business imperative: adapt, today, to the disruptive changes of digital commerce by adopting a new dialect based in cyber risk.

Recently, the National Association of Corporate Directors (NACD) published the 2017 Cyber Risk Oversight Handbook. The message of the Handbook is clear: to assert meaningful oversight in the digital economy, board members must treat cyber-risk as an issue of strategic import and operational significance for the organization. Cyber-risk ought not be written off as an “IT issue,” since this sort of thinking creates a hazardous blind spot for professionals charged with corporate governance responsibilities. To prepare board members for discussions about cyber risk, NACD recommends the following:

  • Understand the legal ramifications for the company, as well as the board itself.
  • Ensure directors have sufficient agenda time and access to expert information in order to have well-informed discussions with management.
  • Integrate cyber risk discussions with those about the company’s overall tolerance for risk.

These recommendations emphasize the need for proactive (rather than reactive) identification and analysis of cyber risks, as well as clear direction on cyber-risk management strategies. Importantly, the board’s treatment of cyber-risk ought to reflect the firm’s culture and capacity for change.

In support of an effective cyber risk strategy for the board, the Handbook outlines five cyber risk oversight principles fundamental to an effective risk management program.

Information security leaders play a crucial role in cyber risk governance. Board members depend on current, meaningful data to support the effectiveness of the firm’s information security controls and processes. For over a decade, Secure Digital Solutions (SDS) has provided solutions to elevate the language of information security by focusing on process maturity mapped to risk categories. Our award-winning TrustMAPP® platform leverages the powerful MAPP™ (Maturity Assessment, Profile, and Plan) methodology to quickly identify, measure and understand the performance of the business processes that support a security program and inform risk decisions.

Using process maturity as the key performance indicator for program effectiveness, TrustMAPP provides security leaders with readily available tools to effectively communicate the business value of cybersecurity and cyber risk. Executives and board members reap the benefits of TrustMAPP analytics via improved clarity in the organization’s information security posture and its impact on cyber risk strategies.

Want to learn more? Visit for information about TrustMAPP®, powered by the MAPP™ methodology.

16 Feb 2017

Investors’ Top Five Cyber Security Questions

February 16th, 2017

In the wake of numerous high profile cyber attacks against global businesses, including Sony, Target, and eBay, investors and boards alike are realizing that data breaches are an ever-present threat. Investors expect that company boards will assume a leadership role in addressing risks and controlling damage from these cyber incidents. Information security leaders should also understand what boards and investors expect from them in translating the business value of security. An article from the Council of Institutional Investors called “Prioritizing Cybersecurity” explores the top five cyber security questions investors are asking company boards, and how the board can effectively respond.



  1. How are the company’s cyber risks communicated to the board, by whom, and with what frequency?

With this question, investors want to learn how well informed the directors are regarding the company’s cyber risk profile. Investors are best reassured when the board is updated frequently about information security risks.

  2. Has the board evaluated and approved the company’s cybersecurity strategy?

Investors expect the board to have a full understanding of the company’s strategy for minimizing the financial and material impact of a cyber incident. A good strategy includes protecting the most critical data and assets from operational, financial, reputational, and legal harm. It should include preventative, detective, and corrective measures. The board must also be familiar with management’s incident response procedures, including simulation drills and a strong communications plan.

  3. How does the board ensure that the company is organized appropriately to address cybersecurity risks? Does management have the skill sets it needs?

Cyber security often requires a multi-disciplinary approach across multiple management levels. Board members are responsible for reviewing the backgrounds and qualifications of everyone accountable for cybersecurity. Investors look for an organizational structure with clearly delineated responsibilities and sufficient management oversight.

  4. How does the board evaluate the effectiveness of the company’s cybersecurity efforts?

The board has the authority to establish standard performance metrics based on the company’s size, industry, and risk profile. An additional benchmark is to compare performance to that of similar companies. Investors want to know how the company’s security efforts perform according to the company’s own metrics, as well as how they compare to other companies.

  5. When did the board last discuss whether the company’s disclosure of cyber risk and cyber incidents is consistent with SEC guidance?

Investors want the board to fairly and accurately report on the company’s cyber risk profile and security performance. The SEC asks that companies disclose cyber incidents, but provides few guidelines regarding when such a disclosure is required. The board can proactively communicate the process used to assess damage from cyber incidents on the company’s data and assets. Transparency about this process reassures investors of the company’s cyber health.

Boards and investors can develop a more productive partnership through better communication. Board members should seek to understand the investors’ concerns, and the investors should make equal effort to understand the board’s decisions and actions.

Secure Digital Solutions offers TrustMAPP®, a platform that facilitates this type of communication and information sharing with boards by information security leaders. Contact our team to learn more about the TrustMAPP® solution.

21 Dec 2016

Five Popular Initiatives of Cyber Security Leaders in 2017

With the new year approaching, now is a great time to celebrate the successes (and failures) of information security leaders and reflect on the challenges these leaders face in 2017. With this, we’ve condensed the list to five popular initiatives of cyber security leaders in 2017. After experiencing massive ransomware attacks, large-scale data breaches and other adverse cybersecurity events of 2016, we anticipate another demanding year.

Recently, we asked security executives how they plan to address cybersecurity in 2017. What lessons did they take from the past year? What do they anticipate are the issues needing the most attention in 2017? Additionally, we collaborated with Fortium Partners to gain the perspective of the CIO office.

What we learned from these conversations is a summary of similar initiatives highlighted in 2016 with the addition of a few new priorities.

  1. Third-party security risk grows as we continue to outsource critical functions and migrate systems to the cloud.
    • Assessing third-party risk became a top priority after high-profile data breaches in 2013-2014. Third-party risk management initiatives finally made the project list across many security teams and C-suite leaders in 2015 and 2016 and will continue to improve with additional automation, scope expansion and improved metrics in 2017. Third-party risk management will become a core function of security and compliance operations and move off of the special projects list in 2017.
  2. Influencing employee behavior and company culture around cyber security is challenging without top-level support and remains a top priority.
    • Security awareness training is still a critical component to maintaining policy compliance and information security best practices. Security leaders will continue to sharpen and hone the messages and content to end users throughout 2017, because security is everyone’s role, not just the security team’s. This is a theme the security industry has been focused on for several years. Although the topic is not new, take this as a reminder that user security awareness training is still as important as ever. In our experience, many successful attacks involve human error. Training is one key mechanism to reduce these errors to an acceptable level of risk.
  3. Threat actors continue to adapt their tactics faster than we can build or adapt our defenses.
    • Hardening the perimeter is an old concept and nearly inapplicable in today’s connected landscape. Thus, security leadership is taking the position that all connected devices are untrusted until otherwise vetted. This approach is also driving improvements in third-party risk management where connectivity is often involved between two organizations. There are some promising new solutions in the marketplace that can perform real-time detection and stop questionable network traffic at the door. As the industry continues to improve upon attack prevention, we will see the sophistication of attacks evolve. The industry will always be in an arms race to build a better mousetrap as the attackers devise methods to subvert the traps over time. In a nutshell, the leadership to whom we speak and our own observations do not see this initiative slowing down, or moving off the top five list in the near term.
  4. Resources remain slim and do not line up with the demand for effective controls.
    • The demand for skilled talent in cyber security has never been greater. We’ve spoken to a couple of solution providers who have a unique take on this by developing training programs that within 1-2 years can develop individuals into effective cyber security analysts. Accelerated training programs, coupled with trusted third party partnerships, provide the best near term solution to meet the demands of today’s security needs. Companies are growing tired of bidding for talent and instead look to partners to augment specific functions of their security operations, governance and compliance efforts.
  5. Information security remains an afterthought which, in turn, feeds the perception that security is a barrier to innovation and speed to market.
    • Reducing release cycle times and speed to market will continue to be top of mind for many CIOs and their business partners. Pressure will continue to build to skip past anything that could slow that process. However, the consequences of failing to catch vulnerabilities are clear, such as: incurring regulatory fines, reputation damage, customer data theft, and the list goes on. Over the next few years there will be emphasis on building security into the software development life cycle (SDLC). The good news is that automated testing and source code analysis tools will continue to mature, enabling incorporation into an organization’s SDLC.

It’s clear that security executives have their work cut out for them. How will they accomplish their objectives? We believe that the answer is simple: better communication. Too often, we observe information security leaders speak a language foreign to executives, board members and peers. The result is predictable. Security leaders experience perception issues connected to a lack of credibility among those in the C-suite. Without the trust and confidence of company executives, information security leaders find themselves swimming upstream with a flimsy paddle.

Make 2017 the year that you build credibility for your program. Speaking the language of business and developing a business story around cyber security program priorities and successes is critically important to maintaining credibility. Collaborate closely with the CIO and internal audit/risk management functions to educate management and gain support for critical initiatives. Express your ideas, recommendations, and proposals in ways that engage and energize executives and board members. Use business-focused metrics to tell a compelling story. Focus on process over controls.

Secure Digital Solutions wishes our customers and all business leaders a successful and productive 2017. May you earn the credibility needed to advance your business objectives for the new year!

Contact our team to learn about methods to communicate with executives and the board of directors using our MAPP™ (Maturity Assessment, Profile and Plan) methodology enabled by the cloud-based TrustMAPP® platform.

16 May 2016

How much information security is enough?

By Chad Boeckmann & Adam Stone
May 16th, 2016

Let’s talk about benchmarking. It’s a question our team receives from clients both large and small. When discussing our information security-focused MAPP methodology and our TrustMAPP (formerly, Accliviti) platform, our clients (and their board members) want to know how they stack up, maturity-wise, to their peers. The common belief among this audience is that benchmarking data will help answer the question “how much information security is enough?”

This approach makes sense at a certain level; knowing how mature your organization’s security program is relative to your peers seems, on its face, to suggest that you are meeting (or not meeting) the standard defined by your industry. Like many statistics, however, context plays an important role in deciphering benchmarking data. And it probably wouldn’t surprise the reader that without the benefit of context, the value of benchmark data diminishes. This is especially true for a topic such as information security program maturity.

How much information security is enough? When do we find confidence that the organization has invested the right amount of time and resources to reasonably safeguard our information assets? Fair questions. Based on our experience over the last ten years, knowing your maturity benchmark provides an incomplete answer. The reason is simple: each organization is different. The diversity of organizational cultures and risk appetites within a given industry – even in highly-regulated sectors – virtually guarantees that the results of a maturity assessment will yield an interpretation unique to the organization under review.

Looking at this from a practical view, consider Bank A and Bank B (organization size doesn’t matter in this case). Let’s say that Bank A conducted an assessment that yielded an average information security program maturity score of 3 (out of a scale of 1 Low – 5 High). Bank B underwent a similar assessment that returned a score of 3.75. Benchmarking one against the other, it appears that Bank B is more mature than Bank A. Does this mean that Bank A needs to invest into security more to catch up to Bank B?

Not necessarily. Though these two scores provide some information about the effectiveness of each organization’s information security program, the scores provide little insight into the culture and capacity that drives process maturity. This leads us to the core question: does knowing the maturity of your peers provide meaningful, actionable information that a security leader can leverage? Our answer is a resounding “maybe.”

We recommend that companies look inward versus outward. Instead of focusing on the comparison of your security maturity to your peers, consider a more introspective approach. What are your company’s security program maturity goals? What drives these goals? How does your organization’s culture impact your ability to achieve these goals? What does it mean to score a maturity level of 3 versus 4 or 2?

Since many organizations have yet to conduct an information security program maturity assessment, we suggest that you use the results of your first assessment to set a baseline for your organization. Communicate the baseline to your executives and board members. Ask this audience to draw a line in the sand based on, of course, an understanding of organizational culture and capacity. Work to improve information security program maturity based on the goals defined by these key stakeholders. In doing so, security leaders will find that, despite constantly shifting business priorities, focusing on your own maturity goals will produce far greater dividends than worrying about your peers’ security maturity.

To learn more about information security program maturity, you can request a copy of our popular white paper on MAPP (Maturity Assessment, Profile and Plan).


05 Apr 2016

Bringing Focus and Clarity to The Issue of Cyber Risks

By Christophe Veltsos, PhD
April 5th, 2016

Board directors and top leadership are under pressure to get a handle on cybersecurity risks. While the “security problem” isn’t new, it has ballooned into a top agenda item for most organizations today. On a positive note, it means that boards, management, and senior security staff are having conversations around cybersecurity risks, and how to align those with the needs of the business. However, the ongoing list of data breaches making headlines almost every day implies that those conversations are not being as fruitful as they need to be.

Establish security objectives, policies and roles.

A large gap exists between what those in the cybersecurity trenches know and what management and the board are told about those activities and projects. In today’s environment, it is no longer acceptable for a Chief Information Officer (CIO) or Chief Information Security Officer (CISO) to simply give us their “word” that security is under control. Boards and management are asking more probing questions, and it’s about time. In response, CIOs and CISOs need to better explain how money and resources are being spent. In making the case for their budgets and proposed risk mitigation activities, however, CIOs and CISOs need to steer clear of techno-babble or risk losing their executives’ and board’s attention and support.

To assist management and board directors, a Spencer Stuart article entitled Cybersecurity: The Board’s Role defined key questions for how board directors can assess their organization’s current handling of cybersecurity risks:

  1. Does management have “a clear and consistent understanding of cybersecurity relative to the business?”
  2. Does management understand its responsibility in this domain, and particularly whether management has “an adequate system of controls in place?”
  3. Is the cybersecurity budget appropriately funded?

The problem that boards and management face is understanding a topic that is fairly foreign to them, yet about which they are supposed to make decisions to ensure the continued cyber health of their organization. In the past, security leaders could ask for and receive sizeable security budgets without being able to show the impact of this funding on the organization’s ability to handle risks. In today’s environment, management and the board are eager to show that they are not ignoring their responsibilities to customers, shareholders, and even government watchdog agencies, but also to show that they understand a right-sized approach and budget to protect the business from risks.

How can management communicate to the board that it has “a clear and consistent understanding of cybersecurity relative to the business?” How can management demonstrate that it has “an adequate system of controls in place” and that the cybersecurity budget is adequately funded?

In a report entitled Cyber Risk ‐ Getting the Boardroom Focus Right, Deloitte outlined a key attribute of organizations deemed to be at the highest level of cybersecurity risk governance: that “cyber risk management and reporting become ‘business as usual.’”

How can we have engaging, challenging conversations about the organization’s cybersecurity activities? How can we make sure the topic of cybersecurity becomes part of “business as usual” for management and the board?

We shift the conversation away from individual cyber-related projects (such as perimeter defenses or antivirus) and towards an approach that is understandable, logical, repeatable, reliable, and robust. This approach exists – it’s called MAPP: Maturity Assessment, Profile, and Plan. We first group similar security controls and activities into processes, or a high-level business view of a group of related security activities (such as user access control or governance). From this perspective, an organization looks at the maturity of its security processes, and then tracks, reports, and has engaging conversations on its handling of security risks. Security management can show the C-suite that it’s doing the right things the right way. The C-suite can be on the same page, without having to go to cyber school.

For board directors and top leadership, there is no escaping from their responsibilities to tackle cybersecurity risks. What is needed is an approach that will bring focus and clarity to the discussions about cybersecurity to ensure that the right decisions are made. The organization’s future depends on it.

Don’t delay, download and read our MAPP approach today.

04 Feb 2015

Engaging the Board on Security & Privacy

A Moment of Opportunity for Security and Privacy Leaders

By Adam Stone, Privacy Practice Lead, SDS

Following numerous major security breaches in the news in 2014, corporate boards of directors are increasingly interested in understanding information security and what it means to their business. As a data security leader, use this opportunity for engaging your board of directors on information security by honing your message in a way that resonates with the board.

Given the fever pitch of breach reporting in 2014 (culminating with the recent Sony hack), data security has finally found its way into board meeting agendas for organizations across the spectrum. This is a business moment that many have been waiting for. Ask any battle-weary data security leader who’s struggled to gain corporate credibility and visibility and they will utter an exasperated “It’s about time!”

How does a data security leader leverage the board’s newfound interest in data protection and keep members engaged for the long run?

First, a bit of introspection. Data security continues to grapple with how the organization perceives where it fits in the corporate hierarchy (and this perception is often at odds with how data security leaders believe it should be). Traditionally, the Board has perceived data security as an IT issue relegated to a cost-of-doing-business versus a contributor to strategic, sustainable growth and long-term shareholder/stakeholder value. As a result, data security topics are often bundled with operational IT matters and filtered up to the board via established proxies, such as inside of audit or the chief information officer (CIO).

For years, thought leaders[i] have promoted data security as a business issue worthy of its own pulpit. Until recently though, evidence to back the truth of this claim was missing or mixed. With the Sony event, we can reflect on what happens when the board is not adequately exposed to data security topics. Sony is not alone; recent surveys suggest that a majority of corporate boards are minimally involved in cybersecurity preparedness[ii] and remain largely unprepared to deal with a security breach[iii] despite board members’ increasing interest in addressing this subject[iv].

This failure to engage the board of directors on information security is, in part, a branding problem with several causes; among these is the wonky, technocratic way practitioners try to communicate the benefits of safeguarding data and reasonable solutions for making this happen. Let’s face it: data security is not a particularly sexy topic for most.

Security industry leaders risk making an already poorly-understood subject less engaging by not clearly, consistently and relentlessly communicating its purpose, objectives and goals in terms of money saved and/or money earned. Board members are rarely inspired to action with heavy-handed, compliance-focused messages and even fewer are motivated by technobabble.

Boards understand risk. They understand that risk (an inherent negative) is a key part of doing business (that’s why data security functions exist). Undesirable, or at least indifferent board perceptions of data security should be countered with positive “opportunity” messages focused on the long view. Board members want to know how data security investments will bolster (or repair) public confidence, and make the organization’s current and future products and services desirable and efficiently produced. Successful data security leaders ensure that their communication strategy lines up with the board’s needs.

To accomplish this task, simply communicate using a dashboard-like approach that reflects, through colors, the areas of the information security program that require the most focus. Use this simple concept to achieve buy-in, then deliver the answer to the forthcoming question “how much effort and capital will that take?” BE PREPARED! When engaging the board of directors on information security you will have just 3-5 slides and a maximum of 5-7 minutes. Create one slide that communicates the state of the union, followed by slides that describe the costs of going from “red to yellow” and “yellow to green”.

For more help and information on developing an information security dashboard presentation, you may contact our team here:

Some references worth noting for further reading on this subject:

[i] One organization assisting board members on how to address cybersecurity issues is the National Association of Corporate Directors (NACD). We recommend accessing their materials on this subject at

[ii] “Cybersecurity: What the Board of Directors Needs to Ask.” The Institute of Internal Auditors Research Foundation (IIARF). 2014. 10 January 2015.

[iii] “Cyber Incident Response: Are Business Leaders Ready?” Economist Intelligence Unit (EIU), sponsored by Arbor Networks. 2014. 13 January 2015.

[iv] “IT and Cybersecurity Oversight: PwC’s 2014 Annual Corporate Directors Survey.” PricewaterhouseCoopers, LLP. 2014. 13 January 2015.