
Investors’ Top Five Cyber Security Questions

February 16th, 2017

In the wake of numerous high profile cyber attacks against global businesses, including Sony, Target, and eBay, investors and boards alike are realizing that data breaches are an ever-present threat. Investors expect company boards to assume a leadership role in addressing risks and controlling damage from these cyber incidents. Information security leaders should also understand what boards and investors expect from them when translating the business value of security.
An article from the Council of Institutional Investors called “Prioritizing Cybersecurity” explores the top five cyber security questions investors are asking company boards, and how the board can effectively respond.


  1. How are the company’s cyber risks communicated to the board, by whom, and with what frequency?

With this question, investors want to learn how well informed the directors are regarding the company’s cyber risk profile. Investors are best reassured when the board is updated frequently about information security risks.

  2. Has the board evaluated and approved the company’s cybersecurity strategy?

Investors expect the board to have a full understanding of the company’s strategy for minimizing the financial and material impact of a cyber incident. A good strategy includes protecting the most critical data and assets from operational, financial, reputational, and legal harm. It should include preventative, detective, and corrective measures. The board must also be familiar with management’s incident response procedures, including simulation drills and a strong communications plan.

  3. How does the board ensure that the company is organized appropriately to address cybersecurity risks? Does management have the skill sets it needs?

Cyber security often requires a multi-disciplinary approach across multiple management levels. Board members are responsible for reviewing the backgrounds and qualifications of everyone accountable for cybersecurity. Investors look for an organizational structure with clearly delineated responsibilities and sufficient management oversight.

  4. How does the board evaluate the effectiveness of the company’s cybersecurity efforts?

The board has the authority to establish standard performance metrics based on the company’s size, industry, and risk profile. An additional benchmark is to compare performance to that of similar companies. Investors want to know how the company’s security efforts perform according to the company’s own metrics, as well as how they compare to other companies.

  5. When did the board last discuss whether the company’s disclosure of cyber risk and cyber incidents is consistent with SEC guidance?

Investors want the board to fairly and accurately report on the company’s cyber risk profile and security performance. The SEC asks that companies disclose cyber incidents, but provides few guidelines regarding when such a disclosure is required. The board can proactively communicate the process used to assess damage from cyber incidents on the company’s data and assets. Transparency about this process reassures investors of the company’s cyber health.

Boards and investors can develop a more productive partnership through better communication. Board members should seek to understand the investors’ concerns, and the investors should make equal effort to understand the board’s decisions and actions.

Secure Digital Solutions offers TrustMAPP®, a platform that facilitates this type of communication and information sharing between information security leaders and boards. Contact our team to learn more about the TrustMAPP® solution.

How Measuring Process Maturity Exceeds a Binary Compliance Approach

August 17th, 2016
By Corey Tower, CISM, PMP

If you have ever been in charge of implementing an inaugural security program or have been asked to formally organize information security, you know that compliance requirements are at the forefront of the conversation. Yet if you have been building and managing a security program for years, you already know that a compliance-based approach is neither robust enough to handle modern threats nor comprehensive enough to manage risk across the entire business. As a measurement tool, compliance assessments are blunt instruments that focus primarily on the existence of controls. These assessments tend to yield binary results: either the organization is compliant, or it is not. Let’s explore how measuring your process maturity exceeds a binary compliance approach.

Implementing security effectively from the results of a compliance assessment is challenging, since gaps in compliance suggest the need for security investments that may be disproportionate to the problem the organization is trying to solve.

How Maturity Prioritizes Investment

Focusing on your maturity will allow you to view your program in both dark and bright light. If you are serious about the effectiveness of your security program, you must be honest about the current state. For example, if you have in-house software development and you reach the compliance requirement for securing source code, you have two choices:

  1. Compliance Approach: Check the box that says “We do it – done.”
  2. Maturity Approach: Deep dive into process-level maturity (e.g., “How do we protect source code? How well defined are the standards to protect source code? What goal have we defined for source code protection? Is the security of our source code library adequate?”). Each question is scored on a maturity scale of 0 through 5, such as the one defined by COBIT.

Once you’ve completed a maturity assessment of all the processes that make up the information security program, you can begin a more efficient plan for resource allocation and budget management. For example, perhaps 250 hours of project resource time can be shifted from your very mature patch management process to help your struggling security event management effort. A maturity-based assessment identifies the performance level of key process areas, and its output complements and enhances a risk assessment. Looking at processes through the lens of maturity adds dimension to team and security program performance and shows how to reallocate resources as maturity goals are achieved.

Automate Maturity Assessments
Secure Digital Solutions’ TrustMAPP™ platform, powered by the MAPP™ (Maturity Assessment, Profile, and Plan) methodology, offers security leaders the ability to:

  • Identify how much security is “enough” by establishing process-level performance goals
  • Measure the effectiveness of your security programs and the capacity to accomplish outcomes
  • Link information security metrics and measurement back to business value and strategy
  • Use analytics and estimated level of effort to tell a compelling story to business executives and the board

TrustMAPP reports security posture by maturity level, including trending analysis, planning, budgeting, and built-in support for multiple security frameworks and regulations. As a cloud solution, TrustMAPP enables clients to begin assessing their information security program in weeks instead of months. TrustMAPP helps security leaders create and communicate a strategic roadmap, and build the budgets and resource plans that guide their organizations’ security activities.

Breaking Down Barriers to Effective Information Security

June 9, 2016
By Mike Edlund, CISM

A recent PricewaterhouseCoopers (PwC) survey* asked 9,600 C-level leaders about obstacles to effective cybersecurity. The barriers identified in PwC’s study include:

  • Insufficient funding for capital expenditures
  • Lack of or ineffective CEO leadership
  • Absence or shortage of in-house technical expertise
  • Insufficient funding for operating expenditures
  • Lack of an effective information security strategy
  • Lack of an actionable cybersecurity vision or understanding
  • Lack of or ineffective CIO leadership
  • Poorly integrated or overly complex information/IT systems
  • Lack of or ineffective Security Chief (CISO or others) leadership

PwC found that different C-level roles sometimes have diverging views on how strong a barrier is. For example, one item, Absence or shortage of in-house technical expertise, was viewed as a stronger obstacle by CEOs and CIOs, while CFOs did not rate it as strongly.

Let’s look at breaking down these barriers – we’ll group some to address collectively.

  • Lack of an effective information security strategy
  • Lack of an actionable cybersecurity vision or understanding

We’ve found that having a common language for discussing and creating cybersecurity (or information security) strategy and vision at the company’s executive levels breaks down these barriers. For all C-level and senior leadership, conduct strategy sessions that revolve around the information security processes, and apply the same process lens the rest of the business uses to look at its operations. Looking at how well processes are running (as-is) and how they can be improved (to-be) lets all parties assist with and provide input on strategy and goal setting, just as they do for the rest of the business. Seen from this perspective, information security becomes, and is understood as, a business enabler rather than the classic department of “No!” from the past.

  • Lack of or ineffective CEO leadership
  • Lack of or ineffective CIO leadership
  • Lack of or ineffective Security Chief (CISO or others) leadership

Using the common language approach above (viewing cybersecurity through the process lens) gives all three leaders the same vocabulary and the same understanding. Once each has a shared way to view information security and its strategy, leadership begins speaking the same language and addressing the most important decisions collectively.

  • Insufficient funding for capital expenditures
  • Insufficient funding for operating expenditures

Conducting a risk assessment, compliance assessment and capability assessment, performed by competent internal or external parties, provides the supporting information for investment decisions. Regardless of whether results and gaps are viewed through a risk, compliance or capability lens, each prioritized gap or finding should carry the funding it implies, whether for new technology, new staff, or ongoing effort; capturing this appropriately helps C-level leadership understand the need for information security investment. A strong assessment, whether conducted internally or by a third party, should include findings that state the cost of addressing each information security program gap.

  • Absence or shortage of in-house technical expertise

A solid team capability assessment reviews cybersecurity team member roles and responsibilities as part of any of the assessments mentioned previously (risk, compliance or process-based). Its findings show leadership where the cybersecurity program’s needs are not being met through its people. As with the other assessments, solid results should provide funding estimates for the additional training or personnel needed to meet the developing or ongoing requirements of the security program, and a review of cybersecurity expertise, whether conducted internally or by a third party, should include findings that state the cost of addressing personnel gaps.

  • Poorly integrated or overly complex information/IT systems

This one may require review from several perspectives to reduce complexity or improve integration. Integration may be improved through the approach above, using process as a common language between cybersecurity and the C-level, since a shared language clarifies what information security and the business need from each other. Further review through a risk, compliance or process-based assessment should tease out the issues behind this barrier. A risk assessment may find that poorly integrated systems show frequent downtime or failures, increasing risk through unavailability. A compliance assessment may find that poor sharing of compliance-specific information between systems, or the high cost of complying with a regulation because of system complexity, shows where improvements are needed.

To break down these barriers for your information security program, look at what SDS’ Maturity Assessment, Profile, and Plan (MAPP) approach can provide for you.

*Survey: http://www.pwc.com/us/en/view/issue-15/cybersecurity-business-priority.html

How much information security is enough?

By Chad Boeckmann & Adam Stone
May 16th, 2016

Let’s talk about benchmarking. It’s a question our team receives from clients both large and small. When discussing our information security-focused MAPP methodology and our TrustMAPP (formerly, Accliviti) platform, our clients (and their board members) want to know how they stack up, maturity-wise, to their peers. The common belief among this audience is that benchmarking data will help answer the question “how much information security is enough?”

This approach makes sense at a certain level; knowing how mature your organization’s security program is relative to your peers seems, on its face, to indicate whether you are meeting the standard defined by your industry. As with many statistics, however, context plays an important role in deciphering benchmarking data, and it probably wouldn’t surprise the reader that without context the value of benchmark data diminishes. This is especially true for a topic such as information security program maturity.

How much information security is enough? When do we find confidence that the organization has invested the right amount of time and resources to reasonably safeguard our information assets? Fair questions. Based on our experience over the last ten years, knowing your maturity benchmark provides an incomplete answer. The reason is simple: each organization is different. The diversity of organizational cultures and risk appetites within a given industry – even in highly-regulated sectors – virtually guarantees that the results of a maturity assessment will yield an interpretation unique to the organization under review.

Looking at this from a practical view, consider Bank A and Bank B (organization size doesn’t matter in this case). Let’s say that Bank A conducted an assessment that yielded an average information security program maturity score of 3 (on a scale of 1 Low to 5 High). Bank B underwent a similar assessment that returned a score of 3.75. Benchmarking one against the other, it appears that Bank B is more mature than Bank A. Does this mean that Bank A needs to invest more in security to catch up to Bank B?

Not necessarily. Though these two scores provide some information about the effectiveness of each organization’s information security program, they provide little insight into the culture and capacity that drive process maturity. This leads us to the core question: does knowing the maturity of your peers provide meaningful, actionable information that a security leader can act on? Our answer is a resounding “maybe.”

We recommend that companies look inward rather than outward. Instead of focusing on how your security maturity compares to your peers, consider a more introspective approach. What are your company’s security program maturity goals? What drives these goals? How does your organization’s culture affect your ability to achieve them? What does it mean to score a maturity level of 3 versus 4 or 2?

Since many organizations have yet to conduct an information security program maturity assessment, we suggest that you use the results of your first assessment to set a baseline for your organization. Communicate the baseline to your executives and board members. Ask this audience to draw a line in the sand, based, of course, on an understanding of organizational culture and capacity. Work to improve information security program maturity against the goals defined by these key stakeholders. Security leaders will find that, despite constantly shifting business priorities, focusing on your own maturity goals produces far greater dividends than worrying about your peers’ security maturity.

To learn more about information security program maturity, you can request a copy of our popular white paper on MAPP (Maturity Assessment, Profile and Plan).

Process Maturity Assessments for Information Security

Adam Stone, CISSP, CIPP, HCISPP, CHPS
May 2, 2016

Over the past few weeks, SDS received lots of positive feedback on a recent post, Elevate Cybersecurity Communication to Improve Executive Understanding. What we took away from the responses to this and a related post is that there is great interest in unifying and elevating the security discussion by shifting the focus to business processes. It is important to note that process maturity assessments for information security are unique in outcome and value. Not surprisingly, there is still confusion about the differences between an information security process maturity assessment and the other types of security assessment traditionally employed (namely risk-, controls- and compliance-focused assessments). We can empathize. Measuring and communicating process maturity is a relatively new approach that is picking up steam across business sectors, and it will take some time for the industry to understand, adopt and operationalize it. That said, business leaders should understand that each information security assessment type has its own objectives, goals and benefits. The simple table below highlights these differences:

Audit
  Objective: Comply with prevailing reporting requirements.
  Goal: Seek evidence that an organization implements and adheres to its internal policies and controls.
  Benefit: Provide assurance by aligning business practices with internal policy and control requirements.

Compliance Assessment
  Objective: Comply with prevailing legal and regulatory obligations.
  Goal: Seek evidence that an organization implements and adheres to its legal and regulatory obligations.
  Benefit: Reduce exposure by aligning business practices with compliance requirements.

Risk Assessment
  Objective: Manage risk to an acceptable level.
  Goal: Identify and prioritize risks based on an analysis of threats, vulnerabilities and mitigating controls, factored against the likelihood that a threat actor will exploit a given vulnerability.
  Benefit: Enable organizations to predict and prepare security defenses for future loss events.

Maturity Assessment
  Objective: Manage organizational culture to improve effectiveness.
  Goal: Measure the capacity to effectively and efficiently manage an information security program.
  Benefit: Enable organizations to improve security-related business processes by motivating a culture of security throughout.


Of these four assessment approaches, only the process maturity approach explicitly aims to elevate the language of information security by recognizing that organizational culture (enabled by people, processes and tools) plays a significant role in the lasting success of an information security program. Through the lens of culture, the maturity assessment identifies, quantifies and recommends strategies to raise the organization’s capacity to “get security done” in a manner that emphasizes process efficiency and effectiveness. Unlike the other assessment types (which sometimes view security in a vacuum), the maturity assessment emphasizes that security is a critical business function that exists to help companies grow revenue and minimize costs.

Now before you risk and compliance assessment purists pick up your pitchforks, let’s be clear: we are not suggesting that maturity assessments replace commonly-employed information security assessments. In fact, we believe that the results of maturity assessments complement and inform audits, compliance and risk assessments…and vice versa. At the end of the day, the assessment approach you use depends on the folks who will consume the results and recommendations. If you anticipate that this audience will be senior executives and the board, using the language of process maturity will improve the force and clarity of your message.

Secure Digital Solutions’ TrustMAPP™ platform, powered by our MAPP™ methodology, uses a process maturity assessment approach to give organizations a clear understanding of their security posture. This posture is expressed in maturity levels, with trending analysis, planning (resource hours) and budgeting (capital costs), and built-in support for multiple security frameworks and regulations. With Accliviti’s SaaS delivery model, scoring, tracking improvements and communicating the performance of a cybersecurity program happens in weeks instead of months, using built-in analytics. Accliviti helps security leaders create and communicate a strategic roadmap to guide the organization’s security activities.

By leveraging the best-practice MAPP model (Maturity Assessment, Profile, and Plan) using an automated tool like TrustMAPP, security leaders can now focus more time and interactions towards security strategy and advisor roles for the business.

Elevate Cybersecurity Communication to Improve Executive Understanding

By Adam Stone, Secure Digital Solutions
April 11, 2016

A few weeks ago, my colleague, Tennelle Anderson, argued the need for a common language that explains cybersecurity issues in a clear, consistent manner. The thrust of Anderson’s post is that business leaders hear different narratives about the state of cybersecurity depending on who is delivering the message. Ask an auditor about security and the response often focuses on controls. A corporate lawyer may communicate security in terms of compliance. Invite a security professional’s view about the state of security and the answer is often couched in risk mitigation. It is time we begin to Elevate Cybersecurity Communication to Improve Executive Understanding.

Not surprisingly, top managers are confused. According to a recent CNBC report, “more than 90 percent of corporate executives said they cannot read a cybersecurity report” and as a result, “are not prepared to handle a major attack.” Ouch.

As we can see, the real problem facing today’s cybersecurity leaders is less about blocking and tackling security threats and more about successfully communicating program effectiveness (without overselling) to the folks that matter. Without a clear understanding of the value security brings to the business, the natural reaction of executives and board members is to gloss over the issue or worse, underinvest in the security function.

There are new methodologies and solutions rising to the cybersecurity communications challenge. Of these, measuring and communicating cybersecurity issues in terms of process maturity is gaining the most traction. Distinct from the outputs of audits, compliance reviews and risk assessments, focusing on process maturity provides a new narrative, describing in measurable terms an organization’s capacity to effectively and efficiently manage the myriad business processes that comprise a cybersecurity program. Process maturity enables organizations to think strategically about cybersecurity challenges by elevating the discussion beyond controls-based management.

Secure Digital Solutions’ Accliviti™ tool, powered by our MAPP™ methodology, empowers organizations with a clear picture of security posture based on maturity levels, including trending analysis, planning and budgeting, and built-in support for multiple security frameworks and regulations. With Accliviti’s SaaS delivery model, scoring, tracking improvements and communicating performance of a cybersecurity program happens in weeks, instead of months, using built-in analytics. Accliviti helps security leaders create and communicate a strategic roadmap to guide the organization’s security activities.

By leveraging the best-practice MAPP model (Maturity Assessment, Profile, and Plan) using an automated tool like Accliviti, security leaders can now focus more time and interactions towards security strategy and advisor roles for the business.

Bringing Focus and Clarity to The Issue of Cyber Risks

By Christophe Veltsos, PhD
April 5th, 2016

Board directors and top leadership are under pressure to get a handle on cybersecurity risks. While the “security problem” isn’t new, it has ballooned into a top agenda item for most organizations today. On a positive note, it means that boards, management, and senior security staff are having conversations around cybersecurity risks, and how to align those with the needs of the business. However, the ongoing list of data breaches making headlines almost every day implies that those conversations are not being as fruitful as they need to be.

Establish security objectives, policies and roles.

A large gap exists between what those in the cybersecurity trenches know and what management and the board are told about those activities and projects. In today’s environment, it is no longer acceptable for a Chief Information Officer (CIO) or Chief Information Security Officer (CISO) simply to give their “word” that security is under control. Boards and management are asking more probing questions, and it’s about time. In response, CIOs and CISOs need to better explain how money and resources are being spent. In making the case for their budgets and proposed risk mitigation activities, however, CIOs and CISOs need to steer clear of techno-babble or risk losing their executives’ and board’s attention and support.

To assist management and board directors, a Spencer Stuart article entitled Cybersecurity: The Board’s Role defined key questions for how board directors can assess their organization’s current handling of cybersecurity risks:

  1. Does management have “a clear and consistent understanding of cybersecurity relative to the business?”
  2. Does management understand its responsibility in this domain, and particularly whether management has “an adequate system of controls in place?”
  3. Is the cybersecurity budget appropriately funded?

The problem that boards and management face is understanding a topic fairly foreign to them, about which they are expected to make decisions that ensure the continued cyber health of their organization. In the past, security leaders could ask for and receive sizeable budgets without being able to show the impact of that funding on the organization’s ability to handle risk. In today’s environment, management and the board are eager to show not only that they are not ignoring their responsibilities to customers, shareholders, and even government watchdog agencies, but also that they understand a right-sized approach and budget for protecting the business from risk.

How can management communicate to the board that it has “a clear and consistent understanding of cybersecurity relative to the business?” How can management demonstrate that it has “an adequate system of controls in place” and that the cybersecurity budget is adequately funded?

In a report entitled Cyber Risk ‐ Getting the Boardroom Focus Right, Deloitte outlined a key attribute of organizations deemed to be at the highest level of cybersecurity risk governance: that “cyber risk management and reporting become ‘business as usual.’”

How can we have engaging, challenging conversations about the organization’s cybersecurity activities? How can we make sure the topic of cybersecurity becomes part of “business as usual” for management and the board?

We shift the conversation away from individual cyber-related projects (such as perimeter defenses or antivirus) and towards an approach that is understandable, logical, repeatable, reliable, and robust. This approach exists – it’s called MAPP: Maturity Assessment, Profile, and Plan. We first group similar security controls and activities into processes, or a high-level business view of a group of related security activities (such as user access control or governance). From this perspective, an organization looks at the maturity of its security processes, and then tracks, reports, and has engaging conversations on its handling of security risks. Security management can show the C-suite that it’s doing the right things the right way. The C-suite can be on the same page, without having to go to cyber school.

For board directors and top leadership, there is no escaping from their responsibilities to tackle cybersecurity risks. What is needed is an approach that will bring focus and clarity to the discussions about cybersecurity to ensure that the right decisions are made. The organization’s future depends on it.

Don’t delay, download and read our MAPP approach today.

27 Oct 2015

Controls Are for Auditors

An Information Management Approach

By: Chad Boeckmann, CISSP, CISA (CEO, Secure Digital Solutions)

Consider this approach to information security: Controls are for auditors; processes are for managers. As someone who has for nearly two decades provided guidance to help companies improve their information security, I’ve concluded the typical industry approach to information security (focusing on controls) is too narrow.

Often, tools are purchased as a reaction to the latest threat or, worse, a socially cool trend. To truly operationalize security, information security practitioners, particularly leaders (CISOs), must focus on managing the security program, both data security and cyber security, based on the performance of processes. Consider the following definitions from the IIA:

The Institute of Internal Auditors (IIA) defines control, the control environment, and control processes as follows:

A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Control processes are the policies, procedures (both manual and automated) and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level an organization is willing to accept. Risk management is a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance that the organization will achieve its objectives.

So how can you actually begin to measure your security program and operationalize performance based on process? First, many controls can be harmonized into processes. You might be thinking, “There are too many processes to manage effectively. Controls are easier.” I would challenge any security program, in most use cases, to identify more than 40 processes that need to be managed to align with regulatory and internal or external policy objectives for information security. Yes, this includes regulations such as GDPR, HIPAA, PCI DSS and FFIEC, and frameworks like ISO 27001/2 and the NIST CSF.

Many of the regulatory controls and framework controls overlap considerably. To use a golf analogy, if we raise our eyes from the rough lining the fairway, we can see the ball and the pin clearly. Take an industry-recognized IT management and governance framework like COBIT and marry it with a set of consolidated processes, and your life as a CISO or information security practitioner becomes easier: you gain the ability to align the organization’s objectives (the pin) with metrics tied to the process (the fairway) that get the ball to the pin.

This is why we’ve automated this process with TrustMAPP. This is part 1 of a 2-part blog post. In the next entry I’ll discuss how to go about measuring process level performance to align with frameworks and regulations in a simplified but meaningful way.

09 Oct 2015

Playbook for the CISO

What the COBIT Maturity Model Provides

By: Chris Cathers, Secure Digital Solutions

In this new world of cyber threats, weekly data breach news and executive stakeholder concerns, we enter a phase that requires a discussion of what Information Security 2.0 should look like. With this in mind, it is time to consider revising (or creating) a CISO Playbook.

In my discussions with clients across multiple industries there is one common theme: regulatory pressures are increasing as a result of recent fraud and data breaches.

It is no surprise that regulators and auditors are increasing scrutiny of information security controls. Using a control framework (e.g. NIST, ISO) as the base of recommended controls is not enough to manage information security effectively. Effective management includes understanding the maturity of the process and expertise of the people in the organization responsible for supporting the specified controls.

As an example, if a DLP (Data Loss Prevention) system is implemented to prevent the extraction or loss of confidential information, it is not enough just to have the DLP solution: you also need the expertise to run it, the reporting and decision support to act when an alert fires, the right metrics delivered to the right people, and policies that back all of this. This is how a CISO defines an effective process supporting the controls.

In order to elevate information security, we suggest adding a level of measurement above the mere existence of controls and the risk associated with deficiencies, and measuring your program through the lens of Awareness, Policy/Procedure, Accountability, Measurability, Expertise, and Automation. As COBIT 4.1 suggests, these maturity attributes are critical to understanding the full breadth of capability within the information security processes that actually support the chosen control framework(s) and regulation(s). This approach truly provides an advantage to a CISO Playbook and allows the CISO to look at all of the parts that make up the whole, instead of simply the classical audit perspective of “on” or “off”, i.e. whether a control is in place or not.

To learn more about how to achieve this process with significant performance and planning metrics, read more about our cloud-based platform, Accliviti.

04 Feb 2015

Engaging the Board on Security & Privacy

A Moment of Opportunity for Security and Privacy Leaders

By Adam Stone, Privacy Practice Lead, SDS

Following numerous major security breaches in the news in 2014, corporate boards of directors are increasingly interested in understanding information security and what it means to their business. As a data security leader, use this opportunity for engaging your board of directors on information security by honing your message in a way that resonates with the board.

Given the fever pitch of breach reporting in 2014 (culminating with the recent Sony hack), data security has finally found its way into board meeting agendas for organizations across the spectrum. This is a business moment that many have been waiting for. Ask any battle-weary data security leader who’s struggled to gain corporate credibility and visibility and they will utter an exasperated “It’s about time!”

How does a data security leader leverage the board’s newfound interest in data protection and keep members engaged for the long run?

First, a bit of introspection. Data security continues to grapple with how the organization perceives where it fits in the corporate hierarchy (and this perception is often at odds with how data security leaders believe it should be). Traditionally, the Board has perceived data security as an IT issue, relegated to a cost of doing business rather than a contributor to strategic, sustainable growth and long-term shareholder/stakeholder value. As a result, data security topics are often bundled with operational IT matters and filtered up to the board via established proxies, such as audit or the chief information officer (CIO).

For years, thought leaders[i] have promoted data security as a business issue worthy of its own pulpit. Until recently though, evidence to back the truth of this claim was missing or mixed. With the Sony event, we can reflect on what happens when the board is not adequately exposed to data security topics. Sony is not alone; recent surveys suggest that a majority of corporate boards are minimally involved in cybersecurity preparedness[ii] and remain largely unprepared to deal with a security breach[iii] despite board members’ increasing interest in addressing this subject[iv].

This lack of board engagement on information security is, in part, a branding problem linked to several causes; among these is the wonky, technocratic way practitioners try to communicate the benefits of safeguarding data and the reasonable solutions for making that happen. Let’s face it: data security is not a particularly sexy topic for most.

Security industry leaders risk making an already poorly-understood subject less engaging by not clearly, consistently and relentlessly communicating its purpose, objectives and goals in terms of money saved and/or money earned. Board members are rarely inspired to action with heavy-handed, compliance-focused messages and even fewer are motivated by technobabble.

Boards understand risk. They understand that risk (an inherent negative) is a key part of doing business (that’s why data security functions exist). Undesirable, or at least indifferent board perceptions of data security should be countered with positive “opportunity” messages focused on the long view. Board members want to know how data security investments will bolster (or repair) public confidence, and make the organization’s current and future products and services desirable and efficiently produced. Successful data security leaders ensure that their communication strategy lines up with the board’s needs.

To accomplish this task, communicate using a dashboard-like approach that reflects, through colors, the areas of the information security program that require the most focus. Use this simple concept to achieve buy-in, then deliver the answer to the inevitable question: “how much effort and capital will that take?” BE PREPARED! When engaging the board of directors on information security you will have just 3-5 slides and a maximum of 5-7 minutes. Create one slide that communicates the state of the union, and follow it with slides that describe the costs of going from “red to yellow” and from “yellow to green”.
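As an added example (not code from the posts, TrustMAPP or Accliviti) tying the six COBIT 4.1 maturity attributes from the CISO Playbook post to the red/yellow/green dashboard described here: each process is scored 0 to 5 per attribute, every framework control inherits the color of the process that supports it (so a control that is merely “on” does not show green), and the attribute points needed to reach the next band are the raw input to the “how much effort” question. The processes, scores and control-to-process mapping are constructed for illustration.

```python
from dataclasses import dataclass, field
from statistics import mean
import math
# COBIT 4.1 maturity attributes named in the post, each scored 0 (non-existent) to 5 (optimised).
ATTRIBUTES = ("awareness", "policy_procedure", "accountability",
              "measurability", "expertise", "automation")

@dataclass
class Process:
    name: str
    scores: dict                                  # attribute -> 0..5
    controls: list = field(default_factory=list)  # framework controls this process supports

    def maturity(self) -> float:          # overall maturity: mean of the six attribute scores
        return round(mean([self.scores[a] for a in ATTRIBUTES]), 2)

    def weakest(self) -> str:             # the attribute holding the process back (ties: first)
        return min(ATTRIBUTES, key=lambda a: self.scores[a])

    def points_to(self, threshold: float) -> int:
        # Attribute points to add before the mean reaches `threshold`: the raw
        # "how much effort" figure behind a red-to-yellow or yellow-to-green ask.
        return max(0, math.ceil(threshold * len(ATTRIBUTES) - sum(self.scores.values())))

def color(score: float, target: float = 3.0) -> str:
    """Dashboard band: green at/above target, yellow within one level below it, else red."""
    return "green" if score >= target else "yellow" if score >= target - 1 else "red"

def dashboard(processes, target=3.0):
    """Process-level board view: band, weakest attribute and cost of reaching the next band."""
    rows = []
    for p in processes:
        m = p.maturity()
        c = color(m, target)
        nxt = {"yellow": target, "red": target - 1}.get(c)   # threshold to cost; None when green
        rows.append({"process": p.name, "maturity": m, "color": c, "weakest": p.weakest(),
                     "points_to_next": p.points_to(nxt) if nxt is not None else 0})
    return rows

def control_view(processes, target=3.0):
    """Control-level view: each control inherits the color of the process behind it, so a
    control that is merely 'on' but backed by an immature process does not show green."""
    return {c: color(p.maturity(), target) for p in processes for c in p.controls}

# Constructed sample program (illustrative control-to-process mapping, not any framework's own).
DLP = Process("Data loss prevention", dict(zip(ATTRIBUTES, (4, 2, 3, 1, 2, 4))),
              ["NIST CSF PR.DS", "ISO 27001 A.13.2"])
LOGGING = Process("Logging and monitoring", dict(zip(ATTRIBUTES, (3, 3, 3, 3, 3, 4))),
                  ["PCI DSS Req 10", "NIST CSF DE.CM"])
VENDOR = Process("Third-party risk", dict(zip(ATTRIBUTES, (1, 1, 2, 0, 1, 0))))
```

Running `dashboard([DLP, LOGGING, VENDOR])` gives the one-slide “state of the union” rows; the `points_to_next` column is what the red-to-yellow and yellow-to-green cost slides are built from.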

For more help and information on developing an information security dashboard presentation, you may contact our team here: http://securedigitalsolutions.com/contact/

Some references worth noting for further reading on this subject:

[i] One organization assisting board members on how to address cybersecurity issues is the National Association of Corporate Directors (NACD). We recommend accessing their materials on this subject at http://www.nacdonline.org/.

[ii] “Cybersecurity: What the Board of Directors Needs to Ask.” The Institute of Internal Auditors Research Foundation (IIARF). 2014. 10 January 2015. <http://www.theiia.org/bookstore/product/cyber-security-what-the-board-of-directors-needs-to-ask-download-pdf-1852.cfm>.

[iii] “Cyber Incident Response: Are Business Leaders Ready?” Economist Intelligence Unit (EIU) sponsored by Arbor Networks. 2014. 13 January 2015. <http://www.arbornetworks.com/ciso/eiureport>.

[iv] “IT and Cybersecurity Oversight: PwC’s 2014 Annual Corporate Directors Survey.” PricewaterhouseCoopers, LLP. 2014. 13 January 2015. <http://www.pwc.com/us/en/corporate-governance/annual-corporate-directors-survey/information-technology-cybersecurity-oversight.jhtml>.