A Moment of Opportunity for Security and Privacy Leaders

By Adam Stone, Privacy Practice Lead, SDS

Following numerous major security breaches in the news in 2014, corporate boards of directors are increasingly interested in understanding information security and what it means to their business. As a data security leader, use this opportunity to engage your board of directors on information security by honing your message in a way that resonates with the board.

Given the fever pitch of breach reporting in 2014 (culminating with the recent Sony hack), data security has finally found its way onto board meeting agendas for organizations across the spectrum. This is a business moment that many have been waiting for. Ask any battle-weary data security leader who’s struggled to gain corporate credibility and visibility and they will utter an exasperated “It’s about time!”

How does a data security leader leverage the board’s newfound interest in data protection and keep members engaged for the long run?

First, a bit of introspection. Data security continues to grapple with how the organization perceives where it fits in the corporate hierarchy (and this perception is often at odds with where data security leaders believe it should be). Traditionally, the board has perceived data security as an IT issue, relegated to a cost of doing business rather than a contributor to strategic, sustainable growth and long-term shareholder/stakeholder value. As a result, data security topics are often bundled with operational IT matters and filtered up to the board via established proxies, such as the audit function or the chief information officer (CIO).

For years, thought leaders[i] have promoted data security as a business issue worthy of its own pulpit. Until recently though, evidence to back the truth of this claim was missing or mixed. With the Sony event, we can reflect on what happens when the board is not adequately exposed to data security topics. Sony is not alone; recent surveys suggest that a majority of corporate boards are minimally involved in cybersecurity preparedness[ii] and remain largely unprepared to deal with a security breach[iii] despite board members’ increasing interest in addressing this subject[iv].

This lack of board engagement on information security is, in part, a branding problem linked to several causes; among these may be the wonky, technocratic way practitioners try to communicate the benefits of safeguarding data, along with reasonable solutions for making that happen. Let’s face it: data security is not a particularly sexy topic for most.

Security industry leaders risk making an already poorly understood subject less engaging by not clearly, consistently and relentlessly communicating its purpose, objectives and goals in terms of money saved and/or money earned. Board members are rarely inspired to action by heavy-handed, compliance-focused messages, and even fewer are motivated by technobabble.

Boards understand risk. They understand that risk (an inherent negative) is a key part of doing business (that’s why data security functions exist). Undesirable, or at least indifferent, board perceptions of data security should be countered with positive “opportunity” messages focused on the long view. Board members want to know how data security investments will bolster (or repair) public confidence, and make the organization’s current and future products and services desirable and efficiently produced. Successful data security leaders ensure that their communication strategy lines up with the board’s needs.

To accomplish this task, simply communicate using a dashboard-like approach that reflects, through colors, the areas of the information security program that require the most focus. Use this simple concept to achieve buy-in, then deliver the answer to the forthcoming question “how much effort and capital will that take?” BE PREPARED! When engaging the board of directors on information security you will have just 3-5 slides and a maximum of 5-7 minutes. Create one slide that communicates the state of the union, followed by slides that describe the costs of going from “red to yellow” and from “yellow to green”.

For more help and information on developing an information security dashboard presentation, you may contact our team here: http://securedigitalsolutions.com/contact/

Some references worth noting for further reading on this subject:

[i] One organization assisting board members on how to address cybersecurity issues is the National Association of Corporate Directors (NACD). We recommend accessing their materials on this subject at http://www.nacdonline.org/.

[ii] “Cybersecurity: What the Board of Directors Needs to Ask.” The Institute of Internal Auditors Research Foundation (IIARF). 2014. 10 January 2015. <http://www.theiia.org/bookstore/product/cyber-security-what-the-board-of-directors-needs-to-ask-download-pdf-1852.cfm>.

[iii] “Cyber Incident Response: Are Business Leaders Ready?” Economist Intelligence Unit (EIU) sponsored by Arbor Networks. 2014. 13 January 2015. <http://www.arbornetworks.com/ciso/eiureport>.

[iv] “IT and Cybersecurity Oversight: PwC’s 2014 Annual Corporate Directors Survey.” PricewaterhouseCoopers, LLP. 2014. 13 January 2015. <http://www.pwc.com/us/en/corporate-governance/annual-corporate-directors-survey/information-technology-cybersecurity-oversight.jhtml>.