Expert Perspectives

How Best to Communicate with Your Board of Directors on Your Company’s Security Posture

With the dramatically changing IT landscape, protecting employees, customers, partners and their data is now much more complex. Here is what you need to know.

In the not too distant past, companies could secure their IT environments in a controlled way: apps ran on premises, networks were finite, data centers were owned and managed internally, PCs stayed on desks and employees relied on their desk phones.

How dramatically the IT landscape has changed! Protecting employees, customers, partners and their data is now much more complex. With public cloud infrastructure managed by third parties, a higher percentage of applications delivered as SaaS, Wi-Fi, mobile devices, and connectivity to an entire ecosystem of partners, security is significantly more challenging today. And so, while the fundamental job of the CISO or CIO is the same (securing the organization), how we go about it is very different with the emergence of the Internet of Things, mobility and the cloud.

All of this is occurring at a time when data breaches are at an all-time high. Attackers have become quite sophisticated, employing the latest technical advances, including artificial intelligence and machine learning, to find the weakest points of resistance and breach a network. They have more ways into a company, dwell longer once inside, and target their victims more precisely.

According to Symantec’s latest Internet Security Threat Report, one in 131 emails contained a malicious link or attachment, the highest rate in five years. The size of ransom demands spiked 266%, and CIOs have lost track of how many cloud apps are in use inside their companies: when asked, most will say up to 40, when the real number nears 1,000. (Symantec’s CASB, or cloud access security broker, offering can provide full visibility of non-sanctioned cloud applications.)
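The gap between the 40 cloud apps a CIO can name and the 1,000 in actual use is measured, in practice, by looking at egress traffic. The script below is an added illustration of that measurement, not Symantec code and not how any CASB product is implemented: it parses web-proxy log lines in a hypothetical five-field format, collapses hostnames to a registrable domain, and reports every domain that is not on a (constructed) sanctioned-app list together with how many users touched it. The log lines, the field layout and the sanctioned list are all made up for the example.

```python
"""Shadow-IT discovery from proxy logs (added example; constructed data)."""
from collections import Counter, defaultdict
import re

# Hypothetical list of cloud apps approved by IT.
SANCTIONED = {"office365.com", "salesforce.com", "box.com"}

# Hypothetical proxy log format: "<timestamp> <user> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def registrable_domain(host):
    """Collapse 'app.eu1.example.com' to 'example.com'.

    Naive last-two-labels rule: fine for this illustration, but a real tool
    should use a public-suffix list so that 'foo.co.uk' is not treated as 'co.uk'.
    """
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_from_url(url):
    """Extract the host portion of an http(s) URL, or None if there is none."""
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    return m.group(1) if m else None


def parse_line(line):
    """Return {'user', 'domain'} for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, user, _method, url, _status = m.groups()
    host = host_from_url(url)
    if host is None:
        return None
    return {"user": user, "domain": registrable_domain(host)}


def shadow_it_report(lines, sanctioned=SANCTIONED):
    """Per-domain request counts and distinct-user counts for every cloud
    domain seen in the log that is NOT on the sanctioned list.

    Malformed lines are skipped rather than aborting the run, since proxy
    logs routinely contain truncated or oddly formatted records.
    """
    hits = Counter()
    users = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["domain"] in sanctioned:
            continue
        hits[rec["domain"]] += 1
        users[rec["domain"]].add(rec["user"])
    return {d: {"requests": hits[d], "users": len(users[d])} for d in hits}


# Constructed sample log: three unsanctioned apps, two sanctioned ones,
# and one malformed line.
SAMPLE_LOG = """\
2018-02-01T09:00:01Z alice GET https://outlook.office365.com/mail 200
2018-02-01T09:00:05Z alice POST https://api.dropbox.com/2/files/upload 200
2018-02-01T09:01:10Z bob GET https://app.eu1.trello.com/b/abc 200
2018-02-01T09:02:00Z carol POST https://api.dropbox.com/2/files/upload 200
2018-02-01T09:02:30Z bob GET https://login.salesforce.com/ 200
malformed line that the parser must skip
2018-02-01T09:03:00Z dave GET https://pastebin.com/raw/xyz 200
"""

if __name__ == "__main__":
    for domain, stats in sorted(shadow_it_report(SAMPLE_LOG.splitlines()).items()):
        print(f"{domain:<15} requests={stats['requests']:<3} users={stats['users']}")
```

Run against a day of real proxy logs, the number of distinct unsanctioned domains is the figure worth putting in front of a board, alongside the user count per app, which separates one person's experiment from an application the business has quietly come to depend on.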

In short, there is plenty to keep CIOs and CISOs awake at night. The question “Are we secure?” does not have an easy answer. Even if you employ the best security and IT teams available, and have security controls in place throughout the entire IT architecture stack, security flaws can still surface. Witness the Meltdown and Spectre flaws in the speculative-execution logic of Intel and other modern microprocessors, present in nearly all of the world’s computers. These two flaws let an unprivileged program read memory it should never be able to see, including the operating system kernel’s, and they have spurred the discovery of further attacks of the same kind.

When I’m asked why I’m concerned about what’s lurking over the security horizon, I use my house analogy: for most of us, our homes always need some repair. It’s never-ending, right? The gutters are broken, the bathrooms need caulking, and with the latest unpredictability of the weather there are now floods from time to time. But what if we get hit with a tsunami-force storm and rain comes down at 900 pounds per second, hitting every angle of the house? Nobody can predict with a high degree of accuracy which 10 areas the water will seep through. Maybe we can predict three or four, at best. The rest is a roll of the dice.

The same is true of an organization. The CISO knows what is secured and what needs more work. But when aggressive attackers strike, it is often difficult to predict exactly which part of the architecture they will hit.

Bridging the board gap

All of which makes it vital that the board of directors and company experts with the responsibility for the organization’s cyber security are aligned.

Easier said than done. For years there has been a disconnect between the way boards assess cyber threats, costs and areas of responsibility, and the experience of the IT specialists tasked with managing security. So why is it so hard for security executives to convey that sense of urgency and scale to their board?

Here are a few thoughts.

  • Any security discussion needs two components. First, the conversation should matter to the board as much as the financial health of the company. Boards spend between 60% and 70% of their meetings analyzing financial results; security should likewise be among the top issues the board discusses at every single meeting. It’s not a one-and-done discussion: security is always changing and should be part of the overall risk discussion.

  • At the same time, CISOs and CIOs have a responsibility to present a clear and crisp security overview so that the company’s security posture is easily understandable to the board. Part of this role is educational: generally speaking, boards don’t have security expertise and don’t know what questions to ask. CISOs and CIOs must paint the big picture and show how security looks from an architectural standpoint. All too often, the board receives a security briefing it can’t understand, weighed down with technical jargon and poorly presented. The result is board frustration and confusion, which obscures the company’s security strategy and execution.

    If we communicate well, we’ll answer four basic questions:

    • What are the risks?

    • Where are we secure?

    • Where are our weaknesses?

    • Where do we need to invest?

    All of this can be conveyed through an architectural view in which the board can easily visualize “security” across the entire landscape, from infrastructure to endpoints.

  • It then becomes more of a risk discussion, which returns the topic to more familiar terrain for the board. We can help by providing a risk scorecard so the board understands the overall security posture, with strengths and weaknesses highlighted. At that point, management can more easily grasp where security needs to improve and where investment may be needed.

When I see people doing this right, the board receives regular review material confirming three things: that the main cyber threats to the company have been identified and sized; that there is an action plan to improve defenses and respond to those threats; and that preparations have been made to respond to a successful attack. Getting this wrong carries a real cost. A material security breach will, at a minimum, harm your company’s brand and reputation. In the worst-case scenario, as we’ve seen with many Fortune 500 companies, a breach can significantly damage the business. Arming your board with the right information ensures it can support the security team’s goal of protecting against today’s often unpredictable threats.

About the Author

Sheila Jordan

SVP, Chief Information Officer

Sheila Jordan is Senior Vice President and CIO at Symantec, responsible for the company’s information technology strategy and operations. Her goal is to drive increased productivity, better efficiency and intuitive experiences for Symantec's global workforce.
