Every so often, I see an interesting piece on Forbes.com. This time it is How To Talk To the Board About Cybersecurity.
A CIO shares his experience working with boards and advice on that challenge for CISOs.
Here are some useful comments (with my highlights):
- If a CIO can’t effectively communicate budget requirements, or a CISO can’t articulate why the risk outweighs the efficiency that would be gained by rolling out a particular technology, it puts not only technical, but business operations and security, at risk.
- … while security teams increasingly recognize the fact that breach prevention is a losing strategy, oftentimes the board is not quite there yet. Just as security teams are recalibrating their efforts towards detection, mitigation, and resilience, CISOs should encourage the board to look at how the organization is equipped to respond when the inevitable occurs—including how it will recover.
- One of the most important things technical leaders can do in communicating with the board is to get on the same page ahead of time. In the day-to-day of security operations (SecOps) and IT operations (IT Ops), priorities often come into conflict. One is focused on performance, which requires speed and agility. One is focused on protecting critical assets and data, which can often mean strict requirements and lengthy evaluations.
But for the board, the only consideration is how these two things are supporting (or hindering) business operations.
- CISOs and other security leaders do need to find ways to avoid being pigeon-holed as the team of “no.” If CISOs, together with CIOs, can demonstrate a clear understanding of business requirements and objectives and talk about what security measures need to be in place to achieve them, it reframes the conversation around “when” not “if.”
- Ultimately Security is about tradeoffs: risk vs. reward, risk vs. speed. If you, as a technology leader, can demonstrate that you understand those tradeoffs and are capable of moving forward while balancing those risks, you will be seen as an asset to the success of your business, not a roadblock.
There are a couple of key messages here that I have been sharing for several years, including in my book, Making Business Sense of Technology:
- Talk to leadership in business terms: what is required to achieve business objectives, whether that is security or technology innovation?
- While reasonable precautions need to be made to prevent a breach, that is an impossible goal. The capable hacker will get in. The question is whether it will take your organization the typical 8-9 months to know what is going on, or whether you will be able to detect a breach promptly and respond appropriately.
I welcome your thoughts.
Norman D. Marks, CPA, CRMA
Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.
He retired in early 2013. However,he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.
He retired in early 2013. However,he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.
Latest posts by Norman D. Marks, CPA, CRMA (see all)
- Are you hungry for a better approach to risk appetite? - November 18, 2020
- The state of SOX compliance - October 20, 2020
- Rethinking internal auditing - April 27, 2020
