In many organizations, the Board of Directors — or a risk committee led by a few board members — receives regular updates on the state of information security in the organization. I’ve seen this message delivered by the CISO, CIO, CRO, Chief Audit Executive and any number of others.
I recall a conversation about 10 years ago in front of a board of directors when the CISO was presenting on the number of vulnerabilities that have been discovered and fixed over time. The first question by a board member was “can you explain what a vulnerability is?”
Board Members have a tough job. On top of providing governance and advice on the business itself, they need to be experts in accounting, risk management and now information security.
I put together a list of fundamental principles the Board (or any CXO) should think about when reading and listening to their information security teams.
- Security is not absolute.
- If all you read about security is in the Wall Street Journal, you must be pretty freaked out.
- There is no way to fix everything.
- It’s not what you found, it’s what you didn’t find.
- You have a finite amount of money and time, while attackers have an unlimited supply of both.
- There are multiple “actors” who want to attack your organization: students, ex-employees, nation states, that weird dude down the block, everyone you can think of.
- There are multiple “assets” they can attack: applications, systems, networks, products, people.
- There are multiple reasons people attack you. And none of them matter.
- Don’t believe that a breach is inevitable, but prepare for one anyway.
- It’s not always whether you got breached, but how you handle it.
- While there is a lot of technology you can apply, you also need just as much process and people to support it.
- Following regulations does not make you secure (but it does make you compliant).
- Following good security practices usually makes you compliant too.
- Understand what data you keep. And how that data is regulated.
- Security is not just about passwords. But you’d really better have a password other than password1.
- Being a CXO or Board Member doesn’t make you the exception to security. You don’t get to opt-out. Your information is just as valuable as the next guy.
- Just because you bought something doesn’t make it more or less secure than if you built it. (And vice versa.)
- Universally, companies have underspent on security over the past decade.
- But that doesn’t excuse you from asking how new money is going to be spent.
- Good security people are really hard to come by.
- While you can go to school to learn to be a CEO, CFO, and CMO, you can’t yet go to school to learn to be a CISO.
- But that shouldn’t excuse them from lacking good management skills.
- Find a third party you trust to consult you on security.
- Don’t be afraid to ask more questions.
What’s missing? Leave it in the comments below.