24 Security Things Board of Directors Should Know

September 21, 2015

In many organizations, the Board of Directors — or a risk committee led by a few board members — receives regular updates on the state of information security in the organization. I’ve seen this message delivered by the CISO, CIO, CRO, Chief Audit Executive and any number of others.

I recall a conversation about 10 years ago in front of a board of directors when the CISO was presenting on the number of vulnerabilities that had been discovered and fixed over time. The first question from a board member was “can you explain what a vulnerability is?”

Board Members have a tough job. On top of providing governance and advice on the business itself, they need to be experts in accounting, risk management and now information security.

I put together a list of fundamental principles the Board (or any CXO) should think about when reading and listening to their information security teams.

  1. Security is not absolute.
  2. If all you read about security is in the Wall Street Journal, you must be pretty freaked out.
  3. There is no way to fix everything.
  4. It’s not what you found, it’s what you didn’t find.
  5. You have a finite amount of money and time, while attackers have an unlimited supply of both.
  6. There are multiple “actors” who want to attack your organization: students, ex-employees, nation states, that weird dude down the block, everyone you can think of.
  7. There are multiple “assets” they can attack: applications, systems, networks, products, people.
  8. There are multiple reasons people attack you. And none of them matter.
  9. Don’t believe that a breach is inevitable, but prepare for one anyway.
  10. It’s not always about whether you got breached, but how you handle it.
  11. While there is a lot of technology you can apply, you also need just as much process and people to support it.
  12. Following regulations does not make you secure (but it does make you compliant).
  13. Following good security practices usually makes you compliant too.
  14. Understand what data you keep. And how that data is regulated.
  15. Security is not just about passwords. But you’d really better have a password other than password1.
  16. Being a CXO or Board Member doesn’t make you the exception to security. You don’t get to opt-out. Your information is just as valuable as the next guy.
  17. Just because you bought something doesn’t make it more or less secure than if you built it. (And vice versa.)
  18. Universally companies have underspent on security over the past decade.
  19. But that doesn’t excuse you from asking how new money is going to be spent.
  20. Good security people are really hard to come by.
  21. While you can go to school to learn to be a CEO, CFO, and CMO, you can’t yet go to school to learn to be a CISO.
  22. But that doesn’t excuse a CISO from needing good management skills.
  23. Find a third party you trust to consult you on security.
  24. Don’t be afraid to ask more questions.

What’s missing? Leave it in the comments below.