Security and the Board


Not long ago I was asked to attend a quarterly Board meeting of one of my healthcare clients and to present the recommendations of a Strategic Security Roadmap (SSR) exercise that my team and I had conducted for the organization. The meeting commenced sharply at 6am one weekday morning and I was allocated the last ten minutes of the meeting to explain our recommendations and proposed structure for a revised Cybersecurity Management Program (CMP).

The client Director of Security and I waited patiently outside the Board Room while the “real” business of the Board was conducted inside. As is the case with many organizations, Information Security was not really taken seriously there, and the security team reported into IT way down the food chain with no direct representation at the ‘C’ Suite or the Board level.

The organization’s CMP had “evolved” over the years from anti-virus, patching and firewall management into other domains of the ISO27002 framework, but it was by no means complete, nor was it taken seriously by those at the top. Attempts to build out a comprehensive, holistic security program over the years had met with funding and staff resource constraints, and Directors of Security had come and gone with nothing really changing.

The Security Director was enthusiastic, young and bright. He had memorized the magic quadrant leaders for each and every security tool that he felt he needed to round out security across the organization. His approach to security was a shopping list of “shiny objects”, each of which was a best-of-breed point solution. There was no strategy for integrating them and little understanding of the costs and effort that would be involved. Proposed solutions were only loosely tied back to business objectives and drivers.

Right on time, an Executive Admin opened the double doors to the boardroom and we were ushered in, with printed color copies of the Executive Brief I had prepared sitting uppermost on the stack of papers in front of each member.

Like many healthcare boards, the membership was a mix of active physicians dressed in their whites and greens ready for their day shift, the CEO and his Executive team, and a collection of what looked to be retired Generals and corporate chieftains from various industries including one notable banker.

The CIO introduced me and I spent the next eight minutes walking the Board through the recommendations of our report, leaving two minutes on the clock for questions.

The Executive Team and most of the younger physicians nodded in agreement and understanding at each recommendation and the reason for it. Some of the older members required further explanation and a deeper understanding of the risk management context, which formed the basis of the suggested revisions.

All was going well, and at this point it looked as though funding would be approved for an update of the security program. Then one of the older physicians asked a question about a particular security application, and the Director of Security, who hadn’t said anything thus far, saw his opportunity to jump in and be heard. Unfortunately the language he used was full of technical security jargon that might just as well have been double Dutch for all the good it did in communicating his point. The physician looked on with an irritated stare and I had to rescue the meeting before it deteriorated further.

It was at this point that I realized why all previous attempts to build out a robust holistic information security management program had met with failure. Security and the Board spoke totally different and highly incompatible languages and it had taken a seasoned consultant to bridge the chasm and to act as arbiter.

Establishing a formal Cybersecurity Management Program, written in neutral language that both sides could understand and structured to address underlying business objectives rather than the latest security fads, would be absolutely critical for this customer if it was to secure its business.

Fortunately the CMP was approved, but this example is all too typical of the interaction between information security professionals and boards of directors - especially in organizations afflicted with low levels of security maturity. There is a difference in language, and often a generational gap, that hampers understanding on both sides. Each views cybersecurity through a completely different conceptual lens.

Security professionals all too often attempt to explain risks in language that senior executives may not fully comprehend, using alien concepts and terminology. They fail to translate and communicate cybersecurity threats and vulnerabilities in terms of business enterprise risks and the potential future impact to the business unless mitigated. This is compounded by a lack of trust and a long-standing historic pattern by security professionals of using Fear, Uncertainty and Doubt, otherwise known as ‘FUD’ in these conversations.

Instead of muscling decision makers into procuring desired security tools with FUD, security professionals should define the probable costs of inaction in comparison to the costs and benefits of action. This should include objective conversations about regulatory compliance and potential penalties, protecting corporate brand image, and the cleanup, restitution and compensation costs of breaches, including loss of reputation and brand damage.

Boards need to view cybersecurity as a critical business function and a critical business-enabler in an increasingly inter-networked world. They need to educate themselves so as to be able to make informed decisions on security strategy and policy and spend. Security needs representation at the senior executive level and to make regular reports to the Board so that the Board can make appropriate enterprise risk management decisions.

There is a widespread lack of quantitative risk assessment and reporting across the industry that would enable executives and their boards to view and weigh cyber risks in the format of a more familiar-looking balance sheet, rather than in a subjective report with only limited business risk context.

Above all, organizations need a formal cybersecurity management program in which security purchasing decisions can be understood from the context of addressing enterprise risks while following a previously approved cybersecurity management plan.

A newly published Cisco whitepaper lists 10 key success factors to building a successful cybersecurity management plan. These apply not only to organizations constructing their very first formal CMP, but also to those looking to update or to maintain their existing program. When followed in order, these will position the organization well for success.

The introduction of a CMP affects virtually every individual or group in an organization, so it’s essential that the final cybersecurity management program best address everyone’s needs.

This blog is also posted at the following locations:
http://blogs.cisco.com/security/security-and-the-board
https://www.linkedin.com/pulse/security-board-richard-staynings