Marc Solomon writes that cybersecurity is becoming an increasingly important boardroom topic.
With members who bring technology and cybersecurity expertise, boards can start getting answers to tough questions about security controls: What controls do we have in place? How well have they been tested? Do we have a reporting process? How quickly can we detect and remediate the inevitable compromise? And perhaps the most important question: What else should we know?
With this growing interest, security leaders need to be prepared to respond.
Even if they don’t currently hold a board seat, CIOs and CISOs need to be prepared to answer these questions from the board, in terms that are meaningful to board members and that outline the business implications. They must be as comfortable speaking about business strategy as they are about technology and security strategy. New business models such as direct-to-consumer sales, expansion into new channels and regions, and shifting supply chains can create significant business opportunities but also potential risk. It is critical to address how technology and security must align to support these models, with budgetary concerns and risk management top of mind.
Technology and security leaders must also possess knowledge of regulatory requirements and standards to help the board navigate and comply with new mandates. Insights into industry and technology trends, as well as the strategies and experiences of similar organizations, give board members a frame of reference for evaluating the current security posture and validating controls.
How to communicate is important as well. Every message should be delivered clearly, briefly, and with minimal technical jargon. For example, it’s expected that CIOs and CISOs understand threats and how the most recent attacks were successful. But translating the impact of those attacks into relevant business terms such as lost revenue, productivity, or profitability will help ensure the consequences are understood. Graphical tools like executive dashboards can also help focus discussions on metrics that are most relevant to the business.
These discussions are necessary at this level to equip board members and executives to make more informed security and risk management decisions. Security leaders can treat them as opportunities to set enterprise cybersecurity expectations, and to provide the leadership needed to monitor progress against those expectations and course-correct when necessary.