Should your board of directors be managing your security?
This is not a rhetorical question. Ensuring a good security posture requires that your board of directors and senior management are on board and support your efforts at securing corporate data.
Let’s pose a few questions:
Why do you want your board of directors involved?
One fundamental reason is to give your board 'peace of mind'. Involving them fulfills their due diligence obligation and demonstrates a standard of due care.
Involving your board also aligns senior management with your security program, and aligns external and internal auditors with your security initiatives and priorities. It also reduces friction, because board commitments, risk tolerance parameters and representations are taken seriously by senior management and other stakeholders.
Why should your board be concerned?
As the recent Target credit card breach demonstrated, security and privacy breaches can have a significant and material financial impact on a business. Cyber threats and breaches are increasing in complexity, frequency and magnitude. Examples of risks associated with cyber threats include:
- Compromised customer data
- Diminished brand and reputation
- Loss of investor and consumer confidence and loyalty
- Stolen sensitive intellectual property
- Compliance and regulatory sanctions
- Network or systems outages and down time
The board of directors and senior management have a significant responsibility to understand and support their organization's security and privacy posture. In addition, they set the risk tolerance level for the organization, whether implicitly or explicitly. Finally, they are responsible for ensuring that those empowered to make information security risk decisions on behalf of the company stay within those risk tolerance parameters.
How should you align security to your business?
Aligning security to the business is key to gaining the support of your board and senior management. Document how information security projects and initiatives are aligned with the organization's strategic business objectives. Your information security strategy should have a forward-looking aspect that embeds information security into the business and IT planning process and focuses on emerging trends and technology to address evolving risks and business changes.
You should also show how information security contributes to the organization's success. Explain the role of information security in addressing market, privacy, technology and regulatory risks. Illustrate how information security will enable business objectives and initiatives. Highlight how effective security governance can serve the interests of all stakeholders (e.g. customers, business units, employees, auditors) in a cost-effective manner. Reflect the organization's risk appetite, and be consistent with how other types of risk (operational, financial, market) are managed and reported in the organization.
My next post will talk about how to benchmark your security posture, align your information security posture with business objectives, establish a risk assumption framework to resolve contested risk issues effectively, and report and communicate with your board and senior management.