In the boardroom, when it comes to addressing the topic of security, there's tension on both sides of the table.
It doesn't happen all the time, but when it does, the friction usually comes from security executives and board members, each with vastly different areas of expertise and interest, pushing to get what they want out of the discussion while keeping business goals intact.
Stephen Boyer, the co-founder and CTO of BitSight Technologies, a company that uses public data to rate the security performance of an organization, shared some thoughts with CSO recently, geared towards moving the discussions forward past the deadlock.
Since there are two sides to the issue, Boyer shared two sets of tips: one for the board and the other for the executives speaking to it.
As a board member
Frame expectations clearly
Communication goes both ways. It's essential to make sure the security team understands what information is required, how discussions should be framed, and the level of abstraction you require to make decisions. Otherwise, you risk sitting through conversations that fail to address the issues the business cares about most.
"In no way should every board member have to act as a security expert. But, in today's world, cyber risks are a major part of managing risk in a business. Therefore board members need to make it known what they see as critical and how to begin those conversations," Boyer explained.
Are you talking about security or risk?
Performance is important, but instead of focusing on specific technologies, policies and procedures, evaluate what the business is doing to proactively mitigate cyber risks and what those risk levels are.
For example, are there risks in the supply chain that your organization could be ignoring? With each strategic decision made, are the organization's risks increasing or decreasing?
"Understanding the security performance of a company is important, but managing the risks associated with security is crucial. As in other business areas, boards need to be aware of the sources of risk and communicate clearly what is acceptable for the business. From there, it's not up to the board to dictate what technologies and policies should be in place, but to guide their teams when it's necessary to take action to reduce or transfer security risks," Boyer said.
Decide on the key indicators you want to monitor and be consistent
You don't need to be in the trenches to understand security posture if you choose the right data points to assess. Work with your team to choose meaningful, data-driven metrics that demonstrate both performance and effectiveness, and then track the same metrics from one meeting to the next. It matters less how frequently you are attacked if your team is effectively remediating threats before they become an issue.