A panel of security professionals discuss the top three tips for how CISOs and risk officers can help improve board communication around security
CISOs and other executives are tasked with keeping the board of directors up-to-date on security-related matters. The board may not require granular details, but whether it's a report on the company's overall security posture, an analysis of the current threat landscape, an update to the organization's threat detection and response plan, or other broad policy matters, there's a lot to keep the board informed of. And when an organization is subject to regulations like PCI-DSS, SOX, HIPAA, or the GDPR, the board of directors may be hyper-vigilant and want more frequent updates on security and compliance issues to protect the organization's interests – and avoid costly consequences of non-compliance.
So, whether you're keeping the board informed of run-of-the-mill security concerns or providing detailed reports on how the company maintains regulatory compliance, improving board communication around security is a top concern for today's executives. To help you better communicate pressing security matters, we reached out to a panel of security leaders and asked them to answer this question:
"WHAT ARE YOUR TOP THREE TIPS FOR IMPROVING BOARD COMMUNICATION AROUND SECURITY?"
Avani Desai, President of Schellman & Company, LLC responds:
- Provide Metrics or a Progress Report - Progress reports are vital to communicate the changing situation of security concerns and remedies within an organization. They can inform security strategy going forward. Board members are likely to want to see how the company's cybersecurity policies are implemented and progressing. For example, if you've explained your company's vulnerabilities, the Board will want to see the progress in closing off those vulnerable areas. If possible, provide the Board with regular metrics on vulnerability scans, the network of known and authenticated devices and software or business measures quarterly.
- Know the CEO - The CEO will often be the person who delivers information about cybersecurity to your organization's Board. Keeping the CEO (or whomever relates this information to the Board) abreast of cybersecurity issues and company vulnerabilities is a vital part of the communication channel; hold regular forums where you can discuss security trends and threats.
- Get Everyone Involved - Cybersecurity protection needs to be handled in a holistic manner. The problems we face as organizations when managing the challenge of security and compliance do not just fall on the shoulders of one employee or department – it's a companywide effort, with employees across the organization playing an important role in security. When communicating this to Board members, make sure stakeholders from your legal, risk and PR departments understand their respective roles and can proficiently execute them both to prevent a breach and to mitigate the loss experienced when there is one.