With members that bring both technology and cybersecurity expertise, boards can start getting the answers to tough questions about security controls: What controls do we have in place? How well have they been tested? Do we have a reporting process? How quickly can we detect and remediate the inevitable compromise? And perhaps, the most important question: What else should we know?
Even if they don't currently hold a board seat, CIOs and CISOs need to be prepared to answer these questions from the board, in terms that are meaningful to board members, and outline business implications. They must be equally comfortable speaking about business strategy as they are about technology and security strategy. New business models such as direct to consumer, expansion into new channels and regions and shifting supply chains can create significant business opportunities but also potential risk. Addressing how technology and security must align to support these models with budgetary concerns and risk management top of mind is critical.
Technology and security leaders must also possess knowledge of regulatory requirements and standards to help the board navigate and comply with new mandates. Insights into industry and technology trends, as well as strategies and experiences of similar organisations help provide board members with a frame of reference to evaluate current security postures and validate controls.
Translating security into business
How to communicate is important as well. Every message should be delivered clearly, briefly and with minimal technical jargon. For example, it's expected that CIOs and CISOs understand threats and how the most recent attacks were successful. But translating the impact of those attacks into relevant business terms such as lost revenue, productivity, or profitability will help ensure the consequences are understood. Graphical tools like executive dashboards can also help focus discussions on metrics that are most relevant to the business.
Cybersecurity as a boardroom topic is not only a good thing, it is necessary. As defenders, it gives us an opportunity to better educate the highest levels of leadership on the cybersecurity issues facing the business. With that knowledge, boards are equipped to make more informed security and risk management decisions and, together, we can better protect valuable assets while achieving business goals.