Educating the Board of Directors on Information Security

June 3, 2021 | By IANS Faculty

For CISOs, explaining information security to the board of directors and aligning enterprise information security activities with board-level input can be challenging. Consider starting by gaining an understanding of what the board’s information security concerns are. Then, you can use that understanding as the fulcrum to ensure the board receives information relevant to those concerns and can put them into proper context.

Start with the Fundamentals of Information Security

Everything we do in information security involves managing risks. Since risk management is the foundation for information security – including deciding what to spend money and resources on – we need to do three things to ensure the foundation is firm:

  • Know the risks and their relative severity.
  • Ensure each risk is appropriately owned and addressed (accepted, rejected, transferred, mitigated). In a broader sense, this is the “governance” aspect of the risk management program.
  • Define and report on metrics to measure how the program is operating.

Consider the first element. A significant challenge is knowing, with confidence, what your information security risks really are and getting alignment internally, so the risks you believe to be the worst are indeed what the business units and executive leadership (including the board of directors) also believe.

The key here is to think beyond technical risks and consider management risks relevant to information security. For example, if information security risks are not properly owned (i.e., lack an appropriate accountable party), they are orphans and are likely to languish. Lack of strong ownership is itself a big management risk.

Help the Board Understand Information Security

Tackling the challenge of identifying risks and establishing their severity is not easy. Few people (the board included) understand information security covers the confidentiality, integrity and availability (CIA) of data. They are often familiar with the confidentiality element (which includes access control, data protection, etc.), but less so with integrity or availability.

It can be an eye-opening moment when executives suddenly discover that business continuity (availability – a very big topic owing to COVID-19) and financial data protections against unauthorized alteration (integrity) are both part of the information security framework. And their eyes grow even wider when learning information security risk management is, in part, striking the right balance among those elements, because the more you emphasize one (e.g., availability), the harder is to achieve the others (confidentiality and/or integrity), and vice versa.

Often, information security risks are recorded in a risk inventory or risk register. But how did those risks wind up there? Should you simply repeat the Center for Internet Security (CIS) Top 20 controls or something similar? (That can be a good starting point, but it reflects risk across all companies, not your specific enterprise.) Are risks inferred from data on what other companies spend on information security? (Again, such data is very useful, but may or may not be relevant to your specific circumstances.)

Building risks like that can be misleading. Instead, you should consider building a risk register. Focus first on eliciting the views of executives and business unit leaders, and then translate those views into information security risks, followed by building metrics that tie to those risks, and ultimately constructing a budget based on mitigating the worst risks.

This can be a good point of departure for explaining information security to the board. Consider, explaining that security:

  • Covers the CIA of data.
  • Is all based on risk management.

Inform how it starts with knowing and understanding our information security risks, and that is best done by listening first to the worries of the executive leadership (and in this case, the board itself), and building the risks based on those worries and hence building the presentation also on those worries.

Information Security & Business Alignment

Proceeding in this manner connects information security risks and executive areas of concern. That alignment can help facilitate asking for resources to mitigate risks. This process will tease out misconceptions between what executives may or may not worry about, and the most significant information security risks confronting the enterprise. It can also lay bare disparities within the executive ranks – i.e., the distribution of worries, which will show whether most executives are worried about the same things or a wide variety of things (the latter situation could make it especially difficult to construct an information security program, since executive thinking is all over the map).

If you look at this through another lens, you are not trying to get the board’s agreement on a list of risks; you are not trying to sell them on anything other than the idea that their worries need to be heard and understood, and then translated into risks. That can help put you in a strong position because you are not bringing a pre-ordained agenda to the table.

Understand Concerns of the Board of Directors

Once you have the board focused on the importance of information security risk management as the centerpiece for everything, you are now positioned to focus on the risks relevant to the board’s worst worries – and to juxtapose those against what the executive leadership of the company may worry about, which could be the same or very different. It is possible for the board, comprising members who have experience in other industries, has a very different perspective on information security than the company’s executives.

Approaching this entire topic from this “convert worries into risks and focus on the risks” perspective is to help identify what, in the very limited time you have with the board, is most likely to resonate and capture their attention. As we all know, there are a million and one things information security professionals can teach executives who are unfamiliar with information technology in general and information security (cybersecurity) in particular. Without knowing what their worries are, you may or may not hit topics that resonate with them.

If some board members are very worried about a potential phishing attack, great. You can talk about all the evil things that can happen (malware being implanted and spreading, passwords being stolen, funds being dispersed to fake accounts, etc.) and what the enterprise can or should be doing to guard against that (e.g., patching systems to guard against malware penetration and spread, training employees and using phishing campaigns, building safeguards into critical transactions and business processes so that a single person can’t disperse funds without checking with someone else, etc.).

If a board member is worried about compromise of sensitive information, you can cover all of the ways that can happen, ranging from an external attack to a malicious insider, to an innocent error, and what the enterprise is or should be doing to guard against those things.

Bottom line: Align what you are teaching with what their worries are, and what your risk calculus is.

Often board members want to hear about what your competitors are or are not doing, and how your company measures up against its competitors. To the extent you know this, you should also report that information.

Also, board members often want to hear about actual incidents, not just conjectural risks. If you have had actual incidents, these can be a gold mine of experience to help focus the board on what is really happening. Nothing concentrates one’s mind better than real events.

How to Explain Information Security to the Board

When explaining information security concepts to the board, try to use simple analogies to real life, such as risk mitigation when driving (using seat belts and airbags – multiple lines of defense), or the measures one takes to protect one’s home from burglars (e.g., locked doors – but who has the key(s)?; or keeping a low profile so your neighbor’s house looks like a more attractive target, etc.).

In that same vein, try to relate what you are explaining to behaviors that are good for them to practice in their private lives. For example, they should pick long passwords, don’t use the same password in multiple environments or applications, don’t share their password, and don’t use devices available to the public (because they may have malware on them), etc.

Second, deal with the fatalistic views some members may have (e.g., the bad guys will always get through, so why spend so much money trying to stop the inevitable?). The answer is: everything is risk management. The goal is to pay enough money to reduce risks to levels the executives find tolerable – which can include, of course, not just staying out the newspaper, but meeting government regulatory obligations and contractual obligations such as those imposed by the Payment Card Industry (PCI). One cannot eliminate risk, but one can reduce it.

Third, explain that information security spending is not like insurance. Insurance aims to make the insured party whole in the event of a covered accident. But spending money on cyber insurance does not reduce the likelihood or consequences of an accident; it just compensates for the consequences. Spending money on information security does reduce the likelihood and the consequences of a security incident.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.

Looking for additional IANS Faculty insights and resources?

Learn how IANS can help you and your security team.