Picture the scene: You’re at the monthly board of directors meeting when someone asks, “So, what are you guys doing about security?”
Even two years ago, a CSA survey found that security was a board-level concern at 61% of companies. Why?
High-profile breaches have certainly made everyone conscious of cyber security issues, and as awareness and knowledge have grown, boards have begun to take a direct interest in the security of the companies they have invested in. Given that there are very real monetary and reputational consequences to a security breach, board members want to know what steps you are taking to prevent one.
These days, boards understand that moving to the cloud can help businesses save money and maximize competitive advantages. But naturally, they want to see you take a secure approach to cloud adoption and operations. So the more cloud services become a topic in board meetings, the more security will too.
Additionally, some boards have started to realize that security can be an important business booster — opening up sales opportunities, helping to close deals faster, and enhancing a company’s reputation. So they may also be asking questions about security so they can understand how it will impact sales cycles, increase market share, boost revenue, and strengthen brand.
In this climate, organizations may find themselves unprepared to answer tough questions about how they are protecting their assets, including data, intellectual property, and customer information. If your company doesn’t have good answers to board-level security questions, now is the time to begin answering them internally and figuring out how to communicate those answers back to the board.
Here’s an approach you can use to prepare your company for communicating effectively with your board.
Identify Your Internal Stakeholders
The first step to communicating where you stand security-wise is to figure out who internally is involved with (or should be involved with) security. Depending on the size and structure of your organization, this may include representatives from the following teams:
- Development / DevOps
- Executive management
Once you have selected appropriate representatives, sit down and start to assess where you stand today. To do this, you’ll want to look at security from two perspectives: risks and opportunities. This way, you can talk to the board about how you are mitigating risks — while you are also maximizing opportunities. This helps to emphasize security as a business enabler and an investment rather than just a necessary expense.
You should also appoint one person from each of the teams above who can speak in depth about security measures if and when needed. This way, if a particular area requires more subject matter expertise, you have someone on hand who can describe your approach to the board.
Make a List of Priorities
Once you have identified internal stakeholders and put together a clear picture of risks and opportunities related to security, you’ll want to prepare a prioritized list of security measures that need to be taken. This will help you communicate to the board about action items and progress, and give them a sense of confidence in the approach you are taking.
We’ve written before about where to get started with cloud security (Part 1, Part 2). We have also described how you can use Threat Stack’s recently launched Config Audit tool to establish an accurate security baseline across your AWS infrastructure. This will help you develop a focused picture of your organization’s level of security maturity, which you can, in turn, communicate to the board.
Set up a Recurring Security Council Meeting
We recommend that you set up a regular security council meeting. Depending on the size of your company and the stage of its security maturity, the frequency can vary from, say, once a week to once a month. The meeting should involve the stakeholders identified above, as well as any company executives who sit on the board. The meeting doesn’t need to be long, but it should allow for time to go through a list of items that relate to your current security posture. The topics you cover should include:
- Physical security (e.g., badge or RFID access to your office)
- IT infrastructure security
- Application security
- Customer and company data protection
- Compliance (if relevant)
Assign someone on the council to track progress against your overall security goals and to produce a brief summary of the meeting outcomes. Over the course of a month or a quarter, these summaries can be used to demonstrate to the board exactly what you are focused on and the progress you are making over time.
Appoint a Board Spokesperson
Someone who already has a seat at the board table (e.g., your CEO, CFO, or CSO) should be charged with taking the reports from your security council meetings and translating them into a concise summary for the board. Again, you may want to appoint a few internal stakeholders as spokespeople who can talk to the board in case any specific areas require a deeper dive.
Your reports may take the form of a couple of PowerPoint slides that are presented to the board in person. Depending on what type of security tools you use, you may even be able to show a checklist of actions taken along with prioritized next steps, or give them a glimpse of your security dashboard to demonstrate your security posture. Regardless of how you decide to report, keep in mind that you don’t need to be highly technical; you just need to communicate how you are addressing the relevant risks to your organization and making sure security stays top-of-mind. And, of course, the more empirical and measurable your results, the more compelling your reports will be.
Get on Their Level
Not every board member has a background in security or is even well-versed in information technology. That means there may be a knowledge gap that needs to be bridged so you can communicate what your organization is doing on the security front.
The best approach to take here is to clearly outline the biggest risks and opportunities of the cloud, and then show how you are taking steps to mitigate each of the risks. You should be prepared to answer questions (or proactively provide talking points) about the following areas:
- Security policies and governance (clear ownership and communication internally)
- Security awareness training and education (for employees, partners, and customers)
- Common threats and business risks (those unique to your company as well as those that apply to companies of your organization’s size and industry). These may include:
- Cloud services in use and their security precautions
- Sensitive data types and how they are protected
- Incident response plans and processes
- Compliance frameworks in place (and new ones that may be applicable in the future)
If you are able to communicate how your organization stacks up in each of these categories in a clear and non-technical manner, you will be well on your way to satisfying your board’s concerns around security.
Proactivity is Key
Being proactive about your security posture, and about reporting it to your board, will help them develop a clear understanding of where your organization stands, the strategy you are using to improve it, and the value security brings to the company. This, in turn, will help you win the board’s confidence along with their resources and support.