SlideShare ist ein Scribd-Unternehmen logo

Board Security Risks in Business Terms

B
Bilha Diaz

This document provides guidance for chief information security officers (CISOs) on engaging with their organization's board of directors regarding cybersecurity. It notes that boards are increasingly involved in overseeing security due to regulatory pressures and high-profile data breaches. The document offers advice on how CISOs can establish effective communication with boards, including translating technical security topics into business impacts and risks, benchmarking the organization's security posture against industry peers, and quantifying security issues and their associated costs and risk exposure. The goal is for CISOs to gain board support for their security programs and help boards understand security's strategic importance in reducing risks to the business.

1 von 3
Downloaden Sie, um offline zu lesen
Speaking to the Board of Directors About Security | White Paper Speaking to the Board of Directors About Security Today's threat landscape has caused the paths of the Board of Directors and the CISO to intersect on a more frequent basis. Regulatory environments, FCC pressure and best practices have all impacted the Board of Directors, increasing their involvement in security and risk. Additionally, board members have seen what has happened when a company experiences a breach, when security was not a priority, and how these breaches have led to significantly damaging legal, financial and reputation consequences to the organization. This has led to many Board of Directors delving into cyber security risk and taking a more proactive stance. A recent SANS webinar with Carol Mills of WhiteHat Security's Board of Directors, vAmour's CISO Demetrios Lazarikos (Laz) and John Pescatore of SANS, dove deep into the increasingly important topic of speaking to the Board of Directors about security. The transcription of the webinar is what inspired this Q&A whitepaper. Q Why should a CISO want to talk to the Board of Directors Having CISO's presence with the Board of Directors will give the Board the visibility they need to provide support to a successful Information Security program. They need to understand what is at risk for their organization quantified in dollars, and need to be informed on what is happening in the environment that the CISO is working in. Q What could it mean if the Board of Directors is not talking to the CISO If a CISO is not being asked to present in front of the Board of Directors, it is likely that one of two possible things is happening. The first scenario is that the Board of Directors are getting their information some other way, possibly from an external expert or someone who is less informed about the security infrastructure and ongoings of the organization. This could mean the proper information is not being conveyed, and the Board of Directors has the wrong perception regarding the organization's Information Security program and current risk levels. The second possible explanation is that the maturity of the Board of Directors, and the maturity of the organization's InfoSec program, hasn't evolved to the point where security is in their line of sight. This could lead to a lack of support for the organization's InfoSec program, lack of awareness of the organization's risk posture and lack of proper measures being taken to ensure security. If a CISO has not been placed on the agenda for the Board of Directors, then the Board is lacking in their duties. If the CISO isn't the person presenting and answering questions relative to security and risk, then who is If the CISO is not part of developing what is being presented to the Board, things can get lost in translation.
Q Who usually gets the Board of Directors talking about security The eneral Council typically informs the Board of Directors on developments in best practices, regulatory environment and on going Board of Directors structure. If the Board does not already have a risk committee, the eneral Council would likely be the person advising that security be added to the agenda. Additionally, as part of the financial and fiscal responsibilities of the Board of Directors, there are likely private sessions between the CFO and the different audit committees of the Board to discuss internal audits and processes. Q How can the CISO get the Board of Directors to start speaking about security The CISO should suggest that an internal security audit of the organization could provide the Board with an understanding of where the organization is in the maturity model from an Information Security standpoint. Additionally, the results can be incorporated into the recurring presentation to the Board of Directors, establishing security as a regular topic. The caveat here, as a CISO, would be to prepare to address questions regarding security events and performance if there is an increase in attacks or if performance is poor. The key thing not to do to get the Board of Directors speaking about security is to go directly to the Board. oing around the eneral Council, C O or CFO can damage the relationship and lead to lack of confidence in the CISO. Q What should the CISO know before presenting to the Board of Directors Before presenting security to the Board of Directors, a CISO needs to understand the way risk is already being presented to the Board. Former Board decks or audit forms regarding risk from the eneral Council will provide guidance and direction. These reports should be used to comprise a framework about cyber risk, similar to the way the Board has seen other types of risk presented. Once you have established a successful framework when presenting to the Board, do not continue to change it. Maintain a similar framework as you continue to meet. The CISO needs to develop an understanding of what is driving the business, how the organization makes money and how the organization operationalizes and supports their existing or new clients. With that information, the CISO should be able to put Information Security into terms that the Board of Directors can relate to and be familiar with. Q What else should the CISO take into consideration when presenting to the Board of Directors Boards of Directors often think about spend, along with many other factors, as it relates to industry norms and how the competition is performing. The CISO should leverage the interest in benchmarking and present how the organization is performing as it relates to the industry, if the organization is behind the curve, if they are spending more or less than their peers and if the organization is more vulnerable.
Q: What should be discussed and what information can influence the Board of Directors? Members of the Board are intelligent and experienced in finance, business and strategy. These roles rarely include experience in cybersecurity and it is very likely that they do not have the background to understand the technical nature of Information Security. As a result, the discussion should not be a technical one; it should be a discussion about risk, loss and reducing loss exposure, expressed in business terms. Everything needs to be translated from the security perspective to what is happening at the Board level in terms they are familiar with without overwhelming them with technical terminology or appearing condescending. What should be presented to the Board of Directors is how the actions of the security team enable business initiatives and how they tie into the goals of the company. These presentations should demonstrate that these efforts could result in increased revenue, profit, market share, market penetration, and increased efficiency, similar to how other divisions in the business and the operations side of the organization would present to the Board. This discussion should include warnings of upcoming changes, threats and financial results if risk levels continue to rise, provide recommendations on actions required to avoid information loss, and demonstrate what is being done to prevent attacks or deal with attacks more quickly and efficiently. Information regarding what percent of the business is secure, if the data hosted is strongly protected (i.e. encryption, authentication, servers, networks, operating tools and applications, etc.) and what percent of the people and suppliers have been reviewed for security will demonstrate the value that the Information Security team provides to the organization. Additionally, the CISO Should prepare a dashboard of the major critical issues, minor issues, related loss exposure to those issues, what is being done today and over the next n months to address and resolve those issues, and what it would take financially to resolve them. These details, along with metrics demonstrating the strength of the Information Security program, the number of attacks the site is experiencing and the frequency of those events, will provide the Board of Directors a quantifiable measure of the performance of the Information Security program and actionable suggestions to support and improve the program. When speaking to the Board of Directors, it is essential to tie lower level technical security details together for a high level abstraction and translate them to be more meaningful. Q: What should the CISO's goal be in presenting to the Board of Directors? The goal in presenting security to the Board is to drive change that will increase the effectiveness of what is being done to reduce risk, to get their backing and to help them realize the strategic importance of security. A CISO should aim to say, "We are maintaining the same level of protection, keeping risk at a constant level while using less resources," or, "With risk increasing and with the increase in resources we've been given, we have been able to reduce risk to a tolerable level." The end result of this conversation is not necessarily to increase budget, but to gain support that would prevent impact to the business. This should be explained in terms of risk and expense calculations. This needs to cause the Board to consider what and how much they are willing to lose. 25 WhiteHat Security, Inc. Freedom Circle Santa Clara, CA . . . www.whitehatsec.com WhiteHat Security, Inc. All rights reserved. WhiteHat Security and the WhiteHat Security logo are registered trademarks of WhiteHat Security, Inc. All other trademarks are the property of their respective owners.

Empfohlen

CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015Scott Smith
 
Weakest links of an organization's Cybersecurity chain
Weakest links of an organization's Cybersecurity chainWeakest links of an organization's Cybersecurity chain
Weakest links of an organization's Cybersecurity chainSanjay Chadha, CPA, CA
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015John Budriss
 
10 Questions for the C-Suite in Assessing Cyber Risk
10 Questions for the C-Suite in Assessing Cyber Risk10 Questions for the C-Suite in Assessing Cyber Risk
10 Questions for the C-Suite in Assessing Cyber RiskMark Gibson
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
Cyber Risks - Maligec and Eskins
Cyber Risks - Maligec and EskinsCyber Risks - Maligec and Eskins
Cyber Risks - Maligec and EskinsChristine Maligec, CRM-E, CRIS
 
Cybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of DirectorsCybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of DirectorsPaul Feldman
 
For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10David X Martin
 

Empfohlen

CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015Scott Smith
 
Weakest links of an organization's Cybersecurity chain
Weakest links of an organization's Cybersecurity chainWeakest links of an organization's Cybersecurity chain
Weakest links of an organization's Cybersecurity chainSanjay Chadha, CPA, CA
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015John Budriss
 
10 Questions for the C-Suite in Assessing Cyber Risk
10 Questions for the C-Suite in Assessing Cyber Risk10 Questions for the C-Suite in Assessing Cyber Risk
10 Questions for the C-Suite in Assessing Cyber RiskMark Gibson
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
Cyber Risks - Maligec and Eskins
Cyber Risks - Maligec and EskinsCyber Risks - Maligec and Eskins
Cyber Risks - Maligec and EskinsChristine Maligec, CRM-E, CRIS
 
Cybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of DirectorsCybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of DirectorsPaul Feldman
 
For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10David X Martin
 
From checkboxes to frameworks
From checkboxes to frameworksFrom checkboxes to frameworks
From checkboxes to frameworksAndréanne Clarke
 
To Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great CollaboratorsTo Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great CollaboratorsElizabeth Dimit
 
Sans 20 CSC: Connecting Security to the Business Mission
Sans 20 CSC: Connecting Security to the Business MissionSans 20 CSC: Connecting Security to the Business Mission
Sans 20 CSC: Connecting Security to the Business MissionTripwire
 
Finding a strategic voice
Finding a strategic voiceFinding a strategic voice
Finding a strategic voiceIBM India Smarter Computing
 
Leveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityLeveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityShareDocView.com
 
Streamline Compliance and Increase ROI White Paper
Streamline Compliance and Increase ROI White PaperStreamline Compliance and Increase ROI White Paper
Streamline Compliance and Increase ROI White PaperNetIQ
 
Cybersecurity in the Boardroom
Cybersecurity in the BoardroomCybersecurity in the Boardroom
Cybersecurity in the BoardroomMarko Suswanto
 
Cyber_Security_Action_Plan_2016
Cyber_Security_Action_Plan_2016Cyber_Security_Action_Plan_2016
Cyber_Security_Action_Plan_2016John T. Araneo
 
ERM: DIFFERENCES BETWEEN SECTORS
ERM: DIFFERENCES BETWEEN SECTORSERM: DIFFERENCES BETWEEN SECTORS
ERM: DIFFERENCES BETWEEN SECTORSMichel Rochette
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The Economist Media Businesses
 
GRC15620_Report_-_Third_party_risk_exposing_the_gaps
GRC15620_Report_-_Third_party_risk_exposing_the_gapsGRC15620_Report_-_Third_party_risk_exposing_the_gaps
GRC15620_Report_-_Third_party_risk_exposing_the_gapsKate Tomlinson
 
The case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmThe case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmDavid Sweigert
 
Why does-your-company-need-a-third-party-risk-management-program
Why does-your-company-need-a-third-party-risk-management-programWhy does-your-company-need-a-third-party-risk-management-program
Why does-your-company-need-a-third-party-risk-management-programCharles Steve
 
Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise The Economist Media Businesses
 
Common Objectives of the CRO and the CAE
Common Objectives of the CRO and the CAECommon Objectives of the CRO and the CAE
Common Objectives of the CRO and the CAEWheelhouse Advisors LLC
 
Cyber security: Five leadership issues worthy of board and executive attention
Cyber security: Five leadership issues worthy of board and executive attentionCyber security: Five leadership issues worthy of board and executive attention
Cyber security: Five leadership issues worthy of board and executive attentionRamón Gómez de Olea y Bustinza
 
The C-suite, the Board and Cyber-defense
The C-suite, the Board and Cyber-defenseThe C-suite, the Board and Cyber-defense
The C-suite, the Board and Cyber-defenseThe Economist Media Businesses
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesSlideTeam
 
Top 10 Annual Events in Nashville, TN, PowerPoint
Top 10 Annual Events in Nashville, TN, PowerPointTop 10 Annual Events in Nashville, TN, PowerPoint
Top 10 Annual Events in Nashville, TN, PowerPointBookUrban
 
Bob West - Educating the Board of Directors
Bob West - Educating the Board of DirectorsBob West - Educating the Board of Directors
Bob West - Educating the Board of Directorscentralohioissa
 
Taking it to the Top: How to Speak Digital with the Board of Directors
Taking it to the Top: How to Speak Digital with the Board of DirectorsTaking it to the Top: How to Speak Digital with the Board of Directors
Taking it to the Top: How to Speak Digital with the Board of DirectorsApigee | Google Cloud
 
NCUA Board of Directors Policies - Required Policies and Risk Assessment
NCUA Board of Directors Policies - Required Policies and Risk AssessmentNCUA Board of Directors Policies - Required Policies and Risk Assessment
NCUA Board of Directors Policies - Required Policies and Risk AssessmentE Andrew Keeney
 

Weitere ähnliche Inhalte

Was ist angesagt?

From checkboxes to frameworks
From checkboxes to frameworksFrom checkboxes to frameworks
From checkboxes to frameworksAndréanne Clarke
 
To Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great CollaboratorsTo Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great CollaboratorsElizabeth Dimit
 
Sans 20 CSC: Connecting Security to the Business Mission
Sans 20 CSC: Connecting Security to the Business MissionSans 20 CSC: Connecting Security to the Business Mission
Sans 20 CSC: Connecting Security to the Business MissionTripwire
 
Leveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityLeveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityShareDocView.com
 
Streamline Compliance and Increase ROI White Paper
Streamline Compliance and Increase ROI White PaperStreamline Compliance and Increase ROI White Paper
Streamline Compliance and Increase ROI White PaperNetIQ
 
Cybersecurity in the Boardroom
Cybersecurity in the BoardroomCybersecurity in the Boardroom
Cybersecurity in the BoardroomMarko Suswanto
 
Cyber_Security_Action_Plan_2016
Cyber_Security_Action_Plan_2016Cyber_Security_Action_Plan_2016
Cyber_Security_Action_Plan_2016John T. Araneo
 
ERM: DIFFERENCES BETWEEN SECTORS
ERM: DIFFERENCES BETWEEN SECTORSERM: DIFFERENCES BETWEEN SECTORS
ERM: DIFFERENCES BETWEEN SECTORSMichel Rochette
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The Economist Media Businesses
 
GRC15620_Report_-_Third_party_risk_exposing_the_gaps
GRC15620_Report_-_Third_party_risk_exposing_the_gapsGRC15620_Report_-_Third_party_risk_exposing_the_gaps
GRC15620_Report_-_Third_party_risk_exposing_the_gapsKate Tomlinson
 
The case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmThe case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmDavid Sweigert
 
Why does-your-company-need-a-third-party-risk-management-program
Why does-your-company-need-a-third-party-risk-management-programWhy does-your-company-need-a-third-party-risk-management-program
Why does-your-company-need-a-third-party-risk-management-programCharles Steve
 
Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise The Economist Media Businesses
 
Common Objectives of the CRO and the CAE
Common Objectives of the CRO and the CAECommon Objectives of the CRO and the CAE
Common Objectives of the CRO and the CAEWheelhouse Advisors LLC
 
Cyber security: Five leadership issues worthy of board and executive attention
Cyber security: Five leadership issues worthy of board and executive attentionCyber security: Five leadership issues worthy of board and executive attention
Cyber security: Five leadership issues worthy of board and executive attentionRamón Gómez de Olea y Bustinza
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesSlideTeam
 

Was ist angesagt? (18)

From checkboxes to frameworks
From checkboxes to frameworksFrom checkboxes to frameworks
From checkboxes to frameworks
 
To Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great CollaboratorsTo Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
 
Sans 20 CSC: Connecting Security to the Business Mission
Sans 20 CSC: Connecting Security to the Business MissionSans 20 CSC: Connecting Security to the Business Mission
Sans 20 CSC: Connecting Security to the Business Mission
 
Finding a strategic voice
Finding a strategic voiceFinding a strategic voice
Finding a strategic voice
 
Leveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityLeveraging Board Governance for Cybersecurity
Leveraging Board Governance for Cybersecurity
 
Streamline Compliance and Increase ROI White Paper
Streamline Compliance and Increase ROI White PaperStreamline Compliance and Increase ROI White Paper
Streamline Compliance and Increase ROI White Paper
 
Cybersecurity in the Boardroom
Cybersecurity in the BoardroomCybersecurity in the Boardroom
Cybersecurity in the Boardroom
 
Cyber_Security_Action_Plan_2016
Cyber_Security_Action_Plan_2016Cyber_Security_Action_Plan_2016
Cyber_Security_Action_Plan_2016
 
ERM: DIFFERENCES BETWEEN SECTORS
ERM: DIFFERENCES BETWEEN SECTORSERM: DIFFERENCES BETWEEN SECTORS
ERM: DIFFERENCES BETWEEN SECTORS
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...
 
GRC15620_Report_-_Third_party_risk_exposing_the_gaps
GRC15620_Report_-_Third_party_risk_exposing_the_gapsGRC15620_Report_-_Third_party_risk_exposing_the_gaps
GRC15620_Report_-_Third_party_risk_exposing_the_gaps
 
The case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmThe case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firm
 
Why does-your-company-need-a-third-party-risk-management-program
Why does-your-company-need-a-third-party-risk-management-programWhy does-your-company-need-a-third-party-risk-management-program
Why does-your-company-need-a-third-party-risk-management-program
 
Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise
 
Common Objectives of the CRO and the CAE
Common Objectives of the CRO and the CAECommon Objectives of the CRO and the CAE
Common Objectives of the CRO and the CAE
 
Cyber security: Five leadership issues worthy of board and executive attention
Cyber security: Five leadership issues worthy of board and executive attentionCyber security: Five leadership issues worthy of board and executive attention
Cyber security: Five leadership issues worthy of board and executive attention
 
The C-suite, the Board and Cyber-defense
The C-suite, the Board and Cyber-defenseThe C-suite, the Board and Cyber-defense
The C-suite, the Board and Cyber-defense
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
 

Andere mochten auch

Top 10 Annual Events in Nashville, TN, PowerPoint
Top 10 Annual Events in Nashville, TN, PowerPointTop 10 Annual Events in Nashville, TN, PowerPoint
Top 10 Annual Events in Nashville, TN, PowerPointBookUrban
 
Bob West - Educating the Board of Directors
Bob West - Educating the Board of DirectorsBob West - Educating the Board of Directors
Bob West - Educating the Board of Directorscentralohioissa
 
Taking it to the Top: How to Speak Digital with the Board of Directors
Taking it to the Top: How to Speak Digital with the Board of DirectorsTaking it to the Top: How to Speak Digital with the Board of Directors
Taking it to the Top: How to Speak Digital with the Board of DirectorsApigee | Google Cloud
 
NCUA Board of Directors Policies - Required Policies and Risk Assessment
NCUA Board of Directors Policies - Required Policies and Risk AssessmentNCUA Board of Directors Policies - Required Policies and Risk Assessment
NCUA Board of Directors Policies - Required Policies and Risk AssessmentE Andrew Keeney
 
Managing Risk - The Board and Cyber Security
Managing Risk - The Board and Cyber SecurityManaging Risk - The Board and Cyber Security
Managing Risk - The Board and Cyber SecuritySophia Stefanatto
 
Cybersecurity Legal Issues: What You Really Need to Know
Cybersecurity Legal Issues: What You Really Need to KnowCybersecurity Legal Issues: What You Really Need to Know
Cybersecurity Legal Issues: What You Really Need to KnowShawn Tuma
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityKaryl Scott
 
who_runs_silicon_valley-board_of_directors_edition_w17115 (1)
who_runs_silicon_valley-board_of_directors_edition_w17115 (1)who_runs_silicon_valley-board_of_directors_edition_w17115 (1)
who_runs_silicon_valley-board_of_directors_edition_w17115 (1)Mark Lonergan
 
Board and Cyber Security
Board and Cyber SecurityBoard and Cyber Security
Board and Cyber SecurityLeon Fouche
 
NextLevel Cyber Security Executive Briefing
NextLevel Cyber Security Executive BriefingNextLevel Cyber Security Executive Briefing
NextLevel Cyber Security Executive BriefingJoe Nathans
 
Cybersecurity op de bestuurstafel
Cybersecurity op de bestuurstafelCybersecurity op de bestuurstafel
Cybersecurity op de bestuurstafelSURFnet
 
Being the best cybersecurity strategy - Failing Forward
Being the best cybersecurity strategy - Failing ForwardBeing the best cybersecurity strategy - Failing Forward
Being the best cybersecurity strategy - Failing ForwardJames DeLuccia IV
 
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomSecuring the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomIBM Security
 
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...Shawn Tuma
 
How to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience
How to Steer Cyber Security with Only One KPI: The Cyber Risk ResilienceHow to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience
How to Steer Cyber Security with Only One KPI: The Cyber Risk ResiliencePriyanka Aash
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boardsPaul McGillicuddy
 

Andere mochten auch (16)

Top 10 Annual Events in Nashville, TN, PowerPoint
Top 10 Annual Events in Nashville, TN, PowerPointTop 10 Annual Events in Nashville, TN, PowerPoint
Top 10 Annual Events in Nashville, TN, PowerPoint
 
Bob West - Educating the Board of Directors
Bob West - Educating the Board of DirectorsBob West - Educating the Board of Directors
Bob West - Educating the Board of Directors
 
Taking it to the Top: How to Speak Digital with the Board of Directors
Taking it to the Top: How to Speak Digital with the Board of DirectorsTaking it to the Top: How to Speak Digital with the Board of Directors
Taking it to the Top: How to Speak Digital with the Board of Directors
 
NCUA Board of Directors Policies - Required Policies and Risk Assessment
NCUA Board of Directors Policies - Required Policies and Risk AssessmentNCUA Board of Directors Policies - Required Policies and Risk Assessment
NCUA Board of Directors Policies - Required Policies and Risk Assessment
 
Managing Risk - The Board and Cyber Security
Managing Risk - The Board and Cyber SecurityManaging Risk - The Board and Cyber Security
Managing Risk - The Board and Cyber Security
 
Cybersecurity Legal Issues: What You Really Need to Know
Cybersecurity Legal Issues: What You Really Need to KnowCybersecurity Legal Issues: What You Really Need to Know
Cybersecurity Legal Issues: What You Really Need to Know
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber Security
 
who_runs_silicon_valley-board_of_directors_edition_w17115 (1)
who_runs_silicon_valley-board_of_directors_edition_w17115 (1)who_runs_silicon_valley-board_of_directors_edition_w17115 (1)
who_runs_silicon_valley-board_of_directors_edition_w17115 (1)
 
Board and Cyber Security
Board and Cyber SecurityBoard and Cyber Security
Board and Cyber Security
 
NextLevel Cyber Security Executive Briefing
NextLevel Cyber Security Executive BriefingNextLevel Cyber Security Executive Briefing
NextLevel Cyber Security Executive Briefing
 
Cybersecurity op de bestuurstafel
Cybersecurity op de bestuurstafelCybersecurity op de bestuurstafel
Cybersecurity op de bestuurstafel
 
Being the best cybersecurity strategy - Failing Forward
Being the best cybersecurity strategy - Failing ForwardBeing the best cybersecurity strategy - Failing Forward
Being the best cybersecurity strategy - Failing Forward
 
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomSecuring the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
 
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
 
How to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience
How to Steer Cyber Security with Only One KPI: The Cyber Risk ResilienceHow to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience
How to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boards
 

Ähnlich wie Board Security Risks in Business Terms

Cyber security: five leadership issues worthy of Board and executive attention
Cyber security: five leadership issues worthy of Board and executive attentionCyber security: five leadership issues worthy of Board and executive attention
Cyber security: five leadership issues worthy of Board and executive attentionRamón Gómez de Olea y Bustinza
 
Cyber presentation spet 2019 v8sentfor upload
Cyber presentation spet 2019 v8sentfor uploadCyber presentation spet 2019 v8sentfor upload
Cyber presentation spet 2019 v8sentfor uploadsavassociates1
 
Insights from the IBM Chief Information Security Officer Assessment
Insights from the IBM Chief Information Security Officer AssessmentInsights from the IBM Chief Information Security Officer Assessment
Insights from the IBM Chief Information Security Officer AssessmentIBM Security
 
Credit Union Cyber Security
Credit Union Cyber SecurityCredit Union Cyber Security
Credit Union Cyber SecurityStacy Willis
 
Four Key Attributes of a Successful CISO.pdf
Four Key Attributes of a Successful CISO.pdfFour Key Attributes of a Successful CISO.pdf
Four Key Attributes of a Successful CISO.pdfEnterprise Insider
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityRahul Tyagi
 
10 ways to ensure your safety leadership journey towards vision zero
10 ways to ensure your safety leadership journey towards vision zero10 ways to ensure your safety leadership journey towards vision zero
10 ways to ensure your safety leadership journey towards vision zeroConsultivo
 
Norman Broadbent Cybersecurity Report - How should boards respond
Norman Broadbent Cybersecurity Report - How should boards respondNorman Broadbent Cybersecurity Report - How should boards respond
Norman Broadbent Cybersecurity Report - How should boards respondLydia Shepherd
 
Transforming Information Security: Designing a State-of-the-Art Extended Team
Transforming Information Security: Designing a State-of-the-Art Extended TeamTransforming Information Security: Designing a State-of-the-Art Extended Team
Transforming Information Security: Designing a State-of-the-Art Extended TeamEMC
 
Making the Business Case for Security Investment
Making the Business Case for Security InvestmentMaking the Business Case for Security Investment
Making the Business Case for Security InvestmentRoger Johnston
 
IREC165473PR RP 2017 Security Outlook
IREC165473PR RP 2017 Security OutlookIREC165473PR RP 2017 Security Outlook
IREC165473PR RP 2017 Security OutlookChris Cornillie
 
Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...Niren Thanky
 
Risk & Advisory Services: Quarterly Risk Advisor May 2016
Risk & Advisory Services: Quarterly Risk Advisor May 2016Risk & Advisory Services: Quarterly Risk Advisor May 2016
Risk & Advisory Services: Quarterly Risk Advisor May 2016CBIZ, Inc.
 
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...centralohioissa
 

Ähnlich wie Board Security Risks in Business Terms (20)

Cyber security: five leadership issues worthy of Board and executive attention
Cyber security: five leadership issues worthy of Board and executive attentionCyber security: five leadership issues worthy of Board and executive attention
Cyber security: five leadership issues worthy of Board and executive attention
 
Cyber presentation spet 2019 v8sentfor upload
Cyber presentation spet 2019 v8sentfor uploadCyber presentation spet 2019 v8sentfor upload
Cyber presentation spet 2019 v8sentfor upload
 
Insights from the IBM Chief Information Security Officer Assessment
Insights from the IBM Chief Information Security Officer AssessmentInsights from the IBM Chief Information Security Officer Assessment
Insights from the IBM Chief Information Security Officer Assessment
 
Websense
WebsenseWebsense
Websense
 
Credit Union Cyber Security
Credit Union Cyber SecurityCredit Union Cyber Security
Credit Union Cyber Security
 
Leading the way
Leading the wayLeading the way
Leading the way
 
Four Key Attributes of a Successful CISO.pdf
Four Key Attributes of a Successful CISO.pdfFour Key Attributes of a Successful CISO.pdf
Four Key Attributes of a Successful CISO.pdf
 
7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-Maligec7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-Maligec
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
 
10 ways to ensure your safety leadership journey towards vision zero
10 ways to ensure your safety leadership journey towards vision zero10 ways to ensure your safety leadership journey towards vision zero
10 ways to ensure your safety leadership journey towards vision zero
 
Norman Broadbent Cybersecurity Report - How should boards respond
Norman Broadbent Cybersecurity Report - How should boards respondNorman Broadbent Cybersecurity Report - How should boards respond
Norman Broadbent Cybersecurity Report - How should boards respond
 
Transforming Information Security: Designing a State-of-the-Art Extended Team
Transforming Information Security: Designing a State-of-the-Art Extended TeamTransforming Information Security: Designing a State-of-the-Art Extended Team
Transforming Information Security: Designing a State-of-the-Art Extended Team
 
CIOReview
CIOReviewCIOReview
CIOReview
 
Making the Business Case for Security Investment
Making the Business Case for Security InvestmentMaking the Business Case for Security Investment
Making the Business Case for Security Investment
 
IREC165473PR RP 2017 Security Outlook
IREC165473PR RP 2017 Security OutlookIREC165473PR RP 2017 Security Outlook
IREC165473PR RP 2017 Security Outlook
 
2015 IA survey - Protiviti
2015 IA survey - Protiviti2015 IA survey - Protiviti
2015 IA survey - Protiviti
 
Wisegate_GeekSpeak_LG
Wisegate_GeekSpeak_LGWisegate_GeekSpeak_LG
Wisegate_GeekSpeak_LG
 
Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...
 
Risk & Advisory Services: Quarterly Risk Advisor May 2016
Risk & Advisory Services: Quarterly Risk Advisor May 2016Risk & Advisory Services: Quarterly Risk Advisor May 2016
Risk & Advisory Services: Quarterly Risk Advisor May 2016
 
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
 

Board Security Risks in Business Terms

  • 1. Speaking to the Board of Directors About Security | White Paper Speaking to the Board of Directors About Security Today's threat landscape has caused the paths of the Board of Directors and the CISO to intersect on a more frequent basis. Regulatory environments, FCC pressure and best practices have all impacted the Board of Directors, increasing their involvement in security and risk. Additionally, board members have seen what has happened when a company experiences a breach, when security was not a priority, and how these breaches have led to significantly damaging legal, financial and reputation consequences to the organization. This has led to many Board of Directors delving into cyber security risk and taking a more proactive stance. A recent SANS webinar with Carol Mills of WhiteHat Security's Board of Directors, vAmour's CISO Demetrios Lazarikos (Laz) and John Pescatore of SANS, dove deep into the increasingly important topic of speaking to the Board of Directors about security. The transcription of the webinar is what inspired this Q&A whitepaper. Q Why should a CISO want to talk to the Board of Directors Having CISO's presence with the Board of Directors will give the Board the visibility they need to provide support to a successful Information Security program. They need to understand what is at risk for their organization quantified in dollars, and need to be informed on what is happening in the environment that the CISO is working in. Q What could it mean if the Board of Directors is not talking to the CISO If a CISO is not being asked to present in front of the Board of Directors, it is likely that one of two possible things is happening. The first scenario is that the Board of Directors are getting their information some other way, possibly from an external expert or someone who is less informed about the security infrastructure and ongoings of the organization. This could mean the proper information is not being conveyed, and the Board of Directors has the wrong perception regarding the organization's Information Security program and current risk levels. The second possible explanation is that the maturity of the Board of Directors, and the maturity of the organization's InfoSec program, hasn't evolved to the point where security is in their line of sight. This could lead to a lack of support for the organization's InfoSec program, lack of awareness of the organization's risk posture and lack of proper measures being taken to ensure security. If a CISO has not been placed on the agenda for the Board of Directors, then the Board is lacking in their duties. If the CISO isn't the person presenting and answering questions relative to security and risk, then who is If the CISO is not part of developing what is being presented to the Board, things can get lost in translation.
  • 2. Q Who usually gets the Board of Directors talking about security The eneral Council typically informs the Board of Directors on developments in best practices, regulatory environment and on going Board of Directors structure. If the Board does not already have a risk committee, the eneral Council would likely be the person advising that security be added to the agenda. Additionally, as part of the financial and fiscal responsibilities of the Board of Directors, there are likely private sessions between the CFO and the different audit committees of the Board to discuss internal audits and processes. Q How can the CISO get the Board of Directors to start speaking about security The CISO should suggest that an internal security audit of the organization could provide the Board with an understanding of where the organization is in the maturity model from an Information Security standpoint. Additionally, the results can be incorporated into the recurring presentation to the Board of Directors, establishing security as a regular topic. The caveat here, as a CISO, would be to prepare to address questions regarding security events and performance if there is an increase in attacks or if performance is poor. The key thing not to do to get the Board of Directors speaking about security is to go directly to the Board. oing around the eneral Council, C O or CFO can damage the relationship and lead to lack of confidence in the CISO. Q What should the CISO know before presenting to the Board of Directors Before presenting security to the Board of Directors, a CISO needs to understand the way risk is already being presented to the Board. Former Board decks or audit forms regarding risk from the eneral Council will provide guidance and direction. These reports should be used to comprise a framework about cyber risk, similar to the way the Board has seen other types of risk presented. Once you have established a successful framework when presenting to the Board, do not continue to change it. Maintain a similar framework as you continue to meet. The CISO needs to develop an understanding of what is driving the business, how the organization makes money and how the organization operationalizes and supports their existing or new clients. With that information, the CISO should be able to put Information Security into terms that the Board of Directors can relate to and be familiar with. Q What else should the CISO take into consideration when presenting to the Board of Directors Boards of Directors often think about spend, along with many other factors, as it relates to industry norms and how the competition is performing. The CISO should leverage the interest in benchmarking and present how the organization is performing as it relates to the industry, if the organization is behind the curve, if they are spending more or less than their peers and if the organization is more vulnerable.
  • 3. Q: What should be discussed and what information can influence the Board of Directors? Members of the Board are intelligent and experienced in finance, business and strategy. These roles rarely include experience in cybersecurity and it is very likely that they do not have the background to understand the technical nature of Information Security. As a result, the discussion should not be a technical one; it should be a discussion about risk, loss and reducing loss exposure, expressed in business terms. Everything needs to be translated from the security perspective to what is happening at the Board level in terms they are familiar with without overwhelming them with technical terminology or appearing condescending. What should be presented to the Board of Directors is how the actions of the security team enable business initiatives and how they tie into the goals of the company. These presentations should demonstrate that these efforts could result in increased revenue, profit, market share, market penetration, and increased efficiency, similar to how other divisions in the business and the operations side of the organization would present to the Board. This discussion should include warnings of upcoming changes, threats and financial results if risk levels continue to rise, provide recommendations on actions required to avoid information loss, and demonstrate what is being done to prevent attacks or deal with attacks more quickly and efficiently. Information regarding what percent of the business is secure, if the data hosted is strongly protected (i.e. encryption, authentication, servers, networks, operating tools and applications, etc.) and what percent of the people and suppliers have been reviewed for security will demonstrate the value that the Information Security team provides to the organization. Additionally, the CISO Should prepare a dashboard of the major critical issues, minor issues, related loss exposure to those issues, what is being done today and over the next n months to address and resolve those issues, and what it would take financially to resolve them. These details, along with metrics demonstrating the strength of the Information Security program, the number of attacks the site is experiencing and the frequency of those events, will provide the Board of Directors a quantifiable measure of the performance of the Information Security program and actionable suggestions to support and improve the program. When speaking to the Board of Directors, it is essential to tie lower level technical security details together for a high level abstraction and translate them to be more meaningful. Q: What should the CISO's goal be in presenting to the Board of Directors? The goal in presenting security to the Board is to drive change that will increase the effectiveness of what is being done to reduce risk, to get their backing and to help them realize the strategic importance of security. A CISO should aim to say, "We are maintaining the same level of protection, keeping risk at a constant level while using less resources," or, "With risk increasing and with the increase in resources we've been given, we have been able to reduce risk to a tolerable level." The end result of this conversation is not necessarily to increase budget, but to gain support that would prevent impact to the business. This should be explained in terms of risk and expense calculations. This needs to cause the Board to consider what and how much they are willing to lose. 25 WhiteHat Security, Inc. Freedom Circle Santa Clara, CA . . . www.whitehatsec.com WhiteHat Security, Inc. All rights reserved. WhiteHat Security and the WhiteHat Security logo are registered trademarks of WhiteHat Security, Inc. All other trademarks are the property of their respective owners.