CIOs must engage with the board about cyber-security opportunities and dangers so information strategy and risk are routinely seen as important board-level issues.
Increasingly, I'm seeing leading security chiefs aligning or merging security strategies with business-focused initiatives and projects. This continues to be challenging for those who are working through their IT departments, where security is seen as a purely technical issue.
However, the more forward-thinking security leaders are asking five questions of themselves and their boards:
1. How does cyber-security in general and information security specifically support our business priorities, such as attracting and retaining customers, maintaining or growing a competitive advantage, and fostering innovation?
2. If the worst happened, could we honestly tell our customers, partners and regulators that we had done everything that was reasonably expected?
3. How can we validate our understanding of our information risks and how they are managed?
4. Should we as an organization or as a board be changing our approach?
5. Are we prepared for the future?
Engagement is about communicating the value of information security and delivering that value. Ideally, board engagement will be proactive, but it can also be reactive by, for example, responding to a board request for information about an incident.
Board engagement is a journey—and its path will vary. It will be easier, for instance, if you have high-level support, but it will be more difficult if the organization doesn't understand the value of information security. This journey requires careful planning, including identifying whom to influence, changing the way executives talk about risk and information security, and choosing the right supporters.
Successful executives will be the ones who facilitate continuous engagement. Those who are seen as business enablers, and whose teams deliver successfully, will have a much easier engagement journey.
Better Engagement Equals Greater Benefits
The economic, social and technological landscape is vastly different than it was just a decade ago. CIOs must work with CISOs to safeguard information at a time when increasing volumes of the organization's sensitive data sit outside traditional information security perimeters. Bring-your-own-device and bring-your-own-cloud initiatives present considerable challenges, as does the widespread adoption of social media, and today's executives must embrace these technologies or risk being sidelined by those who do.
Information security is typically not a goal or business objective—all activities should be aimed at enabling delivery of the strategy and benefits to stakeholders. As stakeholders apply mounting pressure, it's imperative that C-level executives continue to understand and deliver on heightened expectations relating to information security governance and information risk management.
When boards and executives engage successfully, organizations are more likely to realize the benefits of their strategic initiatives. Effective engagement enables organizations to take advantage of the opportunities presented by cyberspace and today's information technology while managing the associated security risks.
About the Author
Steve Durbin is global vice president of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber-security, BYOD, the cloud and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
You can also read his previous CIO Insight article, "Defending Your Company's Reputation in Cyberspace."