Briefing the board: Directing security evolvement

Published: Jul 21, 2017
Author: Joan Ross

If an organization’s CISO is not regularly updating the Board of Directors (BoD), there is an inherent disconnect in the security viability of the organization. The function of the BoD is to act on behalf of the best interests of shareholders and stakeholders in validating a well-managed company. A CISO’s agenda for the BoD begins with three primary areas:

  1. What we know and have tested recently regarding security controls.
  2. What we don’t know or haven’t effectively evaluated at this time.
  3. Priorities for risk, budget, and evolving strategy based on a combination of #1, #2, current and planned business model, and current threat intelligence for your industry.

Verizon publishes the Data Breach Investigations Report (DBIR) annually, at no cost, for the greater good of the security community. This intelligence is heavily leveraged for the empirical research and investigation findings it provides, including trends in the most common attack patterns.

Every security organization can use it as the basis for its BoD presentations and for ongoing security awareness training across the organization. CISOs report that the most important graphic with which to open a BoD presentation is the DBIR Incident Classification Patterns chart, with the percentages for their own industry.

Annual budgets and periodic new budget needs can leverage these attack trends to justify requests. While many security professionals are aware of how widespread these patterns and methods have become, the BoD rarely is. Today’s CISO uses every briefing opportunity to educate the BoD on how the organization remains potentially vulnerable. The BoD is responsible for understanding how routinely these data breaches occur and for asking the organization the tough questions on risk reduction: how it prevents, detects, defends against, and mitigates these intrusions.

Verizon’s Data Breach Digest illustrates twelve of the most common recurring attacks and methods, and six of the emerging, more sophisticated attack types to guard against. With these reports published and genuinely brief to read, there is no reason for top leadership, including the BoD, not to be aware of the risk, the commonality, and the methods behind the majority of security breaches in their industry. The measure of a well-managed company is evolving toward one in which these attack risks are mitigated with the BoD’s support.

About the author:

Joan Ross is Managing Principal for the Cybersecurity team at Verizon.