Should Your Board of Directors be Managing Your Security?
Should your board of directors be managing your security?
This is not a rhetorical question. Ensuring a good security posture requires that your board of directors and senior management are on board and support your efforts at securing corporate data.
Let’s pose a few questions:
Why you want your board of directors involved?
One fundamental reason is to provide ‘peace of mind’ to your board. Involving them fulfills their due diligence and demonstrates a standard of due care.
Involving your board also aligns senior management to your security program It aligns external and internal auditors to your security initiatives and priorities. It also eases challenges as board of director commitments, risk tolerance parameters and representations are taken seriously by senior management and other stakeholders.
Ensuring a good security posture requires that your board of directors and senior management support your efforts at securing corporate data.
Why your board should be concerned?
As the recent Target credit card breach demonstrated, security and privacy breaches can have significant and material financial impact to a business. Cyber threats and breaches are increasing in complexity, frequency and magnitude. Examples of risks associated with cyber threats include:
- Compromised customer data
- Diminished brand and reputation
- Loss of investor and consumer confidence and loyalty
- Stolen sensitive intellectual property
- Compliance and regulatory sanctions
- Network or systems outages and down time
- The Board of Directors and senior management have a significant responsibility to understand and support their organization security and privacy posture. In addition, both implicitly or explicitly set the risk tolerance level for the organization. Finally, they are responsible for ensuring those empowered to make information security risk decisions, on behalf of the company, stay within those risk tolerance parameters.
How should you align security to your business?
Aligning security to the business is key to gaining your board and senior management support. Document how information security projects and initiatives are aligned with the organization's strategic business objectives. Your information security strategy should have a forward looking aspect that embeds information security into the business and IT planning process and focuses on emerging trends and technology to address evolving risks and business changes.
You should also show how information security contributes to the organization's success. The role of information security in addressing market, privacy, technology and regulation risks. Illustrate how information security will enable business objectives and initiatives. Highlight how effective security governance can enhance the interests of all the stakeholders (e.g. customers, business units, employees, auditors, etc.) in a cost effective manner. Reflect the organization's risk appetite. Be consistent with the management and reporting of other types of risk in the organization (operational, financial, market).
My next post will talk about how you need to benchmark your security posture, align information security posture to the business objectives, have a risk assumption framework to effectively resolve contested risk issues, and report and communicate with your board and senior management.
Related Articles
Cybersecurity Snapshot: 6 Best Practices for Implementing AI Securely and Ethically
May 31, 2024Like many organizations, yours is likely using AI – or at least thinking about deploying it soon. But how can you ensure you use it securely, responsibly, ethically and in compliance with regulations? Check out best practices, guidelines and tips in this special edition of the Tenable Cybersecurity Snapshot!
Tenable Capture the Flag 2023: And the Winners Are...
August 14, 2023It's time to crown the winners of this year's Capture the Flag Event!
Cybersecurity Snapshot: SEC Wants More Cybersecurity Transparency from Public Companies
July 28, 2023Find out what’s in the SEC’s new cybersecurity disclosure rules. Plus, CISA analyzes the cyber risks impacting critical infrastructure organizations. Also, check out guidance for shadow IT and tips to boost your security awareness program. And much more!
Cybersecurity Snapshot: NIST Program Probes AI Cyber and Privacy Risks, as U.S. Gov’t Tackles Automotive IoT Threat from Russia, China
September 27, 2024A new NIST program will revise security frameworks like NIST’s CSF as AI risks intensify. Plus, the U.S. may ban cars with Russian and Chinese IoT components. Meanwhile, the CSA adds AI insights to its zero trust guide. And get the latest on cybersecurity budgets, SBOMs and the Ghost cybercrime platform!
CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177: Frequently Asked Questions About Common UNIX Printing System (CUPS) Vulnerabilities
September 26, 2024Frequently asked questions about multiple vulnerabilities in the Common UNIX Printing System (CUPS) that were disclosed as zero-days on September 26.
Establishing a Cloud Security Program: Best Practices and Lessons Learned
September 26, 2024As we’ve developed Tenable’s cloud security program, we in the Infosec team have asked many questions and faced interesting challenges. Along the way, we’ve learned valuable lessons and incorporated key best practices. In this blog, we’ll discuss how we’ve approached implementing our cloud security program using Tenable Cloud Security, and share recommendations that you may find helpful.
- Executive Management
- Security Policy