Security Professionals: Engaging the Board
In a changing environment with ever-evolving threats, security professionals continually find themselves needing to convince the board of the importance of security. Is the real issue that the board doesn't understand, or is it that security professionals do not understand the role of the board?
The ‘Security Skills’ Series investigates a different industry skill each month, sharing tips and tricks from various experts. This month, we investigate the importance of and skills required in convincing the board that proactive, not reactive, security is the best way to mitigate risk.
By Collin Robbins
Role of the Board
According to the Institute of Directors (IoD), the board’s key purpose “is to ensure the company’s prosperity by collectively directing the company’s affairs, whilst meeting the appropriate interests of its shareholders and relevant stakeholders.”
To do this, there are five key elements to a director’s role:
- stakeholder engagement
- strategy development
- setting policy
- monitoring management
- providing resources
The following looks at these elements from a security perspective, with a view to what it is reasonable to expect a director to do. Expectation is important here; security professionals may sometimes expect the director to understand the minutiae – is that reasonable? The security professionals are the experts, not the directors. A director’s expertise lies in understanding the overall business context.
- Stakeholder engagement
It is reasonable to expect a director to have an understanding of the differing security expectations of the various stakeholders; this would include understanding the key assets that create value and the impact an incident could have on stakeholders.
- Strategy development
To enable these stakeholder expectations to be met, the board will agree on a set of business strategies. These strategies will need to consider how stakeholders’ security interests are to be met.
- Setting policy
As part of implementing the strategies, the board will set policies. In the security context, this may include things like risk appetite. This might be about deciding where security professionals want to sit on the scale between doing everything possible to keep customers secure and taking a minimalistic, reactive approach.
- Monitoring management
Having set a strategy and policy, the expectation is that the management team will ‘make it so’. As part of this, it is fair to expect management to report to the board that security risks are being dealt with. The board’s role is to monitor the effectiveness of the management team in doing this and to make changes if required.
- Authorising resources
To implement the policy, the management team will need resources. From a board’s perspective, this is about making the finance available to enable the management team to set about their tasks. It is a management function to identify the resources that are needed to implement the policies (including any trade-offs that need to be made) and request the appropriate budgets as part of a business plan.
Given this view, is it realistic to expect the board to engage on the finer points of security such as testing, evaluation, protective strategy and so on? If the security manager presents a case for more cameras or better access control, this won’t hit the board’s hot buttons. These may be your challenges as a security professional, but they are not the board’s – a board expects the security manager to deal with them and report back on effectiveness.
So, How Should Security Professionals Engage?
Taking the above role description, first rethink the problem – what does the problem need to look like from the board’s perspective:
- Do they need help in seeing the value of an asset to the business, and the stakeholder impact of an attack on that asset?
- Do they need help in setting the right policies to protect the assets?
- Do they need help to see the current management practices may not be effective in addressing security risks?
Following on from this, security professionals need to be prepared for the ‘return on investment’ question, a question that security professionals might have trouble answering. Scare tactics like ‘support this initiative, or the bad guys will get us’ have been proven time and time again not to work. Put it into boardroom context – for example, in the case of a cyber attack:
“We estimate there is an X percent chance that ransomware could infect our systems. The average clean-up cost is put at $Y, plus the cost of two weeks’ lost productivity. Our proposal will reduce that risk. The choice is yours – accept the risk, or invest $Z now to reduce the likelihood of an attack.”
The values for X and Y can both be approximated based on knowledge of systems and open source reports readily available; it is hard, but possible. The ‘two weeks’ lost productivity’ needs to be put in the specific context of an individual business.
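As an added illustration (not part of the original article), the boardroom argument above can be turned into a small expected-loss calculation: the likelihood X, the clean-up cost Y and the two weeks’ lost productivity combine into an annualised loss expectancy, and the proposed spend Z is judged against how much of that expectancy it removes. All figures used below are constructed placeholders, not estimates from the article, and the class and function names are this example’s own.

```python
# Added example, not from the article. Turns "X percent chance, $Y clean-up,
# two weeks' lost productivity, invest $Z" into numbers a board can weigh.
# Every figure below is a constructed placeholder for illustration only.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RansomwareScenario:
    probability: float           # X: likelihood of infection in a year, 0..1
    cleanup_cost: float          # Y: average clean-up cost in dollars
    weekly_productivity: float   # value of one week's output for *this* business
    downtime_weeks: float = 2.0  # the article's "two weeks' lost productivity"

    def single_loss(self) -> float:
        """Cost of one incident: clean-up plus the productivity lost while down."""
        return self.cleanup_cost + self.weekly_productivity * self.downtime_weeks

    def expected_loss(self) -> float:
        """Annualised loss expectancy: likelihood times cost of one incident."""
        return self.probability * self.single_loss()


def risk_reduction(before: RansomwareScenario, residual_probability: float) -> float:
    """Expected loss removed if the proposal cuts likelihood to residual_probability."""
    after = replace(before, probability=residual_probability)
    return before.expected_loss() - after.expected_loss()


def return_on_security_investment(before: RansomwareScenario,
                                  residual_probability: float,
                                  investment: float) -> float:
    """ROSI = (risk reduction - cost) / cost; positive means the spend pays for
    itself in expectation, negative means the board is buying more than the risk is worth."""
    reduction = risk_reduction(before, residual_probability)
    return (reduction - investment) / investment


def break_even_investment(before: RansomwareScenario, residual_probability: float) -> float:
    """Largest Z the proposal can cost before its ROSI turns negative."""
    return risk_reduction(before, residual_probability)


def board_summary(before: RansomwareScenario, residual_probability: float, investment: float) -> dict:
    """The three numbers the article's boardroom sentence asks for, plus the comparison."""
    return {
        "expected_loss_now": before.expected_loss(),
        "expected_loss_after": replace(before, probability=residual_probability).expected_loss(),
        "investment": investment,
        "rosi": return_on_security_investment(before, residual_probability, investment),
        "break_even_investment": break_even_investment(before, residual_probability),
    }


if __name__ == "__main__":
    # Constructed placeholder values: 20% chance of infection, $150k clean-up,
    # $250k of output per week, proposal cuts likelihood to 5% for $60k.
    scenario = RansomwareScenario(probability=0.20, cleanup_cost=150_000, weekly_productivity=250_000)
    for key, value in board_summary(scenario, residual_probability=0.05, investment=60_000).items():
        print(f"{key:>24}: {value:,.2f}")
```

The `weekly_productivity` figure is the part the article says must come from the individual business; the other inputs can be drawn from systems knowledge and open source incident reports. The useful output for the board is not the ROSI alone but the break-even figure: it states the most the organisation should be willing to pay for this particular likelihood reduction, which frames the decision as accepting the risk or funding the control, exactly as the article suggests.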
By thinking this way, security professionals can start to present their issue, problem or concern within the context of these sorts of questions. This will help the board understand that it is their problem too, and that they will need to demonstrate leadership by setting the stakeholder context, making sure the right policies are in place, and questioning management to make sure the relevant resources are deployed.
Collin Robbins is an executive board member of Nexor, leading the Qonex business unit. Collin’s current focus is to help customers solve cyber security problems by looking at their problems from a business outcome perspective, specifically with regard to cyber security aspects of their Internet of Things products and services.