CISOs Must Engage the Board About Information Security
With technology now at the center of nearly all business processes, information security is no longer simply an operational concern. It deserves a place on the board's strategic agenda. And that means the CISO needs to step up in the boardroom.
Fri, May 31, 2013
CIO — Your organization will come under attack. It's not a matter of "if." It's a matter of "when." And security is no longer simply an operational concern. As technology has become the central component of nearly all business processes, security has become a business concern. As a result, information security should sit firmly on the boardroom agenda.
"If the worst were to happen, could we honestly tell our customers, partners or regulators that we've done everything that was expected of us, especially in the face of some fairly hefty fines that could be levied by regulators?" asks Steve Durbin, global vice president of the Information Security Forum, a nonprofit association that researches and analyzes security and risk management issues on behalf of its members, many of whom are counted among the Fortune Global 500 and Fortune Global 1000.
"We're seeing, I think, not only that boards need to get up to speed on this, but also they need to be preparing their organization for the future," Durbin says. "They need to be determining how they can be more secure tomorrow than they were today."
It's About Risk Management, Not Compliance
It's not just about compliance, he emphasizes. It's about overall risk management.
"If you're in a highly regulated industry, you need to be compliant," he says. "But that needs to be going hand-in-hand with your risk-based approach. It really is no good, if you have a breach or a problem, simply sitting back and saying, 'But we're compliant.'"
And this, Durbin says, requires the chief information security officer (CISO) to step up and engage the board.
"The CISO's function is certainly going through a process of pretty significant change, but I think businesses are as well," he says. "The role has evolved significantly from just being focused on pure technology to being focused on business risk and speaking the language of business to get the message across to boards that are probably not as technologically savvy as they ought to be."
Business-Savvy CISOs Have an Opportunity
"The bottom line here is that there is a bit of an opportunity for business-savvy, smart CISOs who are able to make that transition," he adds. "It is an opportunity in terms of how they can convey those messages to the board to really address this topic of resilience that we talk about over and over again."
"When boards and CISOs engage successfully, organizations are better able to take advantage of the opportunities presented by cyberspace and today's information technology while addressing the associated risk," says Michael de Crespigny, CEO of the ISF. "To manage the risk/reward balance, CISOs must drive engagement across their organizations, changing the conversation to convey the value of information security to the organization—in terms that resonate with top decision makers and align with business objectives."