Presenting security and risk to board members
Category : F5
Your board’s time—and attention—is limited. But the security of your company, its reputation, and its financial health can all depend on how well your board members understand the business risks you face, and how you plan to mitigate them. Keep it short, and make it matter. This article looks at IT and security budgets and explains how to balance them against your organization’s security risk profile.
It’s that time. You have to report on the state of enterprise security to your board. The presentation is critical: the security of your company, its reputation, and its financial health all depend on you. Your board members need to understand the business risks you face, and how you plan to mitigate them. But their time—and attention—is limited. Keep it short, and make it matter.
Follow these six steps to achieve your goals.
1. Cyber threats are real—stick to the facts
They’ve heard the numbers. As much as $575 billion is lost to cyber crime annually. Data breaches can cost more than $400 million. Information like this falls on deaf ears. Board members are numb. But they need to understand the general risks of doing business online—which are endemic—versus the threats that face your industry, and your business specifically. If your organization’s largest risk is related to a lack of controls or inadequate processes, they need to know that. Most importantly, they need to know what you are doing about it. Don’t go to the board with problems for which you haven’t figured out solutions.
Tell a compelling story about a security breach, preferably in your industry. Give examples from your own company. Identify critical information assets—intellectual property, sensitive customer data—and paint a picture of what would happen and what it would cost if they were compromised.
2. Provide metrics that convince
If you have gaps in security control that you are struggling to get resources to fix, give them evidence proving that you are continuously under attack and your networks are constantly probed. Make it clear that sooner or later, the bad guys will succeed. Educate them. Surprise them.
- 73 percent of companies suffered at least one security breach in the past year
- About a third of employees targeted for phishing will open fraudulent emails
- More than one in 10 take the bait—and it only takes one
- Less than two minutes elapse from the hacker hitting send to your systems being compromised
- Hackers are inside your organization, on average, for at least four months before they’re discovered
- Web apps are the number one entry point for breaches
3. Get their support in adopting a culture of security
Human error accounts for 58 percent of cyber breaches. A secure business is a business in which everyone is educated about threats and does their part to reduce risk. This starts with rigorous—and repeated—training, and perhaps even commitment to a standard like ISO 27001.
4. Convince them they need incident response help
Encourage the board to face facts: all organizations today face the very real possibility they will be breached. How much damage you suffer depends on how quickly and effectively you respond, so why not get prepared? Most companies don’t have the skills for effective incident response (IR). You need technical, forensic, legal, and public relations support to get through the trauma. Your best bet: a third party with specialized expertise. A good IR firm will have your back.
5. Discuss cyber insurance
Cyber insurance is integral to your security strategy. Yet only 19 percent of companies have cyber insurance. And most are grossly underinsured, with only 12 percent of the total costs of a typical breach covered. Cyber insurance is the fastest-growing insurance in the world, projected to grow 300 percent by 2020 from $2.5 billion in annual premiums today. Do the math for your board. Calculate how much your business can absorb from a breach without financial catastrophe. Pick a level of risk that you are comfortable with, and insure the rest.
6. Get them to champion those efforts for which you didn’t get budget approval
You have done your homework and already secured funds for some of your efforts. If you have risk areas that need addressing that you don’t have budget to address, board members need to know this and either accept the risk or champion a solution. There’s no better way to get something accomplished than by saying that “the board” requested it get done.
As you go through this exercise, be a little selfish. If you’re not getting the support you need to defend against existential threats, think of your own reputation and career. If your board doesn’t get it, it might be time for you to consider your options.
Author: Ryan Kearny