Strategic decisions about cyber security, or any other kind of security, need to be made at the board level. It is difficult to get company boards to focus on strategic issues, even though this is what they are theoretically meant to do. Companies are busy places, and there are always minor issues that eat into board meeting time. In some companies, the culture is such that managers avoid their responsibility by pushing decisions up to the board, again robbing the board of valuable time.
The Centre for the Protection of National Infrastructure, a UK Government organisation, has released a short document aimed at helping security managers get cyber security onto the corporate agenda. CPNI makes the somewhat obvious point that getting buy-in from a company board is crucial to the successful outcome of a cyber security implementation project.
Although the CPNI paper doesn’t spell it out quite this way, the key is to show concisely why security matters to the board members and to the company they are responsible for. Generally the key issues fall into three categories.
- Financial – the loss due to another entity (government, business, criminal) gaining commercially sensitive information. The effect of this can be short term where a negotiation is damaged or longer term where valuable intellectual property is lost.
- Legal – many organisations are subject to regulatory requirements to protect information that they hold on behalf of clients, stakeholders and staff. In Australia, the Australian Privacy Principles come into force in March 2014. Most private sector organisations will be required to adhere to them. Financial and professional organisations have been required to meet similar requirements for a number of years.
- Reputational – high-profile privacy breaches have affected a number of large companies. Sony, Heartland and RSA have all suffered huge breaches which cost them millions of dollars to clean up and resulted in significant lost business. In some cases the breaches have led to tightened regulation, which in turn increased the cost of doing business.
Things to remember
- Most, if not all, board members will not have a good understanding of the Internet or information security (tech companies are the exception, of course).
- Boards are generally made up of people who are very clever and need you to acknowledge it – presentations need to be logical but must also require little subject-specific knowledge.
- If you are the expert, you need to have an answer ready when one board member starts talking about “his daughter’s computer” or the spam she “gets on the company email” that she doesn’t get at home. This is where a well-briefed chair is important.
- The best briefings work when board members are given details of current, real-world examples of similar companies’ misfortunes. You can bet that Microsoft looked very hard at the Sony hack at the board level, and that CA examined the breach of RSA tokens carefully!
- Sometimes an outside expert needs to be brought in to tell the board what the security cell already knows. It is a funny quirk of human nature that we sometimes don’t give enough respect to the people in our own organisation.
That’s where you can call on us to help you get your message across. We have experience talking to boards and senior executives from government, councils, banks and companies including those in the DISP.
Australia’s CERT also publishes useful advisories (disclosure – Alex Webling was the founding director of Govcert.au): https://www.cert.gov.au/advisories