4 Secrets To Meaningful Security Discussions With The Board Of Directors

White Paper

Not too long ago, security was a topic that only IT departments cared about. Now, it has earned itself a seat at the board of directors. This has resulted in security leaders needing to have frequent boardroom discussions about security plans and vulnerabilities - read this whitepaper to learn four strategies for successfully engaging board members in a strategic dialogue about a topic with bottom-line implications.


Security was once the exclusive province of IT departments. These days, with increasingly sophisticated threats proliferating across geographic boundaries, cloud computing, mobility, and everything “bring your own,” security has finally won the ultimate badge of corporate honor: a seat at the board of directors.

“Security has evolved from a technical issue into a broader issue of intense business interest to corporate boards.”

- Kurt Roemer, Chief security strategist, Citrix

That heightened interest is hardly surprising given the seriousness of security-related risks, which include exposure of sensitive information, damage to your company’s reputation, and—most important of all—serious harm to the bottom line. For IT leaders, the upshot is more frequent boardroom discussions about the core pillars of any solid security plan: policies, enforcement mechanisms, and monitoring/reporting. To lead those meetings successfully, follow these best practices:

1. Speak the language of the boardroom

Board members discuss business issues in business language rather than technical terms. Follow suit in board meetings by focusing on critical threats, the material risks they pose, the best options for mitigating them, and breach preparedness.

Be concise when discussing those topics, and avoid conjecture. Board members are interested strictly in facts. Use clear, easily understood charts and diagrams as well to illustrate important issues like your company’s current security posture and future goals.

“That way you can show the board exactly where you are, where you’re going, and how you’ll get there,” says Stan Black, chief information security officer at Citrix.

Be prepared for plenty of questions, too. Board members will want to know how your organization stacks up against peers in your industry, for instance. Crisp, informative, and thoroughly researched answers will reassure them that your strategies are sound.

2. Explain the core elements of your risk mitigation efforts

Well-designed risk mitigation strategies are also reassuring. Such strategies should take a “protect what matters” approach to safeguarding your company’s most important, vulnerable, and heavily regulated data. The board will want to know how you prioritized sensitive data, so describe the process you used. In addition, guide them through:

  • Your policies for handling business information, in the cloud as well as on company-owned and personally owned devices both inside and outside the office
  • How you enforce those policies and train employees to follow them
  • How you prevent the loss of essential data

In particular, make certain board members understand that persons like themselves with access to an organization’s most sensitive information are high-value targets who must be especially diligent about following security policies. Be sure to update the board about any changes in your company’s governance obligations too, as well as the steps you’re taking in response.


Of course, new and emerging threats pose dangers no matter how good your mitigation strategy is, so deploy security technologies in layers that account for your network and your users, as well as their apps, data, and storage.

3. Describe your breach preparedness and incident response plan

Even the best security measures can fall prey to attacks, so show board members you’re ready by explaining your incident response plan, including who’s on the response team, who’s authorized to mobilize it, and under what conditions.

Describe your internal and external communication plan as well, and discuss your disclosure triggers for security incidents. Some disclosure thresholds are defined by law, but others rely on discretion, and board members should provide direction on how descriptive they need to be.

Should a breach occur, brief the board promptly about what happened, the potential impact on your company and your customers, how long it will take you to fix the problem, and what you’re doing to prevent repeat occurrences. Provide regular updates too, and set a clear schedule for when board members can expect your next report.

4. Use meaningful security metrics to measure success

Most boards wish to monitor security readiness on an ongoing basis. A security dashboard will provide them quick access to the most relevant information.

“The dashboard provides context to security risks and enables the board to oversee the reduction in critical exposures,” Black says.

Use metrics that are easy for board members to understand and relevant to their concerns, such as threats identified, time to response, end-user devices lost, and audit results. In addition, revisit your metrics periodically, adapt them to your company’s evolving threat landscape, and inform the board about any major changes to your architecture, technologies, and strategy.

Presenting to the board of directors may be a new experience for some in IT, but it doesn’t have to be a difficult one. With the help of the guidelines above, board meetings can be an opportunity to engage your company’s most senior leaders in a strategic dialogue not only about security, but about mobility, cloud computing, and the evolution of the workplace.
