More and more, security professionals are grumbling about boards not understanding security issues. Is this really the issue, or is the problem that security professionals do not understand the role of the board? Do security professionals sometimes confuse the board and the company’s senior management?
Role of the Board
According to the Institute of Directors (IoD), the board’s key purpose “is to ensure the company’s prosperity by collectively directing the company’s affairs, whilst meeting the appropriate interests of its shareholders and relevant stakeholders.”
To do this, there are five key elements to a director’s role:
- stakeholder engagement
- strategy development
- setting policy
- monitoring management
- providing resources
The following looks at these elements from a security perspective, with a view to what it is reasonable to expect a director to do. Expectation is important here; security professionals sometimes expect the director to understand the minutiae – is that reasonable? The security professionals are the experts, not the directors! A director’s expertise lies in understanding the overall business context.
- Stakeholder engagement
This is about understanding the key stakeholders and what they expect from the business. It is then about understanding the key business risks that may impact these expectations being met.
From a security perspective, it is reasonable to expect a director to have an understanding of the differing security expectations of the various stakeholders; this would include understanding the key assets that create value and the impact a cyber attack could have on stakeholders.
- Strategy development
To enable these stakeholder expectations to be met, the board will agree on a set of business strategies. These strategies will need to consider how stakeholders’ security interests are to be met.
- Setting policy
As part of implementing the strategies, the board will set policies. In the security context, this will be things like risk appetite. A cynical view would say this is about deciding where security professionals want to sit on the scale between doing everything possible to keep customers secure and taking a minimalistic approach, dealing with the fallout when something happens.
The risk appetite may manifest itself in specific policies, such as compliance with a specific industry standard (ISO 27001, PCI DSS, Cyber Essentials…).
- Monitoring management
Having set a strategy and policy, the expectation is the management team will ‘make it so’. As part of this, it is fair to expect that management reports to the board to present how they are dealing with security risks. The board’s role is to monitor the effectiveness of the management team in doing this and make changes if all is not working as expected.
- Authorising resources
To implement the policy, the management team will need resources. From a board’s perspective, this is about making the finance available to enable the management team to set about their tasks. It is a management function to identify the resources that are needed to implement the policies (and any trade-offs that need to be made), and request the appropriate budgets as part of a business plan. The resources may not necessarily be technology, but may be drawn from the full spectrum of activities, including security awareness campaigns.
Given this view, is it realistic to expect the board to engage on the finer points of security testing, protective monitoring, patching strategy or ransomware mitigation? If the security manager tells the board that he needs more money to implement GPG-13 monitoring, that he would like to run a social engineering test, that he needs to upgrade all the firewalls, that he needs more people to run an effective internal audit, or that he needs more training in business continuity approaches, he is not going to hit the board’s hot buttons. These may be his challenges as a security professional, but they are not the board’s challenges; the board expects the security manager to deal with them and report back on the effectiveness of the solution.
How Should Security Professionals Engage?
Taking the above role description, first rethink the problem – what does the problem need to look like from the board’s perspective:
- Do they need help in seeing the value of an asset to the business, and the stakeholder impact of a cyber attack on that asset?
- Do they need help in setting the right policies to protect the assets?
- Do they need help to see that the current management practices are not effective in addressing security risks?
Following on from this, security professionals need to be prepared for the ‘return on investment’ question, a question that most security people are not good at dealing with. The scare tactic of ‘unless you support this initiative, the hackers will get us and it will be doom’ has been proven time and time again not to work. This needs to be put into a boardroom context. For example:
“We estimate there is an X percent chance that ransomware could infect our systems. The average clean-up cost is put at $Y, plus the cost of two weeks’ lost productivity. Our proposal will reduce that risk. The choice is yours – accept the risk, or invest $Z now to reduce the likelihood of an attack.”
The values for X and Y can both be approximated based on knowledge of systems and open source reports readily available; it is hard, but possible. The ‘two weeks’ lost productivity’ part needs to be put in the specific context of an individual business.
By thinking this way, security professionals can start to present their issue, problem or concern within the context of one of these sorts of questions. This helps the board understand that it is their problem: they need to demonstrate leadership by setting the stakeholder context, making sure the right policies are in place, and questioning management to make sure the relevant resources are deployed to address the issue. This is not shifting the problem from the board to the management team. It is fundamentally the board’s role to ensure the company’s prosperity by ensuring a cyber attack does not destroy stakeholders’ interests in the business. The board does this by showing leadership: ensuring the stakeholder context is understood across the business, and that the management team understand the policies for dealing with the challenge and have the resources required to do so.
There can be confusion in many businesses, particularly small businesses, where the board members are often the management team too. Security professionals need to recognise the difference between the two roles. Security’s day-to-day engagement will largely be with these people in their management role, so it would be very easy to slip into the mode of ‘to mitigate this risk, I need these resources’. The challenge is that a manager is likely working to a budget, so security ends up competing with everything else and, being security, has little to show for the spend. This is when these people need to be prompted to swap hats and put on their director hats; then the approaches described in this article can be used and the issue expressed in the wider context of the business, which gives security a much greater chance of success.
This is not easy and it takes time for a message to get through. Security professionals have not been taught to think like this. But it is a necessary journey to get the resources security professionals need to make their businesses secure and meet their responsibilities to keep data secure.
Collin Robbins is an executive board member of Nexor, leading the Qonex business unit. Collin’s current focus is to help customers solve cyber security problems by looking at their problems from a business outcome perspective, specifically with regard to cyber security aspects of their Internet of Things products and services.