After a recent presentation on “Security is not an IT problem”, which examined the weak link between policies and measures within many organizations, we decided to hold a World Cafe to discuss the surrounding topics further. We split the discussion into four topics and debated each one. In my previous blog in this series, I wrote about the 7 worst practices in Information Security. In this blog, I will present the outcomes of the discussion on Information Security in the Boardroom. Feel free to share your thoughts with us in the comments section below.
Present solutions, not just problems
Security issues, threats and challenges are an interesting and very important topic for discussion. However, board members need to make decisions, and they need to make them fast. Therefore, it’s important to present the risks your organization is currently facing, but also to present the potential scenarios that could arise if a threat is not addressed, and to advise them on how to move forward. Most of the attendees said that the board is not willing to engage in long, intellectual discussions on possible threats; they want clear messages and well-prepared decisions.
The board isn’t one person… it’s a collection of individuals, each with his or her own agenda. It is your challenge, as the person responsible for organizational security, to understand their challenges and advise them on the measures they should take. If you are unsuccessful, it is likely that your “technical” messages will not find traction in the board.
Alignment with organization goals
Business goals are typically better documented than the personal goals and ambitions of members of the board. Some of the security architects at our workshop had really worked out the chain of reasoning from goals, to principles, to the elements of their security architecture, to concrete security measures. Others only dreamed of such a structured, formal path, but believed it would help them do their job.
Policies and measures can seem abstract to members of the board. Creating real cases of what happens when a hacker is knocking at your digital door, or what happens when a new employee is hired, will make things come alive for the board. You could illustrate this with a simulation. One of the attendees suggested that hacking the iPhone and tablet of a board member in real time would leave an unforgettable impression!
Pressure from regulators
According to some attendees, compliance issues, rules and regulations distract companies from helping customers improve their business. Other security architects indicated that pressure from regulators helps them put security and privacy on the agenda of the board. Helping the organization become compliant is seen as real business value that security experts can bring to an organization.
Understand the context
Information risk and security are just one aspect of running an organization. If you do not understand that security is only one of the many items on the agenda of the board, you will not succeed in influencing them, and you will quickly get frustrated. By presenting security in the context of business goals, you show that you understand there is more to life than security, risk, privacy and trust. There are also sales, ease of use and time to market. This provides a strong foundation for future collaboration.
Information security is not just a technology matter; it is also a business issue that needs to be understood and endorsed by the board. The tips from the professionals who joined our workshop may help you resolve the challenges you face.
We hope you enjoyed our blog series on Information Security, and we’d love to hear your comments below. What are your main challenges with Information Security?