When board members need to understand information security, risk, and vulnerabilities, they turn to the CIO. However, it’s the CISO who typically has the most up-to-date knowledge of the information-related threats and opportunities facing the organization. With the right preparation, the CISO can engage the board with a streamlined security assessment that balances the need to deliver detailed information with operational outcomes.
In this article, Michael Zanga, former CAO of the Royal Bank of Scotland, uncovers the best practices for engaging the board. These practices include:
Addressing Budgetary Issues
The CISO needs to convey that the level of security provided is correlated to the IT security budget the board approves. At the same time, the CISO needs to inform the board that no level of approved budget buys total security.
Measuring Security Posture
Operational risk, internal audit, technology risk, and third-party assessments are all measurements the CISO needs to succinctly explain to the board.
Developing Presentation Frameworks
“Boards don’t need a monthly update,” says Zanga. Taking this tip, the CISO needs to develop a presentation framework that gives the board exactly what they need to know. Overloading the board with information only leads to confusion.
Explaining to the Board the Role of the CISO
Board members may have different expectations of what is required of the CISO on a day-to-day basis. It’s up to the CISO to explain the role and the actions taken through it to continually improve security posture.
The role of CISO is too important not to define operationally for the board.
Get access to the full article by becoming a member of Consortium today.