What the Board of Directors Wants to See in Your Security Report
By Mike Raia Posted April 11, 2016
In a recent TechTarget article, Mike Villegas covered a lot of ground while discussing what CISOs should include when reporting to their board of directors. Mike pointed out that, among other things, a CISO's security reports should focus on "current risks, compliance, incident response."
Understandably, active boards of directors want to know that security policies are in place that reduce the company's risk of security breaches and potentially damaging cyber attacks. While a board's focus is on maximizing shareholder wealth, it is also responsible for the viability of the entire organization. Especially since the Target data breach, more board members are beginning to ask how well protected the organization is, how incident management is handled, and what remediation plans are in place.
It's critical that a CISO (or CIO) can present a cohesive plan for both mitigating the risk of attacks and handling them when they invariably occur. Boards are more willing to fund security-related budget requests when they feel there is a comprehensive plan both to prevent and manage breaches.
How ironclad is your security response plan? Is it simply a written plan, or do you have an automated, rule-based workflow that ensures a rapid and thorough response across the organization (yes, even outside the security and IT teams)?
Imagine being able to present your board and executive team with an illustrated overview of how the company will respond to a security incident and then explain that it's an actual automated workflow that kicks in if a threat is ever detected. That would certainly help your board sleep better at night and give them the incentive to fund more security measures.
For more on automating your security response, check out our recent post "Manage Security Incidents Better with Workflow Automation."