My last post discussed how to improve the cyber literacy of corporate boards, given the feedback from the Fidelis-commissioned Ponemon study that showed that the majority of board members are not as educated as they need to be about this important area of corporate risk. The study also showed that many board members were not even aware that there had been cybersecurity breaches at the companies they were directing. This post will offer guidance on how companies can address this situation with the right kind of internal transparency regarding the company’s cybersecurity posture.
Company management can foster this vital visibility through regular communication to the risk committee and to the board as a whole. This communication should focus on board-level issues and avoid data overload. A good approach is a summary report on incident trends at every risk committee and board meeting that covers topics such as:
Cybersecurity Posture. These would be updates regarding cyber risk assessments, the staffing of key cybersecurity positions, cybersecurity budget, changes in security infrastructure and the resulting impact on the security posture, as well as the results of compliance reviews.
Companies should have a board-approved, risk-based cybersecurity roadmap focused on enhancing their network security posture. Cybersecurity funding is directly linked to the roadmap, and security IT professionals should periodically report on progress toward the roadmap goals.
Security Events. Board members need to have visibility into cyber-events so they can understand both the significance of these breaches and the best ways to support and drive response efforts. The trigger criteria for these notifications are critical and can vary depending on the risk tolerance of the organization. The key is to advise the board of significant changes in the threat or risk posture, particularly when a breach may have occurred.
Establish Consistent, Formalized Reporting
A good way to foster transparency and common knowledge is to formalize sharing of information between the board and company management, including the CISO. This board-level reporting system gives directors the timely and usable information they need to make reliable high-level evaluations of the company’s cybersecurity status and risk profile. Some approaches to consider include: