Board of Directors – InfoSec Ostriches?

There’s no group of people in an organization who’s understanding of the value of Information Security (InfoSec) is more critical than the Board of Directors (BoD).

Dark Reading posted a thought provoking article about BoD and how they may think the company’s security posture is better than the reality.

Are they nothing more than InfoSec ostriches, burying their heads in the sand?

The author listed four items in support of this argument:

  1. Lack of baselines
  2. Overconfidence
  3. Don’t know about security incidents
  4. Don’t ask for metrics

I pose additions to the list.

I’d add a general lack of understanding. Boards often see InfoSec as overhead and not as core to the business. Every company is effectively open 24 by 7, whether as actually able to complete transactions (Retail, banking, etc.) or from a reputation perspective (Web site, social media, etc.). They don’t know the terms and acronyms (Security Operations Center [SOC], Security Event & Incident Management [SIEM], Virtual Private Network [VPN], Firewall, Identity & Access Management [IAM], Governance, Risk management & Compliance [GRC], etc.). Only the smart confident board members will ask.

Boards often don’t know or understand security projects, their objectives (what they mean to solve), and the positive impact to the business. This falls squarely on the Chief Security Officer (CSO) and/or the Chief Information Security Officer (CISO), but security managers and leaders can help with this, too.

BoD’s lack awareness of security risks. I find this most common in older companies that don’t possess a mature governance and oversight culture. The typical refrain is that “we’re flexible and move quickly; if we had a mature GRC with security-based risk management we’d lose that flexibility”.

Do you have anything to add to the list? What are some ways of combating the Board’s security ignorance?

Or do you completely disagree?

Over on PVCSec we discuss this topic. Check out the show.