NCSC: Time for Boards to Get Cyber Literate

NCSC: Time for Boards to Get Cyber Literate:

During the speech, Martin posed five basic questions board members should be asking of their technical teams.

These cover: how the organization deals with phishing, privileged IT accounts, software and device patching, supply chain security and authentication.

“Crucially, we are also telling you what to look for in the response,” he added.

“If the answer is: ‘We have hired X and bought Y to address the problem,’ ask the question again. You need to understand what is actually happening — not what activity has been bought.”

(Via Infosecurity)

Cannot agree more.

Martin admitted that the government’s strategy on providing businesses with cybersecurity advice and best practice hasn’t worked out as expected, with organizations focusing on good governance and simply outsourcing expertise.

Focusing on good governance is not a bad thing. Many organizations don’t do it well, if at all. However, on its own, in isolation from other activities, it might not help much.

Outsourcing expertise also isn’t a bad thing, but boards need to know that they cannot outsource ownership and responsibility. Finding a “trusted security advisor” is a great move, and any advisor worth their salt will help educate the board.

Ultimately, this is the key take-away:

… board members can’t manage risk they don’t understand, so they must become more cyber-literate …

Amen!

Board of Directors – InfoSec Ostriches?

There’s no group of people in an organization whose understanding of the value of Information Security (InfoSec) is more critical than the Board of Directors (BoD).

Dark Reading posted a thought provoking article about BoD and how they may think the company’s security posture is better than the reality.

Are they nothing more than InfoSec ostriches, burying their heads in the sand?

The author listed four items in support of this argument:

  1. Lack of baselines
  2. Overconfidence
  3. Don’t know about security incidents
  4. Don’t ask for metrics

I propose some additions to the list.

I’d add a general lack of understanding. Boards often see InfoSec as overhead and not as core to the business. Every company is effectively open 24 by 7, whether in the sense of actually completing transactions (retail, banking, etc.) or from a reputation perspective (web site, social media, etc.). Board members often don’t know the terms and acronyms (Security Operations Center [SOC], Security Information & Event Management [SIEM], Virtual Private Network [VPN], firewall, Identity & Access Management [IAM], Governance, Risk management & Compliance [GRC], etc.). Only the smart, confident board members will ask.

Boards often don’t know or understand security projects, their objectives (what problem they are meant to solve), and their positive impact on the business. This falls squarely on the Chief Security Officer (CSO) and/or the Chief Information Security Officer (CISO), but security managers and leaders can help with this, too.

BoDs lack awareness of security risks. I find this most common in older companies that don’t possess a mature governance and oversight culture. The typical refrain is that “we’re flexible and move quickly; if we had mature GRC with security-based risk management we’d lose that flexibility”.

Do you have anything to add to the list? What are some ways of combating the Board’s security ignorance?

Or do you completely disagree?

Over on PVCSec we discuss this topic. Check out the show.
