How Practitioners Can Share Their Security Expertise With the Board

Alex Campanelli | July 11, 2017

There’s no doubt that organizations understand the value of implementing strong cybersecurity programs and encouraging their third parties to do the same. As data breaches continue worldwide, 63% of those breaches are caused through a third party vendor, according to Soha Systems’ Third Party Advisory Group. As such, Boards of Directors realize the need to have security and risk practitioners such as Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) provide their expertise and guidance. In today’s landscape, cyber risks are at the front of Boards’ minds. This is why it is critical that security practitioners be in the room.

Here are three ways that security practitioners can get involved with Boards and help formulate a strong security program.

1. Stay up-to-date with current events and facilitate company alignment.

Major global breach events are taking place almost weekly and Boards want to know if their own organizations are at risk. It’s a security practitioner’s job to stay up-to-date with these events and understand how they could affect their business. For example, with the recent WannaCry or NotPetya/GoldenEye ransomware attacks, it is critical to know if either your organization or one of your third or fourth party vendors is affected. The Board of Directors needs to know how any event such as this can affect daily operations and revenue.

2. Regularly provide updates on an existing security program and measures.

It’s important for the Board to be regularly updated on your organization’s security posture in terms that they can understand and relate directly back to business value. Providing this visibility shows the Board the importance and effectiveness of a strong security program. This ensures that an organization’s security team and Board are aligned in terms of allocating resources and budget for any cybersecurity practices that are a priority.

3. Use a clear reporting tool to convey security metrics.

How security practitioners convey information to a Board needs to be clear and effective, without technical jargon. A solution like BitSight Security Ratings allows your organization’s Board of Directors to clearly understand your security posture and performance in relation to your industry peers, and to see this over time. By presenting easy-to-understand metrics to the Board, they can clearly get a sense of how their business is performing from a security and risk perspective.

Today, organizations are using BitSight Security Ratings to monitor third party risks, benchmark security performance, assess and evaluate merger and acquisition targets, underwrite cyber insurance, and effectively communicate security performance to upper level management to drive data-driven risk management practices. Since BitSight’s data is continuously updated, the Board can easily stay updated on the organization’s performance.

The job of the security practitioner is to empower the Board of Directors to properly understand and manage cyber risks. By staying up-to-date on current events, providing regular security program updates, and presenting metrics in a clear way, Board members will stay apprised of the organization’s security posture and act as both an ally and advocate for cybersecurity programs.

Watch this on-demand webinar to learn best practices from "superstar" CISOs and find out what top security leaders are doing to lead their companies successfully through some of today's most complex business and technology challenges.
