How to talk to your Board about IT Security - Can they handle the truth?

By Larry Jones, Executive Chairman, Coalfire

One of Hollywood’s most memorable lines is uttered by Jack Nicholson in the movie “A Few Good Men.”  Great scene, great acting.  But when it comes to talking to your Board (or senior management, for that matter) about IT security, don’t believe Jack – they can indeed handle the truth.

Since joining Coalfire’s Board of Directors in 2011, I’ve thought a lot about security and compliance. It’s Coalfire’s job to present “the truth” to our clients, and that’s what I’ve always counted on over the years as I’ve served on various boards.  Outside directors are charged with assisting senior management as they work in the best interest of the company’s shareholders.  We oversee strategy, financing and operations, and we also spend a lot of time on risk management.  These days, there are a lot of risks to be considered, and to manage them well, we need reliable information.

Last year, the SEC published new guidelines on Cyber Risk Disclosure, and if you want a common-sense briefing on the topic, listen to this webinar from Coalfire’s CEO and Chief Security Strategist, Rick Dakin.  He’s an authority on the subject and has become a trusted advisor to many CISOs, CEOs and Directors.

I also want to highlight the wisdom from John South, CISO at Heartland Payment Systems, in an interview with Careers Info Security.  Heartland is one of many companies that suffered a very public data breach incident.  As the event ran its course, they spoke candidly about the incident and ultimately rebuilt and transformed the company.  Now, they can proudly declare that they have recovered complete shareholder value – and then some.  And as their auditor (they hired us after the breach), we consider their security and compliance program to be among the best in the business.

Highlights from the interview:

  1. Where there are security issues, it’s not a question of blame.  The issues need to be discussed openly so the board can fulfill its governance responsibility.

  2. Present the information in ways that can be easily understood – dashboards, scorecards and the like – so your points can be understood and decisions can be made.

  3. The board will have questions, and some of them may even be technical in nature based on their outside experiences.  But in general, they will look at security as a business function.  Don’t forget that security is really about business.

John’s words may not be the stuff movies are made of (sorry, John), but it’s rock-solid advice for any aspiring CISO.  Give them the truth and the whole truth; they can handle it.