
Security Think Tank: Infosec letter to the board

How can security professionals communicate effectively with the board and senior business leaders – what works and what doesn’t?

Dear Board of Directors,

We are reviewing how we – as information security professionals – can have an effective dialogue that enables you to take informed risk decisions about cyber threats.

This has given us pause to reflect that perhaps we have underestimated you all these years. Technical jargon and acronyms are never useful, but we now realise that you are increasingly familiar with the vocabulary of information security, and our initial belief that you suffered from colour blindness was, indeed, misplaced. Often, you need more detail than the usual three colours of red, amber and green that we flash before you to describe the status of our security posture.

It is more than likely, too, that you have already heard how one of our competitors almost went bust because of a cyber attack – you may even know more than we do, from social events you have attended with your peers.

In our endeavour to ensure you understand the evolving threat landscape and the importance of implementing effective security measures, we may have leaned towards giving you an overly simplistic, one-dimensional perspective – focusing primarily on what it all means in financial terms in our primitive attempt to speak in business language. This was not intended to insult your intelligence, but to speak in terms familiar to you and put the dollar amount up front.

So how do we do better? We know that you are short on time and have competing business priorities capturing your attention. Equally, we realise that as cyber attacks feature time and time again in media headlines, underscoring the detrimental business impact of poor security practices, you are willing to devote more than two minutes to this issue. We now appreciate that you have seen the career consequences of a cyber breach affecting your peers, and that this is consequently an issue that is very close to your heart.

We will continue to translate the technical detail to business speak in the most succinct way possible, explaining both the business value and requirement for security initiatives. We will not focus solely on information risks, but provide you with the broader context, including the impact on the customer experience, legal and regulatory implications, and how we compare to others in our industry. 

This means that we need not only to understand what is important to the business, including priority areas of focus, but also to appreciate external factors, such as political changes, merger and acquisition activity, new markets and regulatory changes. To give you the most informed advice, it is important that we properly understand the company ethos, how the business operates (including how it makes money) and what we can do to help the business achieve its five-year plan.

We shall strive to give you a realistic perspective of how prepared our organisation is to handle a security incident. We will work closely with you to establish your risk appetite and develop formal statements to that effect, to be adjusted as necessary in line with business changes. We realise that the business is never static, so your priorities will change over time and, with them, your risk tolerance.

We will also commit to stop referring to "the business" as though it were something separate from us. Together, we all are the business. We will not overplay the fear, uncertainty and doubt that media coverage can perpetuate, but instead draw on the lessons learned from security breaches suffered by others to address our own vulnerabilities and mitigate the specific threats that we face.

Preparation is core to our success and you can expect that we will do a lot of groundwork before we brief you. This means proactively engaging with some of you outside of board meetings – campaigning, if you will, for our cause. We always appreciate board members championing our efforts to protect the enterprise in the best way possible. Moreover, messaging from the top down can significantly assist our aim of engendering a security-positive culture within the organisation.

In return, we hope you will keep us apprised of new business initiatives, proactively engage with us and support our information security activities with requisite funding and resources.

We look forward to continuing our conversations with you about information security for the overall benefit of us all.

Yours sincerely,

Information Security Function
