The First Step in Engaging Your Board in the Cybersecurity Conversation

By Eric Noonan • October 5, 2015

The Wall Street Journal recently published a consolidated set of highlights from recent surveys and reports dealing with risk and compliance issues. The results will hardly surprise security professionals, but they are an abysmal reminder of just how much work remains before boardrooms are really engaged on the issue of cybersecurity. One report by AT&T found, “75% of companies don’t involve their full boards in cybersecurity oversight, saying it is an IT issue and not a core business concern.” That aligns with my experience; the exceptions are companies that have suffered a significant breach, and, not so surprisingly, post-breach companies see a substantial increase in board involvement.

How to Engage Your Board in the Conversation

Change has to come from both inside and out. Security leaders inside of companies have to continue advocating for board engagement and navigating corporate politics to effect change. This work is made harder due to the lack of agreed-upon metrics and success criteria in cybersecurity, leaving leaders wondering where to start the conversation with their boards.

First Step: A Measurable Framework

My answer: start with a comprehensive security assessment against a framework you can explain, such as the Critical Security Controls, and brief your board on the results. The results focus executive attention on the 20 most important things they should understand, support, and invest in. Everything else is noise until you are implementing these 20 critical controls effectively, and progress is conveniently measured by the metrics provided in the controls document. A security assessment is an effective way to secure board engagement for a sustained period of time.

Externally, real change will only come with comprehensive legislation designed to enforce investment in people, processes, and tools. I’m not a legislator, so I don’t profess to know all of the elements that such policy should entail, but I do know that without such legislation, investment will continue to be disproportionately allocated toward tools without a long-term plan to sustain those investments with the people and processes necessary to drive success.
