Increasingly, I hear information security professionals citing a lack of interest from the board room as a critical reason for their failure to address IT risk and security concerns.
That many C-suite executives have historically not been interested in the technical aspects of IT, and indeed have not truly understood the role of the CIO and CISO in an organisation, is a fact.
In a large number of companies, information security is presented to the board once a year, if at all, and even then only to help the board tick boxes and demonstrate compliance of corporate governance with reviews of strategic and operational risk.
But, as the threat landscape is changing, the real question for me lies in what infosec professionals can do to engage with the board and gain their attention.
Recently the pace of technology change, the effect of breaches and the need for highly effective response plans have signalled a change of culture in the C-suite. Boards can no longer afford to be ignorant of the risks as technology plays an ever increasing role at the heart of business operations.
As a result, information security and risk management are presented with a unique opportunity to be at the heart of business decision-making.
The need for information security to start addressing strategic issues such as financial performance, shareholder confidence, brand reputation and customer loyalty all ensure that board members are becoming cognisant of the role that risk management and information security can play.
Boards can no longer afford to be ignorant of the risks as technology plays an ever increasing role at the heart of business operations
Information security rouses interest at board level
Recent UK government and international efforts to raise awareness of the importance of cyber security are paying significant dividends and changing the role of risk management in the board room. You will no longer come across bored C-suite members, but demanding individuals asking educated and insightful questions that need to be answered.
In my experience, this is starting to realise significant knock-on effects, with a transition from a compliance and restrictive practice view of risk management to one focused on balancing risk with costs to optimise the value to the business.
True board oversight brings with it a need to recognise the opportunity upside from risk. After all, businesses make profits by taking decision based on calculated risk. Being aware of both the risk landscape and threats to their business, as well as the opportunities that exist, allows a board to drive new thinking in information security and information risk management.
A compliance-focused information security function will maintain a reactive posture where innovation is limited and little additional value is realised to the business. However, an acute awareness of the risks and opportunity upsides, balanced with a truly reflective risk appetite and risk management posture, can allow an infosec function to move beyond reactive to one of reward and true innovation and revenue generation.
Align risk management with business goals
Yet, how many infosec professionals have aligned their information security postures to corporate risk appetites? How many infosec professionals knowingly operate a function which looks at the operational needs of the business first and foremost, in an enabling manner, identifying opportunities to enhance the efficiency of a business? How many infosec professionals are looking at the positive opportunities of technology advancement and suggesting ideas to their companies as to how the modern cyber connected world can create new ways of operation?
The inflection point has arrived, as the C-suite has identified the need to ensure that they are fully aware of the risk management needs of the business. As such, there is a newfound willingness and desire from boards and C-suite executives to engage on issues which for far too long struggled to get five minutes on a board agenda. Many boards are now dedicating hours to discussing the changing cyber threat and their response plans.
This provides an opportunity for the infosec professional, and indeed the profession as a whole, to be recognised as adding value to the business. The transition from “bored oversight” to “board oversight” is therefore a welcome opportunity for the profession to shine and gain access to the funding required for delivering the necessary visions of cyber defence and response to tackle tomorrow’s threats.
A wise man once said “a vision without funding is hallucination”, and given the new interest at board level, we finally have the opportunity to stop dreaming and start delivering to business needs.
Mark Brown is director of risk and information security at Ernst & Young.