Board members want to know! The news is out – neighboring countries are stealing your client’s stuff. Ten years of R&D investment can be out the window in a few seconds when another country decides to take their data and duplicate their products at a fraction of the cost.
I returned last night from a week in Chicago, having met with several business leaders, from CEOs running financial companies to directors overseeing the IT aspects of manufacturing. In several cases people were looking for some way to measure their risk – a directive given straight from the board of directors. What is it exactly that the board wants to see? If you have never presented to a board, you want to. This is where the decision making happens, and a well-presented case is guaranteed to shortcut a lengthy decision-making process.
1. First, they want to know what their exposure is. Exposure is risk, not impact or vulnerability (which is what most people will present if asked). A calculation of risk requires not only understanding the impact on certain business metrics – such as production, shareholder value, stock price, and brand – but also the likelihood that it will happen. If you can’t explain the likelihood, the value of the data is nearly zero.
2. Then, knowing the top 4 to 6 threats is important. There are thousands of threats, but only a few matter. The board wants to know which systems and data are at risk, and why.
3. Given a list of top threats relevant to this specific business, and an expert’s opinion on the likelihood, the question of trending must be addressed. “Are things improving, or getting worse?” “How do you know?” and “How are we managing this?”
4. Obviously, if things are getting worse, there needs to be a get-well plan. It takes an average of 14 months to detect a breach according to recent FBI reports, so how do we know this data is accurate, and that we are not one of the average companies that will discover, when it’s just too late, that “We’ve been hacked”?
Before going forward with an assessment, make sure you have the right people involved, make sure you are measuring the right things, and make sure you are putting this into a format that will make sense to your target audience. If your target audience seems to be IT, chances are you are simply providing a security education to those looking to enhance their resumes. On the other hand, if you are there to measure risk for those in charge, make sure you are delivering something that speaks to the executive level. IT rarely gets what it needs in terms of support and funding on the security side – and it’s the fault of those making the case. Change the approach and you’ll find greater adoption of the things that matter.
If you are serious about getting this right the first time – I highly recommend attending my upcoming workshop, Making Money w/ Security…a nationally recognized program designed for those who want to advise executives on their data security strategy.
© 2013, David Stelzl