Information Technology Risk Management

State of Information Security: Educating Your Board

I have sat through numerous presentations meant to present the 'state of (information security) affairs' to the board members. More often than not, these presentations were used as a venue to do another checkmark for a variety of audiences - federal and state regulators, external auditors and the board/committee members themselves. In most cases, these presentations did function well as another checkmark. However, they failed to truly showcase the issues that needed attention from the very top of the organization. In extreme cases, I have witnessed (and not something I am proud of) gory details of how each device in the institution is missing a certain 'software patch.' Neither did the board members understand the impact of those missing patches on the bank's processes, nor did they make the connection that there was a root cause behind all the missing patches. But the presentation did serve one purpose - it was recorded in the meeting minutes as key evidence that the board was briefed on the state of information security at the institution.

Another lost opportunity to have an honest conversation about the good, bad and the ugly

So, I spoke of the board's responsibilities. Are there any responsibilities on the part of the advisors or senior management? Shouldn't it be their responsibility to present a clear and concise report to the board about where the institution stands with regard to protecting its customers' information?

Have you had this conversation with your board lately?

Having sat through these presentations for years, I thought I would put together a quick list of how to present this information effectively to board members:

Speak their language. I have yet to come across a board member who doesn't understand the concept of Risk Management. Describe the risk to the organization. Present what the organization has done. Is it effective? If not, offer a list of recommended steps with suggested time-frames.
Do not make assumptions about the remediation steps. As I mentioned earlier, the board of an institution is responsible for its Information Security program oversight. Now, if you have explained the risks to the board members precisely, the decisions for managing these risks fall on them. Provide ample information for a board member to understand the risks facing the institution and the ways to manage that risk. Don't make risk management decisions for them.
Methodology still matters. Either a quantitative or a qualitative approach to assessing risks can produce comparable results, if applied consistently. Describe risk as transaction, reputation, regulatory or strategic risk, and not in terms of technology.
All risks are not created equal. The level of risk is crucial to the Risk Management process.
History does provide some indication of the future. Don't forget to provide a description of the steps undertaken (or not) by the institution to remediate risks identified in previous analysis. Always include an assessment of the effectiveness of these steps.

Now, you can sleep well at night knowing that you have done what's right for your institution, its customers and yes, even the board members. Give them the tools to make decisions; don't make the decisions for them!
