This year has exploded out of the gate, starting on Jan 4 (the first business day of the year) with a flurry of activity. Sure, some of this is just new budget money that is available. However, I’m seeing a lot of organizations in my part of the world (California, Oregon, Washington, Idaho, Montana, Alberta, British Columbia, and Alaska) asking for help on the topic of communicating to executive management and the board of directors.
It’s about time.
Really, though, this makes sense. Boards of directors aren’t interested in fads in business management. They rely upon their tried-and-true methods of managing businesses through board meetings, audit and risk committees, and meetings with executives. Until recently, board members perceived information security as a tactical matter not requiring their attention. However, with so many organizations suffering from colossal breaches, board members are starting to ask questions, which is a step in the right direction.
Let me say this again. Board members’ asking questions is a big sign of progress. And it doesn’t matter, mostly, what those questions are. It’s a sign they are thinking about information security, perhaps for the first time. And they’re bold enough to ask questions, even if they fear they are asking stupid questions.
The National Association of Corporate Directors (NACD) has an excellent publication on the topic of boards of directors’ attention to information security, called the Cyber Risk Oversight Handbook. Last I checked, a soft copy is free. Whether you are a board member or an infosec staffer, I highly recommend adding it to your reading list in early 2016.