In recent years we've seen an increase in public company boards' responsibilities over Information Security. This is mostly due to the dramatic increase in attacks over the past seven years or so, as well as the growth in compliance requirements intended to remediate that risk. The recent public discussions of Hydraq and Stuxnet have also drawn the more focused attention of board members, who now want to understand what their companies' risk is with respect to Information Security.
Unfortunately, most directors and audit committees are not prepared or equipped to understand or handle these issues. Most notably, this is due to their dependence on the internal and external audit groups to inform them of what those issues are. These groups struggle to find, let alone maintain, appropriate security skillsets, and their typical focus on the infamous "best practices" results in little to no "security" value. Passing a SOX audit is very different from defending against an organized cyber attack.
It's these gaps that need to be addressed, which would also unlock the 20+ year desire by practitioners to implement rational, sound practices to protect customer and company data. To get there, a few initial steps are needed.
Top 5 Corporate Board New Year's resolutions
1) Ensure there is an experienced security practitioner who serves as an advisor to the Audit Committee. An experienced practitioner is needed both to educate the board and to provide guidance to the in-house practitioners.
2) Establish a relationship with the company's physical and information security department heads. Most boards do not know of, let alone understand, the company's security organizations. Facilitating at least an annual presentation on the issues to the Board or Audit Committee would go a long way.
3) Establish a defined description of, and methodology for, risk. It's not very useful to have a discussion over the various bits and bytes relating to security. Having a well-defined risk methodology to translate the security "isms" into business terms is key.
4) Ensure consistent reporting of the risk areas to the Audit Committee. Having management report on security risks quarterly would both educate the committee and guide the issues toward resolution.
5) Educate and be educated. The field of Information Security is a challenging one and can be confusing. Spending some time to educate oneself, and having the experienced security practitioner advisor educate the board, is important. This will go a long way toward ensuring the issues are framed in terms of their applicability to the overall business, and will better guide the discussion to the larger risk areas.