During my four-month vacation I spent a lot of time with VCs and startups. It's something I wanted to do for a long time and have had an absolute blast. With that I joined the advisory boards of a few companies to help them formulate their products and business strategies. It got me thinking of an article I did years ago about corporate governance bodies and security, and it couldn't be more appropriate today.
We currently have two significant issues within corporations that need to be resolved together. The first is the threat landscape that has resulted in the continued compromise of networks and data. The reasons and the attackers are many and well discussed, so I won't go into them here, but the resolution has not been very forthcoming. Corporations need to take security seriously in order to mitigate the threats. To do this requires funding, staffing and, most importantly, culture change. No change can be more impactful than at the board. Yet, when we look at board makeups, in particular the audit committees, there are no security experts to be found.
Now this is not an obvious failing of the board but an opportunity to drive a resolution. The audit committee, primarily, is there to ensure the governance of the company from a financial aspect. To that end you see a great number of CFOs, CEOs and other financial experts. I feel it's time that security, or Information Risk, is more than a conversation and becomes a key component of the committee's makeup. To that end, having experts in that discipline, specifically CSOs and CISOs, to guide the security and governance conversation is critical. It's time that Institutional Shareholder Services (ISS) and the National Association of Corporate Directors (NACD) focus on this and help drive it into the industry.