There should be a better connection between the board, security team and employees – sound familiar?
This is a recurring theme in the news when it comes to budgeting and the appreciation of IT and security by businesses' boards of directors. Statistics released this week by Swivel Secure found that 51 per cent of business owners are ‘unconcerned’ with the security of their corporate systems, so are they as disconnected as ever?
At this week's Infosecurity Europe 2013 press conference in London, Sue Milton, president of the ISACA London Chapter, said that board members should walk with the security team around businesses in order for the board to realise that security can be an enabler as opposed to a cost saver.
In another session at the conference, the concept of board acceptance came up again. Thom Langford, director at the global security office at Sapient, said that "getting people down is challenging but vital" and that a group of professionals bringing their concept of risk from across the business who can help filter the conversation is also important.
“The moment the CISO reports into the CIO, nothing will happen - the more independent you get, the better,” he said.
He later agreed with the concept of the board walking around the business, saying: “In any good company you need the board walking around and in my experience it is done and it is very effective. Everyone has their own problems, not just us, but any good company will engage the board as they have challenges and motivations. It is important to address challenges, just don't think you are going to get all of their time.”
Part of the UK Cyber Security Strategy was an executive briefing on cyber security to UK businesses, with the aim of putting cyber security on the agenda. An analysis by Trustwave of the UK FTSE 100 companies examined their most recent annual reports and whether the board had explicitly itemised cyber security as a material risk to the business.
It found that 49 per cent highlighted cyber risk in their annual reports, with healthcare and basic materials companies giving little or no attention to cyber risk. It did find a good take-up in the consumer services sector, and a 100 per cent appreciation in technology and telecommunications, but perhaps that should be expected in these more ‘connected’ industries.
As for Langford's point that independence is key within the board and getting security woven into the fabric of the business, well surely this is the whole point of an awareness campaign – to get people thinking security?
In the meantime, watch out for the walking board members; they're there to learn, you know.