Secure change by changing security; how to express security value to boards so they make it part of their change strategies
Presentation by Jamie Rees from Government of New Brunswick Canada
The process they followed is outlined below, along with some thoughts on what you can do to make use of this process:
- The Challenge – For them this was around multiple boards and ensuring the CISO has access to all of these
- The executive office – CISO – Managed to get the CISO onto all the boards (health authorities, transport, education etc.)
- For you – define the challenges in your own business: no board representation? Politics? Lack of budget?
- What do we want to tell the board?
- How do we get ready to tell them?
- They created roadshows, had one-on-one discussions and practiced a lot – even practicing in the actual rooms they would present in – and made a point of appearing very professional.
- They also created handouts, collaboration sites and follow-on messaging, got involved in local security events to raise their profile, and researched online and in magazines so they were prepared for surprise questions. They even published an actual book of their architecture.
- Everything they do is now vetted through the execs, no surprises on either side. Security now has a dedicated security architecture slide on the government strategy and EA roadmap.
- Utilised SOMIA – Strategy, Objective, Measure, Initiative, Action plans
- What do they want to hear?
- Aligning what we want to say with what they want to hear!
- They formalised the relationship between the risk and the outcome, linking key operational items to the outcomes the board expects; this included results of threat and risk assessments, public body (ISF) health check results and the number of outstanding security exceptions.
- The primary message is “risk exists and it threatens your expected outcomes in this way”
- Bring Solutions!
- The second message needs to be “if you are uncomfortable with the potential impacts on your outcomes, we have some solutions for reducing them”
- What have we learned?
- Welcome a regular 5-10 minute slot on the board agenda over irregular 1-hour meetings – this helps you become one of them and keeps your issues at the top of their minds.
- If they start talking amongst themselves, don’t interrupt; let them generate their understanding organically. It is their meeting, not yours, so don’t try to ‘get them back on track’.
This all aligns with the ISF framework for board engagement;
In addition, the following is very worthwhile extra reading on this topic.
You may need an ISF account to access this document.
This is valid information, and in line with other discussions on this topic. The main message is that we need to understand the key issues and concerns of our board. We then must translate security issues into language they understand and then relate these back to how they will impact the key concerns of the board.