Based in San Francisco Bay Area, Securesql is a blog by John Menerick. His insights dissect complex systems, offering a masterclass in cyber guardianship through expert analysis and cutting-edge protective strategies.

Board of Directors face-time opportunities

Board of Directors

Organizations need board members who understand the issues the business faces, from product requirements to the competitive landscape. Becoming a board member is a serious commitment of time, energy and creativity. It demands that board members add tangible value to discussions ranging from long-range product planning and competitive strategy to budget prioritization and deepening customer relationships. Competent board members earn their nomination and election; the engaged ones listen closely, ask probing questions, promote collaboration and offer well-reasoned ideas. Being a board member is about making a real difference in the organization's path to success, not collecting a director's fee for attending a few in-person meetings or dialing in to monthly conference calls.

Boards are no different from any other hierarchical organization, from huge corporations to small non-profit associations. Some board members are outspoken, assertive and aggressive, while others are contemplative, thoughtful and introspective. And while the days of board members routinely acceding to the CEO's wishes are mostly behind us, a strong political environment often remains among board members. Be cognizant of this when engaging the board on security: the same dynamics determine how a risk briefing is received and which recommendations gain traction.

Why

Boards play a crucial role in cyber risk that goes beyond mere compliance tracking: they must set an acceptable level of risk for the organization and ensure that executive management mitigates cyber risk to that level. In the end, boards must be willing to stand behind the security program their management team enacts. This requires that boards:

  • Establish an appropriate level of cybersecurity oversight which enables them to understand and track enterprise risk and remediation efforts

  • Require continuing education and briefings for board members on new and emerging threats to the organization

  • Regularly review the collective experience and skills of the board in regard to cybersecurity and technology to ensure the board has members with an appropriate background for guiding management in security matters

What to expect?

In theory, boards are proactive and request a briefing to discuss their attitudes toward risk, governance, and security, and to voice their concerns in those areas. That discussion shapes future talking points, conversations, and meaningful board meetings. Questions one may wish to put to the board member(s) are below:

GRC

  • Which role or responsibilities does the board want to have in security?

  • Is there an established objective for security risk?

  • Is there a management security program the board will stand behind?

  • Does the security program incorporate elements from recognized security standards, such as ISO/IEC 27001 or the NIST Cybersecurity Framework?

  • Which mechanisms are in place for tracking security status and progress?

  • Prior to mergers, acquisitions, partnerships, and alliances, is a thorough security due diligence analysis performed?

  • How are the risks of third-party arrangements managed on an ongoing basis? Is it approached as a continuous effort?

Investments

  • How is management tracking the latest security technologies?

Process

  • Does the board receive frequent and regular updates on evolving threats?

  • Is an incident response plan in place? If so, when was it last tested, and how (tabletop exercise or live drill)?

  • Are business continuity plans in place?

  • Are they up to date and tested across all shifts?

  • Is there a security awareness training program in place?
