
How Practitioners Can Share Their Security Expertise With the Board

Alex Campanelli | July 11, 2017

There’s no doubt that organizations understand the value of implementing strong cybersecurity programs and encouraging their third parties to do the same. As data breaches continue worldwide, 63% of those breaches are caused by a third party vendor, according to Soha Systems’ Third Party Advisory Group. As such, Boards of Directors realize the need to have security and risk practitioners such as Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) provide their expertise and guidance. In today’s landscape, cyber risks are at the front of Boards’ minds. This is why it is critical that security practitioners be in the room.

Here are three ways that security practitioners can get involved with Boards and help formulate a strong security program.

1. Stay up-to-date with current events and facilitate company alignment.

Major global breach events are taking place almost weekly and Boards want to know if their own organizations are at risk. It’s a security practitioner’s job to stay up-to-date with these events and understand how they could affect their business. For example, with the recent WannaCry or NotPetya/GoldenEye ransomware attacks, it is critical to know if either your organization or one of your third or fourth party vendors is affected. The Board of Directors needs to know how any event such as this can affect daily operations and revenue.

2. Regularly provide updates on an existing security program and measures.

It’s important for the Board to be regularly updated on your organization’s security posture in terms that they can understand and relate directly back to business value. Providing this visibility shows the Board the importance and effectiveness of a strong security program. This ensures that an organization’s security team and Board are aligned in terms of allocating resources and budget for any cybersecurity practices that are a priority.

3. Use a clear reporting tool to convey security metrics.

How security practitioners convey information to a Board needs to be clear and effective, without technical jargon. A solution like BitSight Security Ratings allows your organization’s Board of Directors to clearly understand your security posture and performance in relation to your industry peers, and to see this over time. By presenting easy-to-understand metrics to the Board, they can clearly get a sense of how their business is performing from a security and risk perspective.

Today, organizations are using BitSight Security Ratings to monitor third party risks, benchmark security performance, assess and evaluate merger and acquisition targets, underwrite cyber insurance, and effectively communicate security performance to upper-level management in support of data-driven risk management practices. Since BitSight’s data is continuously updated, the Board can easily stay informed about the organization’s performance.

The job of the security practitioner is to empower the Board of Directors to properly understand and manage cyber risks. By staying up-to-date on current events, providing regular security program updates, and presenting metrics in a clear way, Board members will stay apprised of the organization’s security posture and act as both an ally and advocate for cybersecurity programs.

Watch this on-demand webinar to learn best practices from "superstar" CISOs and find out what top security leaders are doing to lead their companies successfully through some of today's most complex business and technology challenges.
