Everyone has a unique view of what a board meeting is like and what the board actually cares about. Here, I'm going to explore how to communicate with the board, and how one should communicate the board's wishes. I'll assume that the reader is a CISO or InfoSec executive.
Over the years I've attended hundreds of board meetings in various exec, non-exec and advisor roles. Mostly I'm a 'doing' director; this means that I report on the functions I look after: I wrote that code, I created that blog, I filmed that video, I dealt with that incident. It's probably why I'm at the board meeting: to condense an activity or incident into a summary with threats, opportunities and costs.
If you've never attended a board meeting before, I'll try to give you a flavour of what happens. In general each board meeting is very different, and not every board member is necessarily present. It's likely that every board meeting will have a theme, for example a new product launch, the end of a quarter, a data breach and so on.
Every board member is expected to know what the core of a business is (excluding start-ups, they are a special case). The core is what needs to be protected and evaluated to ensure that it's fit for market. If you are going to address a board you should have a good understanding of what they believe is core.
Every board is responsible to its shareholders: which is why a lot of attention is paid to what will and won't bring in business and what the competitive landscape looks like.
The board has to execute the legal responsibilities of the organisation; this of course assumes that they know what they are. In terms of reporting and accounting they have financial expertise to call upon. However, in terms of privacy and cookie laws you are expected to be the knowledgeable resource.
Now, when we're called to account by the board, we can use this as a basis to build on.
Let's say we're looking to increase the InfoSec spend. Here's a typical board member's reaction:
Nothing particularly technical there. Here's how we could address those concerns for a simple case of Anti-Malware:
Now let's look at a more complex case: Privileged Access Management:
Let's look at communication the other way around: after a data breach the board will be feeling very sore and very vulnerable; the reputation of their core business will have been damaged, and heads are likely to roll.
The board members themselves know the 'rules': they have zero employment protection and full responsibility, and they know when they need to go. The obvious reaction is 'This must never happen again', although the practical reaction is more likely 'Make us such hard targets that the criminals go elsewhere'.
InfoSec will be in the limelight for a much shorter time than you'd expect. As soon as you present the measures to remediate an attack, a good board will move immediately to business recovery; it's their job. For the most part you'll only get one bite at the cherry, so get it right!
It's not practical to say to your InfoSec staff 'this must never happen again'. They'll get demotivated because they know it's an impossible task. Worse still, they'll use it as a reason to block business projects because they are not 100% secure. A better approach would be 'The board have taken this very seriously and are giving us the go-ahead to use the tools we need; we have to do this in concert with the urgent needs of rebuilding the business.'
From here it is a case of building specific plans from the board's imperative. It means looking at what happened and where your biggest risks are. In general the people side will be more important than the technology. All attacks start with technology but end with privileged accounts being stolen or otherwise compromised.
It may help to think the same way the board does: firewalls and anti-malware are the first lines of defence, removing the bulk of low-level threats. Protecting the privileged accounts is the key to protecting the core.