From Securities to Security: The SEC is Bringing IT Security to the Boardroom
Cyber security breaches have become a weekly news item, riveting the attention of both regulators and boards of directors on cyber security. Since regulators are generally not cyber security experts, recommendations for educating and working with them include:
- Increase transparency in your dealings with regulators. Be proactive to build rapport and establish a trust-based relationship.
- Regulators can still be narrowly focused on the transactional parts of a security program and on compliance standards rather than on evolving security issues. Work to educate them on the current threat environment and the realities of cyber security.
- If direction from regulators is vague, explain how you interpreted their direction. Allow them to clarify what they meant, and use the gap between the two readings as the agreed point from which to move forward.
Boards of directors are gaining awareness of cyber security issues and events via external sources, such as the Wall Street Journal, online media and regulators. Recommendations for educating the board and guiding the conversation around cyber security issues include:
- Be proactive and establish rapport. Maintain a high level of transparency with the board to forge a relationship built on confidence and trust.
- Establish and maintain steady communications with the board. Consider distributing a weekly newsletter and/or forwarding pertinent news items.
- Make use of educational resources available from the DHS and other regulatory authorities.
- Transition a board’s typical question of “Are we secure?” to a conversation on how mature the organization is in its information security program.
- Leverage security frameworks (NIST, C2M2, ISO) to frame the conversation and advance key messages about cyber security maturity at the application, organization and portfolio levels.
- Discuss information security so that it becomes an entry in the board-level risk register. Address the potential for brand and reputation damage.