The group started out by discussing how frequent, almost daily breaches have been something of a wake-up call for their respective board members. Customers are also getting smarter and more concerned about these issues. So how do we provide them with meaningful information and advice? With more boards now getting involved, it’s key that CISOs and security professionals ensure that board members also receive meaningful and critical information.
So how do we determine which risks are board-appropriate? Many of the people at the table had developed GRC programs to help determine which risks needed to be brought to their board’s attention and which were minor incidents that the security teams could handle without the need to report. They discussed the general criteria for each risk scenario and also agreed that it’s important not only to present risks to the board, but also to go in with a plan of attack for how you intend to deal with those risks.