Ben McGuire, Senior Analyst
Last month’s article in Harvard Business Review, “All Boards Need A Technology Expert,” caught my eye, because we often hear from IT Forum members about challenges in communicating with their boards on critical IT issues.
One of the thorniest challenges is cyber security. According to a recent survey by the Ponemon Institute, an organization that conducts independent research on privacy, data protection, and information security policy, only 22 percent of boards in all industries receive briefings on cyber security strategy.
However, security experts interviewed by Ponemon expect that number to triple in three years, and believe that by 2018, 66 percent of boards will receive regular briefings on cyber security issues. In other words, many more of our members will need to explain cyber security to their governing boards, and this will require making cyber risks relevant at the executive level.
Get board members to an appropriate level of security awareness
Too often, boards might misunderstand data security as a purely technical issue that is controlled by the IT function, or overreact when an irrelevant breach in a different industry generates headlines. IT leaders need to keep executive engagement at an appropriate, constructive level that acknowledges the possibility of losses and seeks the best ways to minimize the impact and cost of security incidents.
At Brown University, the IT team uses just-in-time memos about recent breaches to instantly educate executives about the incident, root cause vulnerability, potential impact, institution protections for similar issues, and remaining exposure. The memos are at their most effective when following two simple rules:
1. Prioritize most relevant events
- Incidents that involve a security vulnerability of particular importance for your own institution should take precedence, followed by those involving neighbors or aspirant peers
- If executives are likely to learn about a breach in the mainstream media (e.g., New York Times, CNN, Chronicle of Higher Education), pre-empt their questions and help them understand if that event really matters for your institution
2. Send no more than six per semester
- Too infrequent, and boards will remain unaware about risks; too often, and the lesson will become diluted—use six per semester as your maximum memo distribution rule
- When possible, use multiple distribution lists; the board should learn about high-profile, public, and very important issues, but the provost should also be aware of incidents involving local schools and peer institutions
IT Forum Members, Log In to Learn More
To find out more about Brown’s use of board education memos and download a template to use at your institution, access our implementation toolkit and related study, Elevating Security Awareness.