Security awareness among executives and boards tends to spike when mainstream media covers an incident or the institution suffers an attack, but some leaders may also misunderstand data security as a technical issue that is controlled by the IT function. Chief information officers (CIOs) and chief information security officers (CISOs) struggle to keep leadership engagement at an appropriate, constructive level that acknowledges the possibility of data losses and seeks the best ways to minimize the impact and cost of incidents.
At Brown University, the CISO takes news stories about data breaches and converts them into one-page education memos that the CIO distributes to the cabinet and board. Incidents that involve a real campus vulnerability or those that affect Brown directly are prioritized, but the CISO also writes memos (primarily for the president and provost) when peer institutions are affected and when breaches receive media attention in mainstream publications that trustees are likely to read.
Brown’s focus on getting relevant information to leaders as events occur saves time by keeping executives and trustees up to date, and also achieves a goal set by many CIOs: make sure executives are appropriately informed and educated about security, and approach new funding and initiatives proactively.