by Neal Weinberg

13 traits of a security-conscious board of directors

Feature | Nov 29, 2021 | 7 mins | CSO and CISO

A CISO's success (and job longevity) is often dependent on support from the board of directors. Answers to these questions will reveal how security savvy a BoD is.

A group of business leaders / board members with questions.
Credit: FangXiaNuo / Melpomenem / Getty Images

CISO turnover rates are legendary, so let’s say you’re one of the many job-hunting CISOs, and you have two or three targets on your short list. Or maybe you’re being recruited by a prospective employer to be their next CISO. Or you’re a security exec looking to move up to the CISO level. Or you’re just trying to benchmark how your board stacks up when it comes to security. One of the first things to consider is the security mindset of the company’s board of directors.

While the board doesn’t manage day-to-day security activities, it does set the culture, it signs off on financial and policy decisions related to cybersecurity, and it is ultimately responsible if there’s a breach.

So, how do you tell if a board is cybersecurity savvy? What are the traits to look for?

1. Does the board have at least one security expert?

Some companies have chosen to put a designated security guru on their boards, but William Guenther, head of the non-profit Advanced Cyber Security Center, says that’s merely a first step on the road to having a security-savvy board. One key indicator of a board that’s really cyber-savvy is whether there is more than one board member with a security/technical background.

For example, the board of directors of General Motors includes the former VP of IS at Lockheed Martin, the co-founder and co-CEO of Workday, and the former CEO of Lucent Technologies, now current chairwoman at HPE.

2. Does the board ask good questions?

Nobody expects board members to know how to configure a firewall, but you do want board members who can not only take in information from a detailed presentation by the CISO, but also come back with probing questions, says Michael Figueroa, an independent security consultant.

An even better trait, and one that is rare, is a board that isn’t driven by the “incident du jour,” but is able to ask questions that corporate management hasn’t even thought of, says Guenther.

3. Does the board’s chain of command and reporting structure put the CISO in a position of authority?

For example, if the board has a security question, does that flow of information get filtered through a CFO or other intermediary, or is there direct communication between the board and the CISO? Also, in terms of the formal organizational structure of the company, does the CISO, who probably reports to the CIO or CEO, also have a ‘dotted line’ directly to the board, says Guenther.

4. Does the board conduct regular and detailed risk assessments?

Security-conscious boards are able to identify and categorize their “crown jewels,” the company’s most critical data assets, and set policies to protect those assets. However, companies can’t protect everything and often have to make decisions on what level of risk to accept. Another key trait of a security savvy board is having procedures in place to document those risk-based decisions, says Trip Hillman, director of cybersecurity service at Weaver, an IT advisory services company. He says it’s important to capture that “tribal knowledge” in writing, so that if a security incident should occur, the board can go back and analyze the decisions that were made along the way.

5. Does the board have security-focused subcommittees?

Many boards have subcommittees that target specific areas such as risk management, audit and compliance. Figueroa says security-savvy companies will loop in the CISO because all these areas have a major security component. Figueroa adds that the most security-conscious boards also have a specific subcommittee on cybersecurity, although that’s rare.

6. Does the board meet regularly with the CISO?

Guenther says he’s aware of some organizations where the CISO might get only 45 minutes once a year in front of the board, which is clearly not enough, particularly with the threat landscape changing so fast. What ends up happening is that the CISO tries to cram 50 slides into a presentation that ends up going over everyone’s head. Boards should have CISO updates on the agenda multiple times a year, says Guenther.

7. Are the IT budgets and cybersecurity budgets presented to the board together?

Cyber budgets need to be viewed as part of the overall IT budget and the CISO needs to be allowed to present the cybersecurity budget alongside the CIO. Guenther points out that if boards view security as simply an expense, they’re missing out on opportunities to improve the overall security posture of the organization. For example, one of the best security-related moves a company can make is simply de-commissioning a legacy system that is no longer supported by the vendor and has become a security risk.

8. Does the board integrate security concerns into all its discussions?

Boards make critical strategic decisions with respect to digital transformation, mergers and acquisitions, partnerships with third parties, etc. A security-savvy board will include the security angle in all of those discussions. When the CIO presents a digital transformation initiative, the CISO should be part of that presentation. When a business leader presents any type of plan, there should be a discussion of the security implications.

9. Does the board receive security training?

No matter how sophisticated the board is, there is always value in regular security training for board members, so they can keep up with the ways in which changing conditions – COVID-19, remote working, supply chain bottlenecks – can create new security challenges. This type of training should be conducted by an outside expert who can provide a broad industrywide perspective, says Hillman.

10. Does the board practice sound cybersecurity hygiene in its own communications?

One trait of a security-conscious board is whether its own internal communications are conducted securely, says Hillman. Does the board communicate over private channels? Are sensitive documents encrypted? Do they use secure methods for videoconferencing or collaboration? If the company is using data loss prevention (DLP) technology or deploying zero trust for all its employees, are those security measures being applied to the board?

11. Does the board use benchmarks to measure security preparedness?

Companies routinely conduct all types of security-related exercises such as penetration testing, vulnerability assessments, defender team or red team exercises. Are the results of those activities communicated up to the board and used as benchmarks to help measure security preparedness over time? Hillman says boards need to benchmark things like patch management rates, vulnerability controls, and incident response.

12. Does the board make a determined effort to drive security culture throughout the company?

For example, is there a strong cybersecurity education program? Does the board push for cybersecurity to be part of all activities at the company, from onboarding new employees to ongoing anti-phishing training?

13. Does the board create a climate of open, honest information sharing?

Boards set the tone, not only in what they do, but also in the way that they conduct business, in the atmosphere, and the environment that they create. For example, if there’s a breach, does the board look for a scapegoat to blame or do they launch an objective fact-finding mission to determine what went wrong and what mitigation steps can be taken to prevent further incidents? Can the CISO come to the board and deliver bad news without fear of being ignored or punished? Does the relationship between board and CISO allow for quick, informal communications on an as-needed basis, outside of the regularly scheduled meetings? (“Hey, what does the SolarWinds hack mean for us, if anything?”) Security-conscious boards should have a strong, trusted relationship with the CISO that supports two-way communication.