State of Information Security: Educating Your Board
Section 501(b) of the Gramm-Leach-Bliley Act clearly defines the Board of Directors' responsibilities for developing the information security program of a financial services institution. It calls for significant board involvement in the creation and the oversight of the information security program.
I have sat through numerous presentations meant to present the 'state of (information security) affairs' to the board members. More often than not, these presentations were used as a venue to tick another checkmark for a variety of audiences: federal and state regulators, external auditors, and the board/committee members themselves. In most cases, these presentations did function well as another checkmark. However, they failed to truly showcase the issues that needed attention from the very top of the organization. In extreme cases, I have witnessed (and it is not something I am proud of) gory details of how each device in the institution was missing a certain 'software patch.' The board members neither understood the impact of those missing patches on the bank's processes, nor made the connection that there was a root cause behind all the missing patches. But the presentation did serve one purpose: it was recorded in the meeting minutes as key evidence that the board had been briefed on the state of information security at the institution.
Another lost opportunity to have an honest conversation about the good, the bad and the ugly.
So, I spoke of the board's responsibilities. Are there any responsibilities on the part of the advisors or senior management? Shouldn't it be their responsibility to present a clear and concise report to the board about where the institution stands with regard to protecting its customers' information?
Have you had this conversation with your board lately?
Having sat through these presentations for years, I thought I would put together a quick list of how to present this information effectively to board members:
Now, you can sleep well at night knowing that you have done what's right for your institution, its customers and yes, even the board members. Give them the tools to make decisions; don't make the decisions for them!