March 2015 | 9 | CIOReview

principles as follows:

1. Protect customer data
2. Ensure device integrity
3. Protect the supply chain
4. Protect our intellectual property

As CIOs and CISOs are increasingly asked to provide reports to the Board, this kind of framework can help to structure discussions in ways that resonate strongly and clearly for these influential stakeholders. Board members are looking to come up to speed quickly on the topic of cybersecurity and looking for security leadership to help them understand the risk profiles of their companies. As security leaders, we must succeed in presenting an accurate snapshot of the security business without using fear as a driving motivator. Security decisions should be presented and made within a solid business case. Without a clear understanding of your security business and how it relates to the rest of your company, there is a risk that board members will overcompensate in trying to mitigate cybersecurity threats - at the cost of innovation for your company, your partners and your customers. While building and maintaining a comprehensive security program is a fluid and ongoing process, it must be balanced with how you operate your business, and the degree of flexibility, agility and progress that you want to allow for your company to thrive.

Digestible metrics are key to selling your vision and program to the Board. Be able to demonstrate progress and return on investment for these stakeholders, to reinforce the value of having a sustainable and comprehensive security program. We can no longer talk about security in the confines of IT, but need to up-level the conversation and relate it to the broader business. Board members want you to highlight key strengths and weaknesses, so that they can immediately grasp the current state of the business' security posture. Identifying the top risk indicators and measuring performance against these metrics can provide the right level of assurance.
At the same time, this exercise can be used to identify known gaps in the security program and open the door for resource requests that you need to make.

As we look at today's current security landscape, where brand-name companies are being compromised on an increasingly frequent basis, you have the board's attention. It is no longer a matter of "if" your company will be compromised by bad actors, but rather "when" and "how." Use this opportunity to reinforce the work that you are driving to protect your company's assets and to secure staffing, budget and the other support you need to minimize identified risks. Importantly, also ensure that you aim high when forecasting for resources. In today's environment, the unexpected is the new norm, and as security leaders we need to be arming our companies to detect, protect and respond more aggressively and with more sophistication than ever before.

We have the opportunity to leverage this new, high-level and pointed interest in cybersecurity, and we should be grabbing hold of it with both arms. We have been offered a window to drive security forward in leaps and bounds. Priorities that haven't made it "above the line" for budgeting or other reasons should now be accelerated to strengthen the security of our companies in new and exciting ways. This will oftentimes require you to shift employee mindset or change established behaviors, but these are challenges that are well worth the effort if we are to keep pace - or stay ahead - of the current threat landscape. With security in the spotlight, we need to use this time to innovate and share best practices across our industry. As John F. Kennedy said, "A rising tide lifts all boats," and this is our time to advance the state of security, together.

"Without a clear understanding of your security business and how it relates to the rest of your company, there is a risk of resource overcompensation in trying to mitigate cyber security threats"