Thursday, February 19, 2015

Boards Not Briefed on Strategy?

I'd like to make a quick note on strategy, after reading After high-profile hacks, many companies still nonchalant about cybersecurity in the Christian Science Monitor today. The article says:

In a survey commissioned by defense contractor Raytheon of 1,006 chief information officers, chief information security officers, and other technology executives, 78 percent said their boards had not been briefed even once on their organization’s cybersecurity strategy over the past 12 months...

The findings are similar to those reported by PricewaterhouseCoopers in its Global State of Information Security Survey last year in which fewer that 42 percent of respondents said their board actively participates in overall security strategy.

Does this worry you? Do you want to introduce strategic thinking into your board discussion? If the answer is yes, consider these resources.

1. Check out my earlier blog posts on strategy, especially the first two articles.

2. Watch the keynote I delivered at ArchC0n last year. My section starts around 8:30.

3. For those who want to apply strategic thought to network security monitoring, I addressed that in a Webcast for O'Reilly last year.

At the end of the day, we need to be talking in strategic terms with business leaders, not technical terms. They are not having the conversations they need, and too few of us know how to speak a language that aligns with their interests and goals.

We need to convince boards and CxOs that we are understand their goals, and that security teams are implementing the correct strategy and running the right campaigns to achieve business objectives. We should not be talking to them about the tactics and tools to support the strategy and campaigns. Sell executives on your strategy, not your technical knowledge.

No comments: