1. Security Is a Boardroom Issue
Contrary to what some CEOs may think, information security is absolutely a boardroom issue. Even though security issues sometimes seem mired in technical details, ignoring them altogether can hurt the bottom line, the brand and shareholder value. These aren’t technology issues; these are core business issues.
If a business chooses not to set security policies, or sets them so loosely that it suffers a highly publicized attack, it could find itself ostracized by its largest customers and partners. Risks of this kind are boardroom issues, and they should be discussed by you and your advisors regardless of their technical background.
Currently, most executives focus on security only in relation to complying with regulations such as HIPAA, Sarbanes-Oxley and the PCI Data Security Standard. In last year’s 10th annual Ernst & Young global information security survey, approximately 64 percent of corporate executives reported compliance as the principal information security driver.
Clearly, your peers are standing up and listening because regulators are holding their feet to the fire. In some ways, this is a good thing: it has definitely raised overall awareness of security topics in the C-suite. As one of my customers puts it, his department is finally starting to get the input he believes information security personnel should have.
“In the last few years, I’ve started to see a change. Traditionally, we’d be ignored,” he says. “Even if you’re a C-level person, you never really got the inclusion that the rest of the C-suite did. That’s starting to change. I find my department becoming included in more business decisions. Anytime people are looking to do their due diligence in acquisitions and mergers, we’re consulted.”
But compliance as a security driver is a double-edged sword. According to John Pescatore, analyst with Gartner Research, executives and board members should not be so quick to throw their security spend at compliance efforts.
“Really, it is dangerous to hang your hat on compliance as a justification for everything,” Pescatore says. “From a boardroom point of view, we think security should be protection-driven, not compliance-driven.”
7 Things Every CEO Should Know About Information Security
Lumension Security’s Chairman and CEO Pat Clawson sits down to provide executive-level insight into effective and data-centric corporate security.