Edition 1.0.0
Updated October 9, 2023
While you may handle the day-to-day responsibilities of managing security in your organization, your executive and board members hold the accountability and overall responsibility for them, and for all other sorts of risks faced by the business.
This role is well defined by both national and international directors’ institutes and is governed by law in most countries. In fact, a director’s responsibility is so well defined and important that many organizations take out specific insurance to cover this risk.
Important: It is this legal responsibility that makes choosing when and how you communicate security risks to your board of directors and executive teams incredibly important. Once a director has been informed of a risk, they must take actions to either mitigate, reduce, or otherwise eliminate it. It’s not optional; it’s their legal obligation to do so.
Let’s say that you found that one of your live production systems is using a third-party library with a known critical vulnerability.
When communicating with your development leads and team to get it addressed, you may provide a technical brief on the issue and a proposed solution. This issue will get recorded on the backlog and will be prioritized along with the other issues and tickets of a similar priority.
What would be different about communicating this to the executive team and board?
In this case, the executive team is less concerned about the technical brief that you would give the development team. They want to understand:
What is the issue?
What is the risk associated with this issue?
How long has this been an issue and how long have we known about it?
What are the impacts of this issue?
Is this a notifiable event (an event that is serious enough that it needs to be disclosed to the public/market/shareholders)?
What steps have been taken to address this issue?
When will it be resolved?
Please understand that while some of these seem like the same level of detail you would give to your development team, they are not the same.
The focus in these answers is to be concise, objective, and fact-based. Remember, your board members are non-technical and focused on the risk to the organization. They are taking a much higher-level view than your implementation team.
You should also remember that anything formally reported to the board is recorded as part of the board records. These records are then visible to shareholders and stakeholders at certain times of the company’s life and may be analyzed by potential investors and acquirers. This is not the place for careless words that will trigger questions later.