This article is the sixth in a series of articles by Nav Canada vice-president and chief information officer Claudio Silvestri about talking to your board about cybersecurity.
Clearly define your capabilities across all related areas and identify where you have gaps
With a clear understanding of your adversary and a good sense of how mature your cybersecurity program is, you will then be able to map out your current capabilities and gaps against those insights.
However, for the purposes of discussing this with your Board as part of your overall program and future requirements, you must not fall into the trap of describing your capabilities through a technology lens or getting into the minute details.
When describing your requirements to your Board you must take into consideration some of the points I described above in the “Know Your Board” section. For instance, you should understand the level of detail preferred by your Board.
In general, I would say work towards a single page visual that outlines all the core elements of your cyber program — a heat map of sorts. A good overall cybersecurity capability heat map might cover the following capabilities:
- High-level functional services that make up the cyber program;
- Technology component capabilities;
- Independent assurance provider programs and external services;
- Employee awareness programs;
- Event preparedness, event response and communication plan;
- Integration programs with facilities and corporate security;
- Internal governance structures and policy framework.
A heat map structure allows you to use colour to convey specific messages without the need for detailed descriptions. For instance, you could highlight areas where you are weak or have concerns in red, or use green for areas where you have future initiatives planned or require investment.
This will allow you to present your overall program in a structured and informative manner, while at the same time setting up the conversation on your planned initiatives and investment requirements.
This offers your Board a higher-level view of where you are and where you would propose to go with your cyber program.
It outlines this in a very clear and easy-to-understand format which you can speak to. Further, in one simple view, your Board sees how extensive your program is, and gains a greater appreciation for all the pieces that make up a robust cybersecurity program.
Next article in the series: “Cybersecurity essentials – investment and initiative”