Information Security and the Changing Role of the Board of Directors

Organizations today face a number of risks that did not exist, or were unimaginable, a decade ago. Although the Board of Directors was always responsible for these risks, boards often left the details to company management. Previously, board agendas did not include items such as pandemic response, terrorist attack, business continuity planning, and information security alongside financing alternatives.

Several years ago, with the passage of Sarbanes-Oxley and the founding of the Public Company Accounting Oversight Board (PCAOB), new standards for board composition were established. The reforms recognized that the typical board included executives with extensive experience, just not many with financial expertise. They also addressed the "closed" nature of most boards: few people outside the current or prior management teams were included. Although it was argued that this practice improved the industry and company knowledge available to the board, the result was to limit the dissent and independent evaluation that outside members provide. The new standards established criteria for independence and financial acumen in board composition.

Fast forward a few years and these same boards now face additional challenges, including the current credit crunch, a slowing economy and an evolving, increasingly complex regulatory environment. The role of a board member is more difficult than it was before the PCAOB was established.

One of the challenges facing organizations is how best to protect the assets of the company, including its information assets. Recent press coverage of data breaches, and the corresponding costs in fines and reputation loss, has served to highlight the concern. With increased visibility and scrutiny on the board, how can board members provide effective governance over such a complex topic? There are some significant barriers to overcome, including:

  1. Integration of Information Technology and Information Security into corporate strategy. Effective security can only be sustained if its results (protected data and systems) visibly support the business strategy. If the organization does not value that link, security will depend on the effort, diligence and integrity of individuals within the organization rather than on the organization itself.
  2. Priority on the board agenda. With so many competing agenda items, how much time and energy should the board dedicate to Information Security discussions? If Information Security is not integrated into the business objectives of the organization, the honest answer may be very little. If the discussion is framed around achieving significant business objectives, the priority becomes clear.
  3. Communicating information technology and security issues to the board effectively remains a challenge. It is easy to let the conversation turn to technology options and their associated costs. Maintaining an organizational perspective would be far easier with a common language and framework for evaluating risks and the effectiveness of the controls that mitigate them.
  4. For a topic to rise to the board level, it needs to be of strategic importance. The difficulty is deciding, across current performance, emerging risks and business changes, which items meet that bar. A common framework and language should allow meaningful metrics to be established that indicate when an item should be escalated for board review.

Finally, the capabilities of board members vary significantly in tenure, experience, and familiarity with technology. This leads to significant differences between boards: some have exceptional capacity for oversight of information assets, while others will struggle. Until this element of board composition is mandated, boards should consider steps to categorize, prioritize and measure information security risks and mitigation measures, and to communicate them consistently between management and the board.

Our Team
Our team is composed of experienced executives, managers and consultants who will assist your banking organization in the development, implementation and execution of comprehensive risk management and compliance strategies. From the initial passage of Sarbanes-Oxley in 2002, Visage has provided solutions to a client base ranging from private, entrepreneurial companies to large multinationals.

Our Value 

    • Utilizing our proprietary SingleVue™ compliance methodology, we tailor comprehensive, cost-effective and flexible solutions to our clients.
    • Our solutions enhance your current business processes, rather than adding unnecessary overhead, thus creating measurable long-term value.
    • We involve your executive team, including your internal and external advisors, to guarantee solutions are absolutely consistent with your requirements.
    • We allow you to concentrate on managing your business.

For more information, visit our home page: www.visagesolutions.com

Copyright © 2007 Visage Solutions, LLC.