Don’t leave cyber security to the CISO


In the last month, I have shared four posts about cyber security, with special attention to the board:


I was planning to move to a different topic, but then two more pieces hit my screen (and came close to damaging it):

These are both pieces that rely on and share the perspective of practitioners. They also demonstrate an unhealthy failure to understand what directors need (recognizing that most don’t know what they need – they are poorly advised by consultants, etc.) – actionable business-focused information.


Sadly, I find little of value to quote from the first piece. While it seems to recognize that cyber should not be left to the CISO to handle by him or herself, it doesn’t reflect any understanding that, as I explained in my earlier posts, money and time spent on cyber come at the cost of spending those limited resources on something else: another source of risk or an opportunity.

Executives and the board need to be able to decide where to spend time and money based on risk and reward and how to best achieve objectives.


The second piece has at least one useful sentence:

As fiduciaries of all their company’s assets, Board members must increasingly look to their business judgements in making tactical and longer-term decisions regarding cybersecurity.

However, the author goes astray when…
