The Why and How of High ROI Security Advisory Boards
Creating a strong Security Advisory Board (SAB) for your organization can be a challenge, but it has the potential to yield a significant reward. In a two-part SecurityWeek article series, I discuss my recent experience assembling an advisory board and explore the various ways to ensure that yours brings value to your business.
Part 1: Why a Security Advisory Board is worth the effort
In the first article, I discuss the four key benefits of having an SAB. First, it is a rare opportunity to get away from the daily scramble and think strategically. It is a time you set aside to ask, “What should we be doing?” rather than thinking about how to accomplish the next task on a seemingly never-ending list. Second, the process of working with your SAB forces introspection. You need to ask yourself questions about how you want to use these people and make the most of the time you will have with them. The SAB is a limited and expensive resource. Third, the tempo of SAB meetings ensures that the company re-focuses its attention on security issues on a regular basis. Finally, it enables speaking truth to power. In most organizations, it is difficult or dangerous to express some hard realities to the executives. Because the members of the SAB don’t work in the company, they can tell it like it is. They can, will, and should tell you that your baby is ugly. Every company has ugly security babies.
SAB meetings provide an opportunity to bring senior leadership into the security discussion and process. The more the C-suite is involved in the conversation, the more likely they are to support the resulting conclusions and suggestions. In addition, the SAB provides an opportunity for people in the organization to shine in front of leadership. I often delegate the presentations to the various teams working closest to the issues. The visibility provided to the speakers can also be a huge morale and career boost for them, giving them a sense of importance and involvement in the decision-making process.
Part 2: How to make your SAB actually work
The first order of business is to choose who will be on the advisory board. Though company employees will participate, the board should be composed of outsiders. When deciding, it is important to take a systematic approach and not just choose the smartest and most famous people you know.
Compile a list of the characteristics you are looking for (e.g., systems engineering, government experience, cryptography, large networks, incident response). Work with your networks to identify a list of prospects, score the importance of each capability, and hold several rounds of interviews.
Once your board is assembled, it is crucial to actually engage with its members, holding full-day meetings about four times a year. Keep questions and topics big and open-ended, and assign someone to take notes during the meeting. Provide a read-ahead packet that includes the agenda, notes from previous meetings, and any context they will need for the upcoming meeting. Additionally, assign homework to the members of the SAB for questions that require some research. Follow up promptly after the meeting on the issues that came up by setting up conference calls with the most appropriate members.
Make a habit of reaching out to your SAB when you are grinding on a hard security problem to see if there is an easy way around it before investing a huge amount of time.
In my experience, the biggest mistake people make with advisory boards is not using them. People may create advisory boards with the best of intentions, but then a year passes between meetings. If strategic thinking, introspection, re-focusing, and hard truths sound worth the effort, you can very easily maximize the value of your Security Advisory Board.