Another short post to break up the big essays I tend to write.
These are the questions any Security Manager worth his salt needs to have prepared answers for anytime he attends the board of the company or socialises with board members:
- Are we safe?
- Can I take responsibility for the actions of the company?
- Who handles our data?
- Who are we doing business with?
- Are they accountable?
- What is everyone else in our sector doing?
If you focus your metrics away from the numbers of technical security events and deployed security controls, and towards answering those questions, you’ll get a much more engaged board who will be happier to hear you speak.