
teissTalk host Jenny Radcliffe was joined by Jon Herd, VP of Information Security, Paddle, as lead guest; Henry Jiang, Chief Information Security Officer, Diligent; and Chris Dunning-Walton, Founder & MD, InfoSec People.
You might be unaware that 28 January is Data Protection Day. The first internationally binding data protection instrument, Convention 108, was signed forty-one years ago, while GDPR, the EU’s data protection law, which also serves as a template for other regions, came into force in May 2018. GDPR has certainly contributed to raising individuals’ awareness of their data rights, as well as of what can be done if they are not respected. The right to data protection is also becoming increasingly important as new technologies keep appearing in our digital landscape.
Although it seems there are no established ways of marking Data Protection Day among the teiss panel or the audience, there were some viable suggestions, such as, for a start, spring cleaning your weak passwords or the subscriptions you no longer need.
The panel agreed that Board engagement in cyber security matters has improved considerably in the past few years. However, although the Board today is more likely to be familiar with key security issues, its knowledge of them is often rather limited.
As for data security, the first step is to define what exactly is meant by PII (personally identifiable information), as there is some disagreement about it in the industry. Awareness of where a business’s data is, how it’s accessed and shared, and when it needs to be deleted has certainly increased as a result of various pieces of data protection legislation. Getting cyber risks across to the Board has always been a challenging task for CISOs, requiring strong communication skills and an ability to translate techy language into that of business performance. Some security professionals, like Jon from our panel, may even want to get some training designed for executives in order to improve their leadership skills and develop a better understanding of the Board’s approach.
However, managing cyber risk should be the joint responsibility of security professionals, the C-suite and the Board, and shouldn’t normally involve CISOs battling to get heard.