Over the next few months, Information Security leaders will be presenting their annual security update to the Board as required by the Gramm-Leach-Bliley Act (GLBA). The update is meant to summarize the information security program over the previous year and to recommend changes for the upcoming year.
As someone who has presented his fair share of GLBA reports, I can tell you that it’s definitely easier to share a positive report, but some of my most impactful work has come in the form of constructive criticism. It is important to tell the Board what they need to hear, not necessarily what they want to hear. Omitting key information or overstating the maturity of the cybersecurity program to avoid having tough conversations is irresponsible and reckless.
Many Boards do not have an overabundance of cybersecurity expertise; hence, they rely heavily on Management to report information in a meaningful and non-technical manner. We shouldn’t bury them in raw data for the sake of reporting to “check a box” for the next audit or exam. Simply put, the annual update should help the Board understand the threats, the risk they present, and how Management mitigates those threats and risks.
In addition to presenting the regulatory-required report, use your time in front of the Board to conduct high-level cybersecurity training. Know your audience and try to make the material relatable to them. For example, many Boards consist of local business leaders who may face similar challenges, such as phishing emails and email takeovers. Discuss highly publicized security events and give examples of how both the financial institution and the Board members themselves should protect against them.
Bedel Security assists our clients in various capacities to develop and/or deliver independent annual GLBA reports for Board presentations. We would be happy to review your program and provide feedback as appropriate. Send us an email at support@bedelsecurity.com to learn more.