Security Experts:

Getting ROI From a Security Advisory Board That Works: Part 1 - Why

The Biggest Mistake People Make With Security Advisory Boards is Not Using Them

In 2016, my CEO asked me to work with an outside advisor, Gary McGraw, to create a Security Advisory Board (SAB) for our company. Right away, I realized that creating a strong advisory board to effectively support the company would take a lot of work. We spent significant time thinking about how this board could add value to the business, and how to ensure that the board’s ideas and solutions were implemented. First, let me note that credit for many of the ideas in these articles should go to Gary. He was instrumental in the creation and continued success of our SAB. In the first article of this two-parter, I will explore the kinds of value a SAB can bring to a company, and why its creation is worth all the effort. In the next article, I will talk about the nuts and bolts of executing a successful SAB. 

Before embarking on the project, it is important to understand why you are creating a SAB in the first place. I see four key benefits from having a SAB. First, it is a rare opportunity to get away from the daily scramble and think strategically. It is a time you set aside to ask, “What should we be doing?” rather than thinking about how to accomplish the next task on a seemingly never-ending list. Second, the process of working with your SAB forces introspection. You need to ask yourself questions about how you want to use these people and make the most of the time you will have with them. The SAB is a limited and expensive resource. Third, the tempo of SAB meetings ensures that the company re-focuses its attention on security issues on a regular basis. Finally, it enables the speaking of truth to power. In most organizations, it is difficult or dangerous to express some hard realities to the executives. Because the members of the SAB don’t work in the company, they can tell it like it is. They can, will, and should tell you that your baby is ugly. Every company has ugly security babies.

The SAB meetings provide an opportunity to bring senior leadership into the security discussion and process. Because the discussions are often at a strategic level, the whole C-Suite can understand and appreciate the information. The more they are involved, the more likely it is that they will support the resulting conclusions and suggestions. This is extremely helpful in getting executive buy-in for major security initiatives at risk of meeting resistance from other constituencies within the organization.

The SAB also provides an opportunity for people in the organization to shine in front of leadership. I usually start by crowdsourcing topics from within the company, asking for the biggest security concerns, issues, and initiatives. I also ask about any strategic plans or visions that will need executive support. Then, I delegate the actual presentations out to people closest to those issues or who suggested the topics. By delegating the presentations to others, you are free to participate in and listen closely to the discussions. The visibility provided to the speakers can also be a huge morale and career boost for them, giving a sense of importance and involvement in the decision-making processes.

In my experience, the biggest mistake people make with Security Advisory Boards is not using them. People may create advisory boards with the best of intentions, but then a year passes between meetings. If the meetings do happen, they are thrown together at the last moment without deep thought about the agenda and goals. Even if there are good ideas in the meeting, they just languish without being captured within the organization or used in a plan of action.

If strategic thinking, introspection, re-focusing, and hard truths sound worth the effort, the next question is how to make sure you get that value from your SAB. Stay tuned for my next article to learn more!

view counter
Lance Cottrell founded Anonymizer in 1995, which was acquired by Ntrepid (then Abraxas) in 2008. As Chief Scientist, Lance continues to push the envelope with the new technologies and capabilities required to stay ahead of rapidly evolving threats. Lance is a well-known expert on security, privacy, anonymity, misattribution and cryptography. He speaks frequently at conferences and in interviews. Lance is the principle author on multiple Internet anonymity and security technology patents. He holds an M.S. in physics from the University of California, San Diego and a B.S. in physics from the University of California, Santa Cruz. In his spare time Lance grows high-end pinot noir grapes in the Russian River Valley AVA.