Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

Getting ROI From a Security Advisory Board That Works: Part 1 – Why

The Biggest Mistake People Make With Security Advisory Boards is Not Using Them

The Biggest Mistake People Make With Security Advisory Boards is Not Using Them

In 2016, my CEO asked me to work with an outside advisor, Gary McGraw, to create a Security Advisory Board (SAB) for our company. Right away, I realized that creating a strong advisory board to effectively support the company would take a lot of work. We spent significant time thinking about how this board could add value to the business, and how to ensure that the board’s ideas and solutions were implemented. First, let me note that credit for many of the ideas in these articles should go to Gary. He was instrumental in the creation and continued success of our SAB. In the first article of this two-parter, I will explore the kinds of value a SAB can bring to a company, and why its creation is worth all the effort. In the next article, I will talk about the nuts and bolts of executing a successful SAB. 

Before embarking on the project, it is important to understand why you are creating a SAB in the first place. I see four key benefits from having a SAB. First, it is a rare opportunity to get away from the daily scramble and think strategically. It is a time you set aside to ask, “What should we be doing?” rather than thinking about how to accomplish the next task on a seemingly never-ending list. Second, the process of working with your SAB forces introspection. You need to ask yourself questions about how you want to use these people and make the most of the time you will have with them. The SAB is a limited and expensive resource. Third, the tempo of SAB meetings ensures that the company re-focuses its attention on security issues on a regular basis. Finally, it enables the speaking of truth to power. In most organizations, it is difficult or dangerous to express some hard realities to the executives. Because the members of the SAB don’t work in the company, they can tell it like it is. They can, will, and should tell you that your baby is ugly. Every company has ugly security babies.

The SAB meetings provide an opportunity to bring senior leadership into the security discussion and process. Because the discussions are often at a strategic level, the whole C-Suite can understand and appreciate the information. The more they are involved, the more likely it is that they will support the resulting conclusions and suggestions. This is extremely helpful in getting executive buy-in for major security initiatives at risk of meeting resistance from other constituencies within the organization.

The SAB also provides an opportunity for people in the organization to shine in front of leadership. I usually start by crowdsourcing topics from within the company, asking for the biggest security concerns, issues, and initiatives. I also ask about any strategic plans or visions that will need executive support. Then, I delegate the actual presentations out to people closest to those issues or who suggested the topics. By delegating the presentations to others, you are free to participate in and listen closely to the discussions. The visibility provided to the speakers can also be a huge morale and career boost for them, giving a sense of importance and involvement in the decision-making processes.

In my experience, the biggest mistake people make with Security Advisory Boards is not using them. People may create advisory boards with the best of intentions, but then a year passes between meetings. If the meetings do happen, they are thrown together at the last moment without deep thought about the agenda and goals. Even if there are good ideas in the meeting, they just languish without being captured within the organization or used in a plan of action.

If strategic thinking, introspection, re-focusing, and hard truths sound worth the effort, the next question is how to make sure you get that value from your SAB. Stay tuned for my next article to learn more!

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

SecurityWeek speaks with two leading CISOs in the aviation industry – Mitch Cyrus of Honda Aircraft, and Mark Ferguson of Bombardier.