
Getting ROI From a Security Advisory Board That Works: Part 2

Over the years, I have participated in many advisory boards. In every case, I have been a strong supporter of the business and wanted to contribute. However, in almost every case, I ended up feeling like I provided little more than my name on a pitch deck slide. In 2016, I was tasked with working with outside advisor Gary McGraw to create an advisory board focused on improving security for Ntrepid. I was committed to doing it right and ensuring that it made a meaningful impact on the company.

In the first part of this series, I talked about why a Security Advisory Board (SAB) is worth the time and effort. Now, it is time to dive into the details of how to actually make one work.

Step zero is picking who will be on the advisory board. Although people inside the company will participate, the board should be composed of outsiders. Take a systematic approach to creating your SAB. Don’t just invite the smartest, most famous people you happen to know and like.

Start with a list of the characteristics you are looking for in your board. Some capabilities we prioritized were: systems engineering; commercial experience; government experience; incident response; a big rolodex; name recognition; and cryptography. We then worked our direct and indirect networks to identify a list of prospects. No one person was going to meet our whole wish list, and we wanted both specialists and generalists. We scored the importance of each capability, then created a spreadsheet of all the candidates and what they could bring to the table. From that, we picked a list of people to invite.

After a few rounds of interviews and rejections on both sides, we ended up with an SAB composed of six rockstar security experts with very diverse backgrounds, perfectly tailored to our needs.

To get value from your SAB, you need to actually engage with them. My experience is that holding in-person, all-day meetings two to four times per year is about right. Less frequently, and they will forget details about what you are doing. More frequently, and you may spend too much time on the meetings and not enough time leveraging their suggestions.

When posing questions and topics for the SAB, keep them big and open-ended. This is not a good place to get into small details of your implementations or approaches. These people are generally not far enough in the weeds of your organization to provide helpful feedback. Rather, focus on the big picture. Why are you doing security in your organization? What should your security priorities be? How can you structure the company to improve your effectiveness at security? What approaches to security will be most effective given your situation?

Provide a read-ahead packet to the SAB. It should include the agenda, notes on the previous meeting, and any information they should have to put the meeting presentation in context. It saves a huge amount of meeting time if you don’t need to cover the basics of your products or technologies and can dive directly into the issue at hand.

In addition to assigned reading, it is absolutely appropriate to assign homework to the SAB. If there are questions that will require some research, make sure you get those out to the members well in advance. If you find that some SAB members don’t do this work, consider finding replacements.

Assign someone—again, not you—to take notes on the meeting, either live or from a recording. Trying to capture all the value from SAB discussion by memory is extremely inefficient. Good notes allow you to capture key ideas, arguments, tasks, and topics for future discussion. These notes should be distributed internally shortly after the meeting and included in the packet distributed before the next meeting.

Don’t wait for the next quarterly or semi-annual meeting to follow up on issues that come up. In general, SAB members have committed to help you far beyond just preparing for and attending the regular meetings. Set up conference calls with the most appropriate members to drill down on issues that showed up in the most recent meeting, or that have cropped up between meetings.

The SAB members can also be a fantastic resource for answers to ad-hoc questions. Even without a meeting or conference call, a quick email with a specific question can save you huge amounts of headache. Make a habit of reaching out to your SAB when you are grinding on a hard security problem to see if there is an easy way around it before investing a huge amount of time.
