SecurityWeek

Management & Strategy

Getting ROI From a Security Advisory Board That Works: Part 2

Over the years, I have participated in many advisory boards. In every case, I have been a strong supporter of the business and wanted to contribute. However, in almost every case, I ended up feeling like I provided little more than my name on a pitch deck slide. In 2016, I was tasked with working with outside advisor Gary McGraw to create an advisory board focused on improving security for Ntrepid. I was committed to doing it right and ensuring that it made a meaningful impact on the company.

In the first part of this series, I talked about why a Security Advisory Board (SAB) is worth the time and effort. Now it is time to dive into the details of how to actually make one work.

Step zero is picking who will be on the advisory board. Although people inside the company will participate, the board should be composed of outsiders. Take a systematic approach to creating your SAB. Don’t just invite the smartest, most famous people you happen to know and like.

Start with a list of the characteristics you are looking for in your board. Some capabilities we prioritized were: systems engineering; commercial experience; government experience; incident response; a big rolodex; name recognition; and cryptography. We then worked our direct and indirect networks to identify a list of prospects. No one person was going to meet our whole wish list, and we wanted both specialists and generalists. We scored the importance of each capability, then created a spreadsheet of all the candidates and what they could bring to the table. From that, we picked a list of people to invite.

After a few rounds of interviews and rejections on both sides, we ended up with a SAB composed of six rockstar security experts with very diverse backgrounds, perfectly tailored to our needs.

To get value from your SAB, you need to actually engage with them. My experience is that holding in-person, all-day meetings two to four times per year is about right. Less frequently, and they will forget details about what you are doing. More frequently, and you may spend too much time on the meetings and not enough time acting on their suggestions.

When posing questions and topics for the SAB, keep them big and open-ended. This is not a good place to get into small details of your implementations or approaches. These people are generally not far enough in the weeds of your organization to provide helpful feedback. Rather, focus on the big picture. Why are you doing security in your organization? What should your security priorities be? How can you structure the company to improve your effectiveness at security? What approaches to security will be most effective given your situation?

Provide a read-ahead packet to the SAB. It should include the agenda, notes on the previous meeting, and any information they should have to put the meeting presentation in context. It saves a huge amount of meeting time if you don’t need to cover the basics of your products or technologies and can dive directly into the issue at hand.

In addition to assigned reading, it is absolutely appropriate to assign homework to the SAB. If there are questions that will require some research, make sure you get those out to the members well in advance. If you find that some SAB members don’t do this work, consider finding replacements.

Assign someone—again, not you—to take notes on the meeting, either live or from a recording. Trying to capture all the value from SAB discussion by memory is extremely inefficient. Good notes allow you to capture key ideas, arguments, tasks, and topics for future discussion. These notes should be distributed internally shortly after the meeting and included in the packet distributed before the next meeting.

Don’t wait for the next quarterly or semi-annual meeting to follow up on issues that come up. In general, SAB members have committed to help you far beyond just preparing for and attending the regular meetings. Set up conference calls with the most appropriate members to drill down on issues that showed up in the most recent meeting, or that have cropped up between meetings.

The SAB members can also be a fantastic resource for answers to ad-hoc questions. Even without a meeting or conference call, a quick email with a specific question can save you huge amounts of headache. Make a habit of reaching out to your SAB when you are grinding on a hard security problem to see if there is an easy way around it before investing a huge amount of time.
