Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Getting ROI From a Security Advisory Board That Works: Part 2

Over the years, I have participated in many advisory boards. In every case, I have been a strong supporter of the business and wanted to contribute. However, in almost every case, I ended up feeling like I provided little more than my name on a pitch deck slide. In 2016, I was tasked with working with outside advisor Gary McGraw to create an advisory board focused on improving security for Ntrepid.

Over the years, I have participated in many advisory boards. In every case, I have been a strong supporter of the business and wanted to contribute. However, in almost every case, I ended up feeling like I provided little more than my name on a pitch deck slide. In 2016, I was tasked with working with outside advisor Gary McGraw to create an advisory board focused on improving security for Ntrepid. I was committed to doing it right and ensuring that it made a meaningful impact on the company.

In this first part of this series, I talked about why a Security Advisory Board (SAB) is worth the time and effort. Now, it is time to dive into the details of how to actually make one work.

Step zero is picking who will be on the advisory board. Although people inside the company will participate, the board should be composed of outsiders. Take a systematic approach to creating your SAB. Don’t just invite the smartest, most famous people you happen to know and like.

Start with a list of the characteristics you are looking for in your board. Some capabilities we prioritized were: systems engineering; commercial experience; government experience; incident response; a big rolodex; name recognition; and cryptography. We then worked our direct and indirect networks to identify a list of prospects. No one person was going to meet our whole wish list, and we wanted both specialists and generalists. We scored the importance of each capability, then created a spreadsheet of all the candidates and what they could bring to the table. From that, we picked a list of people to invite.

After a few rounds of interviews and rejections on both sides, we ended up with a SAB composed of six rockstar security experts with very diverse backgrounds, perfectly tailored to our needs.

To get value from your SAB, you need to actually engage with them. My experience is that in-person, all-day meetings two to four times per year is about right. Less frequently, and they will forget details about what you are doing. More frequently, and you may spend too much time on the meetings and not enough time leveraging their suggestions.

When posing questions and topics for the SAB, keep them big and open-ended. This is not a good place to get into small details of your implementations or approaches. These people are generally not far enough in the weeds of your organization to provide helpful feedback. Rather, focus on the big picture. Why are you doing security in your organization? What should your security priorities be? How can you structure the company to improve your effectiveness at security? What approaches to security will be most effective given your situation?

Provide a read-ahead packet to the SAB. It should include the agenda, notes on the previous meeting, and any information they should have to put the meeting presentation in context. It saves a huge amount of meeting time if you don’t need to cover the basics of your products or technologies and can dive directly into the issue at hand.

In addition to assigned reading, it is absolutely appropriate to assign homework to the SAB. If there are questions that will require some research, make sure you get those out to the members well in advance. If you find that some SAB members don’t do this work, consider finding replacements.

Assign someone—again, not you—to take notes on the meeting, either live or from a recording. Trying to capture all the value from SAB discussion by memory is extremely inefficient. Good notes allow you to capture key ideas, arguments, tasks, and topics for future discussion. These notes should be distributed internally shortly after the meeting and included in the packet distributed before the next meeting.

Don’t wait for the next quarterly or semi-annual meeting to follow up on issues that come up. In general, SAB members have committed to help you far beyond just preparing for and attending the regular meetings. Set up conference calls with the most appropriate members to drill down on issues that showed up in the most recent meeting, or that have cropped up between meetings.

The SAB members can also be a fantastic resource for answers to ad-hoc questions. Even without a meeting or conference call, a quick email with a specific question can save you huge amounts of headache. Make a habit of reaching out to your SAB when you are grinding on a hard security problem to see if there is an easy way around it before investing a huge amount of time.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Funding/M&A

Twenty-one cybersecurity-related M&A deals were announced in December 2022.

CISO Conversations

In this edition of CISO Conversations, SecurityWeek speaks to two city CISOs, from the City of Tampa, and from Tallahassee. 

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.