Educause Security Discussion mailing list archives

Re: Member question re: board presentations on security


From: Alfred Barker <Alfred.Barker () USG EDU>
Date: Thu, 15 Dec 2016 13:35:56 +0000

In addition to Brad’s wonderful comments, I’ve had great success by first understanding the key motivators of the 
“board.” For example, our Chancellor has three imperatives that are held dear: 1) commitment to academic excellence and 
degree completion, 2) commitment to economic development and world class research and 3) commitment to accountability, 
efficiency, and innovation in higher education.  Understanding this, when presenting I craft my discussion around these 
imperatives showing either how we align, advance and bring value or how we might be missing the mark and may risk not 
achieving the imperatives.

Also, do not underestimate the power of quantitative analysis… having hard empirical data in lieu of anecdotal information 
builds credibility.  Lastly, prepare and rehearse “elevator” proposals – a nod to Brad’s comment to have “succinct” 
responses to potential questions.  This is also helpful if you are fortunate to have follow-on discussions resulting 
from your presentation.

Preparation is Key… Great Success!

Alfred S. Barker, MSIS
Assistant Vice Chancellor / CISO
Cybersecurity, Board of Regents
University System of Georgia
2500 Daniels Bridge Rd. Building 300
Athens, Georgia 30606
706-583-2032

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brad Judy
Sent: Wednesday, December 14, 2016 1:48 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Member question re: board presentations on security

Make sure to ask about the preferred format and length of time for presenting to the board.  Many boards still like 
hard copies of documents and agendas might be very tightly run for time.  For an initial presentation, a very high 
level (just a few minutes) overview of the structure of your information security program is a great place to start.  
The content depends highly on the type of program you have, but simple statements like these are probably good to 
consider:

(who are you, what do you do, where are we now, where are we headed, how will we know when we get there)

- Very high level review of your team/program’s scope and responsibilities
- High level overview of process for establishing these policies/procedures/standards
  - Ownership of security policies/procedures/standards resides with group X
  - Input and feedback for these policies/procedures/standards includes representation from these groups…
  - Final approval is given by this group/individual…
  - New items and changes are communicated in this way…
- We have established policies/processes for these high level areas: acceptable use, incident response, data 
  classification, etc. (don’t dig into details even if asked – defer to following up with documents via email)
- The high level goals for the program over the coming year are…
- We intend to measure our progress and success through these methods…
- We would like to return to report on our progress toward these goals in X months…

Keep each top level bullet to 1-2 minutes for a total of less than 10 minutes.

Anticipate as many questions ahead of time as you can so you have quick, succinct answers.  What are the hot topics 
for executives in your organization at the moment?  How do they connect to your program?  Have there been any recent 
major security news items, and how would you answer “could this happen to us?” or “does this impact us?”?

Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu


From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Joanna Grama <jgrama () EDUCAUSE EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wednesday, December 14, 2016 at 11:31 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Member question re: board presentations on security

Hello,
I received a request from a member today, who wishes to remain anonymous, to ask this group the following question:

What types of information would you provide to your institution’s board in an information security presentation/report? 
Especially if it were the first-ever information security report to the board?  For context, this was a request to 
present for informational purposes only and not in response to an institutional breach.

For those of you that are veterans of reporting to your institutional boards, what advice do you have to share?

Kind regards,
Joanna


Joanna Grama, JD, CISSP, CRISC, CIPT
Director of Cybersecurity and IT GRC Programs

EDUCAUSE
Uncommon Thinking for the Common Good
282 Century Place, Suite 5000, Louisville, CO 80027
direct: 720.406.6769 | main: 303.449.4430 | jgrama () educause edu