Who should be on an enterprise cybersecurity advisory board?

After suffering data breaches, the Democratic National Committee formed a so-called cybersecurity advisory board. Some experts questioned the expertise of the members of the advisory board, raising doubts about their security experience. Are advisory boards like this effective for organizations struggling with cybersecurity? If an organization suffers multiple data breaches and forms an advisory board to help it get on track, what sort of background should its members have?

An advisory board is a body that provides informal expert and strategic advice to executive management on a particular subject matter. The advantage of an advisory board is its focus on a subject into which executive management would not necessarily have the expertise or time to deep dive, as they are dealing with issues and decisions that require management attention.

The Democratic National Committee (DNC) cybersecurity advisory board's mission is to have the knowledge and experience to "prevent future attacks and ensure the DNC" is secure. The DNC cybersecurity advisory board is made up of the following four individuals:

• Rand Beers, deputy homeland security advisor to President Obama and former acting secretary of the U.S. Department of Homeland Security;
• Aneesh Chopra, executive vice president and co-founder of data analytics firm Hunch Analytics and former U.S. Chief Technology Officer (CTO);
• Michael Sussmann, partner in the privacy and data security practice at law firm Perkins Coie since September 2005; and
• Nicole Wong, former U.S. Deputy CTO and former vice president and deputy general counsel at Google.

The concern some cybersecurity professionals voiced regarding the experience of these advisory board members at the outset may seem understandable, since they don't have the cybersecurity certifications you might expect an expert to have. However, their work experience should be sufficient.

One strong point that these four individuals bring to the table is an understanding of U.S. government bureaucracy and the red tape involved with getting things accomplished. Whether they will call upon subject matter experts to deploy the right level of protection over the DNC servers is the real question. Based on their experience, it will likely not be an issue, but only time will tell.

At an enterprise level, a cybersecurity advisory board member needs certain experience and qualifications to be successful, including:

• A working knowledge of both business objectives and cybersecurity technology. This combination is always helpful in developing viable and pertinent cybersecurity deployments.
• Previous experience in cybersecurity. Academia and professional certifications are a must, but if the person lacks the experience, then their recommendations for securing critical assets may be in doubt.
• Independence from any influence from IT management in making cybersecurity recommendations, while also having a vested interest in ensuring critical assets are protected. For example, an advisory board member may be a department head where his personnel require access to critical data.

Familiarity with laws, regulations and other compliance requirements, like the National Institute of Standards and Technology, the Payment Card Industry Data Security Standard, HIPAA and others, is important. This familiarity helps members to adequately support and assist in correlating the cybersecurity program with compliance.

If an enterprise is considering creating a cybersecurity advisory board, then it should focus on the makeup and experience of the prospective board members.

Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)