Dear Wazee Logunleko,

It really depends on a particular subject matter under discussion. However, at least one person at the level of CISO should be present at a C-level meetings. See some opinions below:

https://resources.tugboatlogic.com/request-demo-essentials?utm_campaign=FY21-Q2-GRO-DGEN-TF-Security-Assurance-EBOOK&utm_source=google&utm_medium=PPC-Text&utm_term=policies%20of%20cyber%20security&utm_campaign=ENT-Security-Assurance&utm_source=adwords&utm_medium=ppc&hsa_acc=2837158837&hsa_net=adwords&hsa_grp=127234234011&hsa_ver=3&hsa_kw=policies%20of%20cyber%20security&hsa_tgt=kwd-1417405689110&hsa_mt=p&hsa_ad=558608271288&hsa_src=g&hsa_cam=12886505657&gclid=CjwKCAiAvaGRBhBlEiwAiY-yMGtHjXGdsw6wBbx_suXe6HB49ZNvUXht2h7dKaY3ieaH8drIRPO-AxoC9eoQAvD_BwE

https://www.splunk.com/en_us/form/the-essential-guide-to-security.html?utm_campaign=google_amer_usa_en_search_generic_pubsec&utm_source=google&utm_medium=cpc&utm_content=Essential_guide_security_eb_EN&utm_term=government%20cybersecurity&_bk=government%20cybersecurity&_bt=292846545278&_bm=b&_bn=g&_bg=55669828933&device=c&gclid=CjwKCAiAvaGRBhBlEiwAiY-yMA5fOM3D-xo2tPkN1dnU2jCxDRAL0HRExQ_QnE0JpHd_DfUMUYxYSRoCQE4QAvD_BwE

Dear Wazee Logunleko,

You may want to look at some additional info:

A cybersecurity committee is often tasked with overseeing the development and implementation of an organization's cybersecurity policy, laying out the standards to which employees must adhere to mitigate the company's vulnerability.

https://landing.directorpoint.com/blog/does-your-board-need-a-cybersecurity-or-it-committee/#:~:text=A%20cybersecurity%20committee%20is%20often,to%20mitigate%20the%20company%27s%20vulnerability.

The Information Security Committee is responsible for the implementation and compliance of the. security related to that information as identified in the Information Security Policy.

Wazee Logunleko ,

I have seen the effectiveness of inclusion of cyber auditors reporting to board members (when the board members do listen). The problem faced in these instances is that most board members will not be literate in cyber lingo so effective communications skill is a must.

On the flip side, I have also seen board members that are more focused on reducing cost and improving profits rather than seeing a raise in costs (yes, most security measures are seen as costs not investments). My experience is that talking ROI is of limited effect on these board members that only see short term profits.

As a final note, in my former experience as a computer forensic investigator and security professional I found that frequently those who violate and bypass security mechanisms are management members themselves.

An organization that depends, to some extent, on Information Systems would have Information Technology (IT) specialists representatives at appropriate levels. This should suffice.

I will rather believe that organizations will not deliberately ignore important things to their detriment. Top level managers are more charged with strategic duties requiring anticipating the future; they rarely just seek short-term gains, except for survival.

IT specialists should do whatever is needed to be, and relate effectively, at whatever level necessary.

Adebayo, A.O,

I appreciate your response but I'd like to test the validity of the assumption that having "IT specialists’ representatives at appropriate levels should suffice" as you suggested. Suffice, relative to framing corporate cybersecurity policy, governance or compliance across the board or at the workforce threshold? Granted that cybersecurity expertise should count at all levels but will the boardroom management oversight trump sound implementation guidelines? Have we seen this scenario before or is this a preventable oversight? Just for consideration, but I’d like to explore the premise.

Cyber Security experts could be, and some are and had been, board members.