Cybersecurity Insights: Essential Questions Board of Directors Should Ask
Board of Directors and Cyber Security
Awareness among Boards of Directors (BODs) of cyber threats, and of the need to stay current on them, is rising rapidly. Historically, Boards were often perceived as lacking the competence to understand cyber risk, or as finding cybersecurity too technical. They frequently failed to recognize that cybersecurity is an ongoing concern, reacting only to high-profile breaches highlighted in the media and then quickly shifting focus to other pressing matters. As a result, cybersecurity often became a priority only after it was already too late.
In my career and roles over the past several years, it has become part of my duty to stay in touch with BODs and advise them on various statuses and trends related to cyber threats. Boards typically care about several key areas:
- Strategic positioning and growth of the organization
- Shareholder value and brand protection
- Strategic plans, resource allocation, and management compensation
- Oversight of compliance (government and sector regulations, ESG)
- Critical business risks, including cybersecurity
- Comparison with sector peers
- Individual Board members’ fiduciary liability
Given these priorities, Board members often ask how they can effectively address cyber risks. Here are the top seven questions that BODs can ask to ensure the organization's cyber risk is managed well:
1. Do we have an inventory of key assets?
- Understanding what critical assets need protection is fundamental. This includes data, intellectual property, and IT infrastructure.
2. Who is targeting us (key adversaries) and why?
- Identifying potential adversaries helps in understanding the nature of threats. This could range from cybercriminals to state-sponsored actors.
3. Which are our key controls and what is their status?
- Knowing the current security controls and their effectiveness is crucial. Regular audits and assessments help in this evaluation.
4. Where are the gaps and how do we plan to close them?
- Identifying vulnerabilities and having a concrete plan to address them is essential for maintaining robust security posture.
5. Do we have an incident response/business continuity/resilience plan?
- Preparedness for cyber incidents includes having a well-documented and tested incident response plan, ensuring business continuity, and building organizational resilience.
6. How much is at risk?
- Quantifying potential losses in case of a cyber incident helps in understanding the financial implications and preparing adequate responses.
7. How do we compare with our peers?
- Benchmarking against industry standards and peers provides insight into where the organization stands and areas needing improvement.
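Question 6 asks how much is at risk. The article does not prescribe a method for answering it; the following is an added example, not part of the original piece, showing one common way to turn "how much is at risk" into figures a Board can weigh: simulate a threat scenario as a frequency of loss events per year combined with a loss-per-event distribution, then report the expected annual loss and the bad-year percentiles. The scenario parameters (event frequency, loss range, the effect attributed to a proposed control) are hypothetical and constructed for illustration; they are not data from the article. Only the Python standard library is used.

```python
"""Illustrative Monte Carlo estimate of annual cyber loss exposure.

Added example: the scenario parameters below are hypothetical and are not
figures from the article. Only the Python standard library is used.
"""
import math
import random
import statistics


def poisson(rng, lam):
    """Draw an event count from Poisson(lam) using Knuth's method.

    Adequate for the small per-year frequencies used here; the standard
    library has no Poisson generator of its own.
    """
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(events_per_year, loss_low, loss_mode, loss_high,
                           runs=20000, seed=7):
    """Simulate `runs` years of losses for one threat scenario.

    events_per_year: expected number of loss events per year (Poisson mean).
    loss_low/loss_mode/loss_high: triangular distribution of loss per event,
    in the organization's currency.
    Returns the simulated annual losses in ascending order.
    """
    rng = random.Random(seed)  # fixed seed: results are reproducible
    annual = []
    for _ in range(runs):
        n_events = poisson(rng, events_per_year)
        total = sum(rng.triangular(loss_low, loss_high, loss_mode)
                    for _ in range(n_events))
        annual.append(total)
    return sorted(annual)


def summarize(annual):
    """Turn a sorted loss sample into the figures a Board can act on."""
    n = len(annual)

    def percentile(q):
        return annual[min(n - 1, int(q * n))]

    return {
        "expected_annual_loss": statistics.fmean(annual),
        "prob_any_loss": sum(1 for x in annual if x > 0) / n,
        "p50": percentile(0.50),
        "p95": percentile(0.95),  # a "1-in-20 bad year" figure
        "p99": percentile(0.99),
    }


def control_benefit(before, after):
    """Reduction in expected annual loss attributable to a control."""
    return before["expected_annual_loss"] - after["expected_annual_loss"]


if __name__ == "__main__":
    # Hypothetical scenario (constructed for this example): ransomware
    # hitting a core business system roughly once every three years, with a
    # per-event loss between 0.2M and 8M, most likely around 1.5M.
    baseline = summarize(simulate_annual_losses(0.30, 200_000, 1_500_000, 8_000_000))
    # Same scenario if a proposed control (say, tested offline backups plus
    # network segmentation) is assumed to halve the frequency and cap the
    # worst case at 3M. These effect sizes are assumptions, not measurements.
    with_control = summarize(simulate_annual_losses(0.15, 200_000, 1_000_000, 3_000_000))
    for label, s in (("baseline", baseline), ("with control", with_control)):
        print(f"{label:13s} EAL={s['expected_annual_loss']:>12,.0f}  "
              f"P(loss)={s['prob_any_loss']:.2f}  p95={s['p95']:>12,.0f}  "
              f"p99={s['p99']:>12,.0f}")
    print(f"expected annual loss reduction: "
          f"{control_benefit(baseline, with_control):,.0f}")
```

The expected annual loss answers question 6 in the currency the Board already thinks in, and the p95/p99 figures show the tail that an average hides. Running the same scenario with and without a proposed control, as the script does, gives a defensible way to argue the cost of closing a gap (question 4) against the loss it avoids; the honest caveat is that the inputs are estimates, so the ranges should be reviewed with the people who own the systems and revisited as incidents and assessments produce real data.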
Additional Considerations for the Board of Directors
To extend and enhance the understanding and engagement of the Board in cybersecurity, consider the following points:
Cybersecurity as a Strategic Business Enabler
- Proactive Cybersecurity Strategy:
Emphasize that robust cybersecurity can be a strategic advantage, enhancing customer trust and opening up new business opportunities.
- Integration with Business Goals:
Align cybersecurity initiatives with business objectives, ensuring that security measures support the overall strategy and growth plans.
Regular Cybersecurity Training and Simulations
- Board Training:
Schedule regular training sessions so that Board members stay current on the latest cyber threats and trends.
- Simulated Cyber Attacks:
Conduct tabletop exercises and simulations to prepare the Board and executive team for potential cyber incidents. This helps in refining the incident response plan and improving readiness.
Cybersecurity Metrics and Reporting
- Key Performance Indicators (KPIs):
Develop cybersecurity KPIs that are reported to the Board on a fixed cadence. Metrics could include the number of incidents detected, mean time to detect and to respond, and results of vulnerability assessments, such as the share of critical findings remediated within the agreed timeframe. Report trends rather than isolated counts, since a rising number of detected incidents can reflect better detection as easily as a worsening threat.
- Regular Updates:
Ensure that cybersecurity is a standing agenda item in Board meetings, with regular updates provided by the Chief Information Security Officer (CISO) or equivalent.
Collaboration with External Experts
- Advisory Councils:
Establish cybersecurity advisory councils comprising external experts to provide independent insights and recommendations.
- Third-Party Assessments:
Commission regular third-party assessments and audits to provide an unbiased view of the organization's cybersecurity posture.
Conclusion
Some fundamental cybersecurity knowledge is crucial for BOD members to function competently and effectively oversee the organization's cyber risk management. Engaging with cybersecurity professionals, staying informed on the latest trends, and integrating cybersecurity into the overall business strategy are key steps in building a resilient organization.
For further assistance, please reach out to Netassist at [email protected] .