With businesses having to navigate a global pandemic, increased phishing threats and a quick shift to a remote workforce, boards of directors have been asking, “How secure are we?”
Studies indicate that boards today are more informed about cyber-risk than ever and are using the increased focus on cybersecurity to guide business decisions. As boards become more informed and more prepared to challenge the effectiveness of their companies’ programs, they are asking leaders more complex and nuanced questions.
According to Gartner, most board questions can be categorized into five areas:
1. Security Incidents
Q. “How did this happen?” “I thought you had this under control?” “What went wrong?”
A. Acknowledge the incident, provide details on business impact, outline weaknesses or gaps that need to be worked out, and provide a mitigation plan. Be cautious not to endorse one option as the ultimate choice when in front of the board. The responsibility for oversight of security and risk remains with the security leader, but the accountability has to always be defined at the board/executive level.
2. Security status
Q. “Are we 100% secure?” “Are you sure?”
A. It’s impossible to be 100% secure or protected. The CISO’s role is to identify the highest-risk areas and allocate finite resources toward managing them based on business appetite. Gartner suggests beginning with something like: “Considering the ever-evolving nature of the threat landscape, it’s impossible to eliminate all sources of information risk. My role is to implement controls to manage the risk. As our business grows, we have to continually reassess how much risk is appropriate. Our goal is to build a sustainable program that balances the need to protect against the need to run our business.”
3. Security landscape
Q. “How bad is it out there?” “What about what happened at X company?” “How are we compared to others?”
A. Avoid guessing at the root cause of a security issue at a different company. Consider discussing a series of broader security responses such as identifying a similar weakness and how it’s being fixed or updating business continuity plans.
4. Risk
Q. “Do we know what our risks are?” “What keeps you up at night?”
A. Explain the business impact of risk management decisions and ensure that your positions are supported by evidence. The board will be seeking assurances that material risks are being adequately managed, and that subtle, long-term approaches may be appropriate in some instances. Focus on the big-ticket items that you control (Loss of IP / Regulation / Third-party risk).
5. Performance & Budget Allocation
Q. “Are we appropriately allocating resources?” “Are we spending enough?” “Why are we spending so much?”
A. Board members will want to know about metrics and ROI. As much as possible, explain aspirations in terms of business performance, not technology. Performance is underpinned by a series of security measurements that are evaluated using a set of objective criteria.
ACE IT Solutions offers vCISO, cybersecurity and risk management services to help assure boards that their cybersecurity plans are strategic and effective. Contact us at firstname.lastname@example.org or 646.558.5575 to set up a cybersecurity risk consultation.