CYE Strategy

Board Members, Start Asking the Right Questions on Security

May 1, 2021

Board Members, Start Asking the Right Questions on Security

Over the last several years, business leaders and Boards of Directors have had to face an uncomfortable truth: It’s become impossible to sit at the head of a company and not address cybersecurity. Addressing cyber risks no longer sits solely on the shoulders of the IT department. A CISO and his or her team cannot do the job alone. To tackle cyber risks, the board of directors, business leaders, the IT department, as well as senior management all need to be involved and work together. Indeed, cybersecurity is an enterprise-wide issue and directors should expect everyone to be accountable for managing the risks.

However, according to research conducted by EY, only 29% of board members understand the organization’s cybersecurity risk exposure in terms of dollars and cents, or financial risk.

Board Members, Start Asking the Right Questions on Security

While the board may not understand the intricacies of cybersecurity, it needs to understand the business impact that a cyber breach can have on the organization and what the organization’s cyber risk exposure means in terms of dollars and cents, as well as legal and reputational damage. In order to do this, they need to educate themselves and learn how to ask the right questions. 

We gathered a list of questions that board members should ask management in order to gain a better understanding of their companies cybersecurity postures.

1. How did you create your cybersecurity roadmap?

2. How often does management test the plan and apply any lessons learned from that testing?

3. What is the company’s overall cybersecurity strategy?

4.How do you measure the efficiency of the security controls that are already in place?

5. How agile are you in your ability to react to ever evolving threats and trends in the market?

6. What processes and tools are in place to alert management when a breach attempt is underway?

7. What is the company’s crisis management and incident response plan?

8. Are threats given a dollar value, based on the damage the threat can cause to the business, its critical assets and continuity?

9. What is the company doing to protect its most sensitive data and business critical assets?

10. What is the ongoing practice for gathering, monitoring, analyzing and reporting risks?

11. Has management indicated where the next cybersecurity dollars should be invested and why?

12. Has management made any updates based on recent incidents at other companies?

13. How does management evaluate and categorize identified incidents and determine which to escalate to the board?

14. Does the board understand the company’s total risk exposure of a cyber attack, including financial, legal and reputational impacts?

15. Is the company assessing the cybersecurity postures of third-party vendors?

16. Is the company using a framework, such as NIST, or a maturity model to help with cyber risk management?

17. Do you have an employee cyber training program? If so, do you assess how effective it is?

Boards of directors should take it upon themselves to integrate cybersecurity into regular discussions about strategy and risk, seek external advice, and ensure that prioritizing cybersecurity is part of the company’s DNA.