Cyber Security Is the Board’s Business: The Top Five Questions Every Corporate Director Should Ask the CISO
As part of your fiduciary responsibility as a board member, you are expected to establish and govern business policies and practices that drive your company’s financial performance and growth. While the scope of your oversight may now mandate periodic cyber security briefings on board meeting agendas, would you say you have a comprehensive view of your enterprise’s defense posture to assure your ability to serve as a conscientious steward of the business?
Perhaps in the past you viewed cyber security primarily as an IT responsibility but now realize the challenge extends far beyond the bounds of technology. Cyber security is a critical component of enterprise risk management and a top-level business priority. Corporate boards face escalating legal liability for underperforming on their fiduciary obligations if they fail to adequately govern risk and protect their businesses from cyber attacks. With so much at stake, are you getting the information you need to make sure security strategies and initiatives comply with increasingly zealous regulatory requirements, prioritize threats based on consequences to help your business stay in business, and ensure shareholder return on investment? Forty percent of board member respondents in the Wall Street Journal CIO Report are dissatisfied with the information they receive from their security teams.
Now is the time to start a conversation with your security leaders. Ask them the questions that will yield the vital insight you need to guide informed, cyber-conscious risk management decisions that must be made with diligent care. Rather than reactively signing off on proposed cyber security strategies presented with limited evidence of business value, proactively dig deeper and start looking under the hood. Ask the experts to tell you what you don’t know. Request additional information and challenge assumptions so that you are better prepared to successfully oversee your company’s cyber security posture, and ensure that your organization strikes the optimal balance between minimizing risk and propelling the innovation that fuels competitive advantage.
Ask Your CISO the Tough Questions about Security
The Bottom Line Depends on Board Vigilance
Consider asking the following questions to initiate an ongoing dialogue with your CISO and other security experts. This actionable risk intelligence will allow you to provide guidance on the allocation of scarce resources and empower your security practitioners to combat increasingly complex and malicious cyber threats so they can protect what matters most to the enterprise.
1. All companies are vulnerable to major data breaches like the recent high-profile incidents impacting companies in the retail, healthcare, financial services and entertainment sectors; what are we doing to minimize potential damage, avoid disruption of business operations, and keep our name out of the headlines?
Probe deeply to understand what measures are in place to protect brand reputation and shareholder value, and maintain customer confidence. Given the absence of a common vocabulary or clearly established standards for cyber risk management and board oversight, this inquiry may lead to a discussion about best practices for information security management. What lessons can be learned from how peer companies and competitors are addressing the cyber security challenge? How does your company’s cyber defense program compare with others in the industry?
“While breaches seem inevitable, managing them—long before they happen, while they are happening, and after they have happened—is critical for maintaining shareholder, customer, and employee trust. Right now, boards and CEOs play the most crucial role in getting this right, and we must lead.”
2. How prepared are we for a cyber attack? What plans do we have in place for threat prevention and detection and incident response and containment?
The first order of business involves discovering your assets and risks so you can protect your most valuable business data and applications from cyber attacks. Then find out what capabilities exist to identify and mitigate malicious events in real time. This remains a challenge for many organizations: Verizon’s annual Data Breach Investigations Report found that nearly 70 percent of companies discover data breaches via a third party, and they typically don’t learn of compromises until months after they occurred.
What roles and responsibilities are assigned to specific stakeholder groups during and after a breach? Have relationships been established with third parties so they can spring into action should the company need external assistance? Is there a crisis communications plan that outlines the process for disclosing incidents and sharing information with peers, regulators, law enforcement, shareholders and media contacts? Is the legal team poised to advise on and handle reporting requirements? It makes sense to ask for details, including if and how incident response plans have been rehearsed.
“If the worst were to happen, could we honestly tell our customers, partners or regulators that we’ve done everything that was expected of us?”
3. How do we effectively protect our “crown jewels”—the valuable digital data and applications that are most critical to our business and most vulnerable to attack?
Ask how the organization is anticipating emerging threats, identifying trends, and establishing early-warning mechanisms. Companies must rank cyber risks that jeopardize business-critical assets in the same way they prioritize other vulnerabilities. It’s a risk-reward balancing equation that involves implementing tiered security measures designed to focus on the highest-value targets that must be protected since any breach of these assets would significantly harm the organization.
“Identifying and mitigating the cyber risks that would have the most significant economic impact to the business can help reduce the likelihood that a company will have to disclose incidents to its shareholders, thereby protecting business value and reducing liability exposure.”
4. Where on the cyber threat spectrum should our needle point? What is our risk appetite and our acceptable risk tolerance?
According to Matteo Tonello, managing director of corporate leadership at The Conference Board, there is little guidance on how boards should assess the risk culture of an entire organization. Corporate directors may rely too heavily on people, processes and technologies that do not deliver the concise, enterprise-level information linked to key business objectives. Do the company’s risk targets and thresholds allow it to seize opportunities for differentiation and growth? Quantify the organization’s appetite and tolerance; ensure that the risk strategy is in alignment and sufficient resources have been allocated. Revisit the critical elements that are core to the company’s success and ensure they are rigorously protected.
“Well-managed companies… have a robust enterprise risk management program focused on thinking about risk in real time, standardizing the risk language used across the organization, and continuously mapping risks to regulations, controls, processes and strategic objectives.”
5. We spend millions of dollars on cyber security every year; what are the highest-priority initiatives the board should support to stay ahead of adversaries?
The board and senior management set the tone and define core values and expectations for the company’s risk culture. The organization’s risk tolerance must be clearly communicated across the enterprise. All employees need to know specifically what falls within and outside acceptable boundaries. Embedding cyber security awareness across all levels of the organization encompasses periodically training employees and ensuring they are familiar with security policies and demonstrate secure behaviors regarding system and data access. To ensure alignment, directors should ask the CISO and security experts for a roadmap that incorporates risks into a technology acquisition strategy.
“Boards play an important role in ensuring that their companies acquire and embed the appropriate technologies to protect the most critical elements of the business.” – The Corporate Board
If you continuously ask these questions, not only will your cyber security literacy dramatically improve, so too will your ability to successfully fulfill your responsibilities as a corporate director. Moreover, the security gurus helping to educate you and other board members will become more conversant in business dialogue and will gain greater visibility of the critical challenges facing the enterprise. When corporate directors and information security leaders understand each other’s language and engage in a business-focused dialogue, they dramatically improve their ability to collaboratively develop and implement risk management strategies and technologies that will protect the enterprise and sustain marketplace success.