You’re in town for a board meeting, and run into the CISO in the lift. Or, better yet, he or she is in the board meeting to give a rundown on cyber security. You’d like to take an active role in data governance. First off, kudos for that, but what are you supposed to ask? You’re not a cyber security expert …
In fact, many board members may not understand what the CISO’s role entails or how the CISO’s responsibilities differ from those of the CIO and CTO. CIOs and CTOs make the technology work; CISOs identify and manage technology-related threats to the business’s operations or reputation. They must obtain a 360-degree view of the threats and how much they might end up costing the company, as well as the costs of reducing the probability of a cyber attack to an acceptable level.
Given the prevalence of security breaches and the scope of the consequences, getting “up close and personal” with your CISO should not require a chance encounter in the lift. You should request direct access to the CISO on a formal and regular basis.
But that does not mean you have to dig into the technical details about risks and mitigation plans. By asking a few high-level questions, you can gather information that positions you to be an active participant in key decisions.
1. What are the top information-security threats facing your company? These are the “icebergs” that have the potential to severely damage the business’s viability. Theft of data often grabs the headlines, but cyber attacks are alarmingly diverse. Other potential threats include a “denial of service” attack that could stop your company from operating its business, as well as malware injection and phishing, to name just a few.
2. For each of these major threats, what are your high-level mitigation strategies and the costs for executing them? The costs of mitigation should not outweigh the expected benefits. The CISO should therefore be able to explain what each mitigation action costs and how well it is performing.
3. How often does your company reevaluate previously identified risks and seek to identify new ones? The information security team should never assume that it knows all the major threats or is mitigating them effectively. Ensure that the team reevaluates which icebergs are out there at least annually, and then reexamines whether their mitigation strategies are still effective.
4. What is the crisis response plan when risk management fails? It’s a question of when, not if, your company will suffer a cyber attack. How it responds can make a huge difference in terms of both financial and reputational damage. The CISO should be able to give a brief summary of the response plan for the top-three threat scenarios, showing how the potential fallout from an attack would be aggressively managed.
5. To what extent are the budgets for technology spending and information security proportionately scaled? Security spending should grow proportionately with technology spending. You do not want your technology to grow faster than the information security team’s ability to mitigate the risks. Ensure that the team has the resources it needs to keep pace.
Remember, you do not have to be a cyber-security expert to talk to the CISO. If the discussion strays into the technical weeds, steer the CISO back to business issues. The same common-sense principles and risk-versus-reward assessments that drive other board discussions apply when you’re talking with the CISO.
In upcoming posts, we’ll dig deeper into what you should look for when discussing each of these issues with your CISO.