You’re in town for a board meeting, and run into the CISO in the lift. Or, better yet, he or she is in the board meeting to give a rundown on cyber security. You’d like to take an active role in data governance. First off, kudos for that—but what are you supposed to ask? You’re not a cyber security expert…
In fact, many board members may not understand everything that the CISO’s role entails or the specifics of how the CISO’s responsibilities differ from those of the CIO and CTO. Whereas CIOs and CTOs make the technology work, CISOs identify and manage technology-related threats to the business’s operations or reputation. They must obtain a 360-degree view of the threats and how much they might end up costing the company, as well as the costs of reducing the probability of a cyber attack to an acceptable level.
Given the prevalence of security breaches and the scope and magnitude of the consequences, getting “up close and personal” with your CISO shouldn’t require a chance encounter in the lift. You should demand direct access to the CISO on a formal—and regular—basis.
But that doesn’t mean you need to dig into the technical details about risks and mitigation plans. By asking a set of high-level questions, you can gather information that positions you to be an active participant in key strategic decisions relating to information security:
1. What are the top information-security threats facing your company? These are the “icebergs” that have the potential to severely damage the business’s viability. Theft of data often grabs the headlines, but cyber attacks are alarmingly diverse. Other potential threats include a “denial of service” attack that could stop your company from operating its business, as well as malware injection and phishing, to name just a few.
2. For each of these major threats, what are your company’s high-level mitigation strategies and the costs for executing them? Find out how the information security team plans to reduce these threats to a tolerable level and ensure that the costs of mitigation don’t outweigh the expected benefits. The CISO should also be able to explain how the team monitors the performance of the mitigation actions.
3. How frequently does your company reevaluate previously identified risks and seek to identify new ones? The information security team should never assume that it knows all the major threats or is mitigating them effectively. Ensure that the team reevaluates which icebergs are out there at least annually, and then reexamines whether its mitigation strategies are still effective.
4. What is the crisis response plan when risk management fails? It’s a question of when, not if, your company will experience a cyber attack. How it responds will make a huge difference in terms of both financial and reputational damage. The CISO should be able to present a few slides that summarise the response plan for the top-three threat scenarios. Make sure the information security team is applying lessons from previous incidents that occurred at your company and others in their efforts to aggressively manage the potential fallout from attacks.
5. To what extent are the budgets for technology spending and security spending aligned and proportionately scaled? Security spending should grow proportionately with technology spending. You don’t want your technology infrastructure to grow faster than the information security team’s ability to mitigate the risks. Ensure that the team has the resources it needs to keep pace.
Remember, you don’t have to be a cyber-security expert to talk to the CISO. If the discussion strays into the technical weeds, steer the CISO back to business issues. The same common-sense principles and risk-versus-reward assessments that drive discussions when you’re planning a merger or acquisition are just as helpful if you’re talking about information security risks with your CISO.
In upcoming posts, we’ll delve deeper into what you should look for when discussing each of these issues with your CISO.
December 28, 2020
What Role Does the Board Play in Business Continuity Planning?
Continuing in the face of adversity has been the dominant theme of the past year. When the scale of disruption caused by COVID-19 became clear, businesses worldwide were forced to adapt rapidly to the restrictions that came into force overnight. While many organisations have business continuity plans designed to keep…
December 21, 2020
Business Continuity Plan Maintenance: A Step-by-Step Guide
A business continuity plan (BCP) is a living, evolving document. Designed to be activated when unplanned disruption strikes, it must be flexible enough to guide actions regardless of the specifics of the situation. In a fast-changing environment, business continuity plan maintenance is an essential part of the business continuity programme…
December 8, 2020
Board Meeting Minutes Best Practices and Guidelines
Guidelines for Board Meeting Minute Taking In order to keep the courtroom from invading the boardroom, the most basic rule is, “saying less is often better,” warns the London-based law firm Bricker & Eckler in a recent note. “Today’s business climate places heightened…