You’re in town for a board meeting and run into the CISO in the lift. Or, better yet, he or she is in the board meeting to give a rundown on cyber security. You’d like to take an active role in data governance. First off, kudos for that—but what are you supposed to ask? You’re not a cyber security expert…
In fact, many board members may not understand everything that the CISO’s role entails or the specifics of how the CISO’s responsibilities differ from those of the CIO and CTO. Whereas CIOs and CTOs make the technology work, CISOs identify and manage technology-related threats to the business’s operations or reputation. They must obtain a 360-degree view of the threats and how much they might end up costing the company, as well as the costs of reducing the probability of a cyber attack to an acceptable level.
Given the prevalence of security breaches and the scope and magnitude of the consequences, getting “up close and personal” with your CISO shouldn’t require a chance encounter in the lift. You should demand direct access to the CISO on a formal—and regular—basis.
But that doesn’t mean you need to dig into the technical details about risks and mitigation plans. By asking a set of high-level questions, you can gather information that positions you to be an active participant in key strategic decisions relating to information security:
1. What are the top information-security threats facing your company? These are the “icebergs” that have the potential to severely damage the business’s viability. Theft of data often grabs the headlines, but cyber attacks are alarmingly diverse. Other potential threats include a “denial of service” attack that could stop your company from operating its business, as well as malware injection and phishing, to name just a few.
2. For each of these major threats, what are your company’s high-level mitigation strategies and the costs for executing them? Find out how the information security team plans to reduce these threats to a tolerable level and ensure that the costs of mitigation don’t outweigh the expected benefits. The CISO should also be able to explain how the team monitors the performance of the mitigation actions.
3. How frequently does your company reevaluate previously identified risks and seek to identify new ones? The information security team should never assume that it knows all the major threats or is mitigating them effectively. Ensure that the team reevaluates which icebergs are out there at least annually, and then reexamines whether its mitigation strategies are still effective.
4. What is the crisis response plan when risk management fails? It’s a question of when, not if, your company will experience a cyber attack. How it responds will make a huge difference in terms of both financial and reputational damage. The CISO should be able to present a few slides that summarise the response plan for the top-three threat scenarios. Make sure the information security team is applying lessons from previous incidents that occurred at your company and others in their efforts to aggressively manage the potential fallout from attacks.
5. To what extent are the budgets for technology spending and security spending aligned and proportionately scaled? Security spending should grow proportionately with technology spending. You don’t want your technology infrastructure to grow faster than the information security team’s ability to mitigate the risks. Ensure that the team has the resources it needs to keep pace.
Remember, you don’t have to be a cyber security expert to talk to the CISO. If the discussion strays into the technical weeds, steer the CISO back to business issues. The same common-sense principles and risk-versus-reward assessments that drive discussions when you’re planning a merger or acquisition are just as helpful when you’re talking about information security risks with your CISO.
In upcoming posts, we’ll delve deeper into what you should look for when discussing each of these issues with your CISO.