Uncategorized

Icebergs Ahead! Five Questions Every Board Should Ask the CISO

You’re in town for a board meeting, and run into the CISO in the lift. Or, better yet, he or she is in the board meeting to give a rundown on cyber security. You’d like to take an active role in data governance. First off, kudos for that—but what are you supposed to ask? You’re not a cyber security expert…

In fact, many board members may not understand everything that the CISO’s role entails or the specifics of how the CISO’s responsibilities differ from those of the CIO and CTO. Whereas CIOs and CTOs make the technology work, CISOs identify and manage technology-related threats to the business’s operations or reputation. They must obtain a 360-degree view of the threats and how much they might end up costing the company, as well as the costs of reducing the probability of a cyber attack to an acceptable level.

Given the prevalence of security breaches and the scope and magnitude of the consequences, getting “up close and personal” with your CISO shouldn’t require a chance encounter in the lift. You should demand direct access to the CISO on a formal—and regular—basis.

But that doesn’t mean you need to dig into the technical details about risks and mitigation plans. By asking a set of high-level questions, you can gather information that positions you to be an active participant in key strategic decisions relating to information security:

1. What are the top information-security threats facing your company? These are the “icebergs” that have the potential to severely damage the business’s viability. Theft of data often grabs the headlines, but cyber attacks are alarmingly diverse. Other potential threats include a “denial of service” attack that could stop your company from operating its business, as well as malware injection and phishing, to name just a few.

2. For each of these major threats, what are your company’s high-level mitigation strategies and the costs for executing them? Find out how the information security team plans to reduce these threats to a tolerable level and ensure that the costs of mitigation don’t outweigh the expected benefits. The CISO should also be able to explain how the team monitors the performance of the mitigation actions.

3. How frequently does your company reevaluate previously identified risks and seek to identify new ones? The information security team should never assume that it knows all the major threats or is mitigating them effectively. Ensure that the team reevaluates which icebergs are out there at least annually, and then reexamines whether its mitigation strategies are still effective.

4. What is the crisis response plan when risk management fails? It’s a question of when, not if, your company will experience a cyber attack. How it responds will make a huge difference in terms of both financial and reputational damage. The CISO should be able to present a few slides that summarise the response plan for the top-three threat scenarios. Make sure the information security team is applying lessons from previous incidents that occurred at your company and others in their efforts to aggressively manage the potential fallout from attacks.

5. To what extent are the budgets for technology spending and security spending aligned and proportionately scaled? Security spending should grow proportionately with technology spending. You don’t want your technology infrastructure to grow faster than the information security team’s ability to mitigate the risks. Ensure that the team has the resources it needs to keep pace.

Remember, you don’t have to be a cyber-security expert to talk to the CISO. If the discussion strays into the technical weeds, steer the CISO back to business issues. The same common-sense principles and risk-versus-reward assessments that drive discussions when you’re planning a merger or acquisition are just as helpful if you’re talking about information security risks with your CISO.

In upcoming posts, we’ll delve deeper into what you should look for when discussing each of these issues with your CISO.





Featured Blog