How Can Boards and CIOs Help Reduce Risk? By Asking the Right Questions

Cybersecurity breaches can result in millions of dollars in losses for global enterprises and they can even represent an existential threat for smaller companies. For boards of directors not to get seriously involved in protecting the information assets of their organizations is not just risky — it’s negligent.

Boards need to be on top of the latest threats and vulnerabilities their companies might be facing, and they need to ensure that cybersecurity programs are getting the funding, resources and support they need.

Lack of cybersecurity oversight

In recent years boards have become much more engaged in security-related issues, thanks in large part to high-profile data breaches and other incidents that brought home the real dangers of having insufficient security. But much work remains to be done. The fact is, at many organizations board oversight of cybersecurity is unacceptable.

Research has shown that many boards are not prepared to deal with a cyberattack, with no plans or strategies in place for cybersecurity response. Few have a board-level cybersecurity committee in place.

More CIOs are joining boards

On a positive note, more technology leaders including CIOs are being named to boards, and that might soon extend to security executives as well. Earlier this year the Security Exchange Commission (SEC) proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.

This includes requirements for public companies to report any board member’s cybersecurity expertise, reflecting a growing understanding that the disclosure of cybersecurity expertise on boards is important when potential investors consider investment opportunities and shareholders elect directors. This could lead to more CISOs and other security leaders being named to boards.

Greater involvement of IT and security executives on boards is a favorable development in terms of better protecting information resources. But in general, boards need to become savvier when it comes to cybersecurity and be prepared to take the proper actions.

Asking the right questions

The best way to gain knowledge about security is to ask the right questions. One of the most important queries is which IT assets the organization is securing? Knowing the answer to this requires having the ability to monitor the organization’s endpoints at any time, identify which systems are connecting to the corporate network, determine which software is running on devices, etc…

Deploying reliable asset discovery and inventory systems is a key part of gaining a high level of visibility to ensure the assets are secure.

Another important question to ask is how is the organization protecting its most vital resources? This might include financial data, customer records, source code for key products, encryption keys and other security tools, and other assets.

Not all data is equal from a security, privacy and regulatory perspective, and board members need to fully understand the controls in place to secure access to this and other highly sensitive data. Part of the process for safeguarding the most vital resources within the organization is managing access to these assets, so boards should be up to speed on what kinds of access controls are in place.

Board members also need to ask about which entities pose the greatest security risks to the business at any point in time, so this is another key question to ask. The challenge here is that the threat vectors are constantly changing. But that doesn’t mean boards should settle for a generic response.

Accessing threats from the inside out

A good assessment of the threat landscape includes looking not just at external sources of attacks but within the organization itself. Many security incidents originate via employee negligence and other insider threats. So, a proper follow-up question would be to ask what kind of training programs and policies the company has in place to ensure that employees are practicing good security hygiene and know how to identify possible attacks such as phishing.

Part of analyzing the threat vector also includes inquiring about what the company looks like to attackers and how they might carry out attacks. This can help in determining whether the organization is adequately protected against a variety of known tactics and techniques employed by bad actors.

In addition, board members should ask IT and security executives about the level of confidence they have in the organization’s risk-mitigation strategy and its ability to quickly respond to an attack. This is a good way to determine whether the security program thinks it has adequate resources and support to meet cybersecurity needs, and what needs to be done to enhance security via specific investments.

It’s most effective when the executives come prepared with specific data about security shortfalls, such as the number of critical vulnerabilities the company has faced, how long it takes on average to remediate them, the number and extent of outages due to security issues, security skills gaps, etc.

In the event of an emergency

Finally, board members should ask what the board’s role should be in the event of a security incident. This includes the board’s role in determining whether to pay a ransom following a ransomware attack, how

board members will communicate with each other if corporate networks are down, or how they will handle public relations after a breach, for example.

It has never been more important for boards to take a proactive, vigilant approach to cybersecurity at their organizations. Cyberattacks such as ransomware and distributed denial of service are not to be taken lightly in today’s digital business environment where an outage of even a few hours can be extremely costly.

Boards that are well informed about the latest security threats, vulnerabilities, solutions and strategies will be best equipped to help their organizations protect their valuable data resources as well as the devices, systems and networks that keep business processes running every day.

Want to learn more? Check out this Cybersecurity Readiness Checklist for Board Members.

Risk Management