Senior leaders are bound to take ownership in matters concerning information security. According to a Survey on the Global State of Cybersecurity, 83% of mid-level and senior executives in Fortune 500 companies feel that their involvement will result in a more efficient management of cyber threats and the building of resilient infrastructure. The survey showed that any firm’s Board will be confident in security measures if they participate in the company’s overall IT strategy.
As cybercrimes soar, Cybersecurity is fast becoming an important agenda discussed in most Board meetings. If you are in charge of a company’s cybersecurity and about to face the board, there are common questions that you may be asked. In this post, we share the six security questions your Board will ask and how to prepare for them.
1. Do We Have a Complete Understanding of the Cyber Threats and Risks in Our Firm and Industry Sector?
Board members are bound to ask this question due to the increasing importance of data and network security in business. In fact, only about 15% of board directors in Fortune 500 companies failed to address cybersecurity issues during their annual board meetings in 2018, compared to 22% in 2015.
There has been an increased focus on information security, as boards use it to guide business decisions. The first thing that your board expects of you and your Chief Information Security Officer (CISO) is to have a firm grasp on matters regarding Network and Information Security. But, how?
There are many facets to a huge topic like Network and Information Security. It’s good to know about the policies and controls that add layers of defences to any network. These include:
- Email security
- Anti-malware software
- User behavioral analytics monitoring software
- Cloud security
- Intrusion prevention systems
Why is it important to Have a Complete Understanding of Cyber Threats and Risks in Our Firm and Industry Sector?
Security threats have become more of a norm than an occasional breach in modern-day information-driven cyberspace. Today, most companies have at least a small portion of their staff in charge of their Information Technology and cybersecurity. With passing days, the IT teams are growing in numbers because these companies need greater defenses as hackers and malware get more sophisticated with time.
To avoid and prevent data breaches, almost all industries are taking strides to improve the safety of their data and security compliance across the board. This is not only the case for SMEs but also for established corporations and Governmental bodies. At all levels, governments are also coming up with regulations to enhance the safety of economies and citizens, and these laws often have a bearing on how organizations handle data. Some of these laws that you may have heard of, and which the board should take note of include the Health Insurance Portability and Accountability Act (HIPAA) which safeguards healthcare data, and the Sarbanes-Oxley Act (SOX) which safeguards financial records.
To answer the question right, you have to convince the board that you have a solid grasp on the current trends in data security and data security threats. It would help if you also guided the board to understand that the nature of cyber-attacks is continually evolving. Explain the facts and figures that will compel them to appreciate the fact that these attacks will get more frequent and powerful with time. You, the CISO, CIO, and the IT department should have a strategy to help the organization stay up-to-date with the current environment and attack vectors to stay ahead of the threats.
Beyond assuring the board that you will keep abreast of industry trends, staying on high alert when your industry is being targeted, also convince them that you have a deep understanding of the business impacts of a successful attack, and the best practices to enable fast recovery and resilience.
2. Is there an Accepted Security Framework Upon Which We Base Our Cybersecurity Program?
The Board of Directors is always concerned with the effectiveness and compliance of all company policies. Your Board will pose this question to know whether the firm’s information security is guided by a documented, effective, and efficient structure. With a cybersecurity program that complies with set standards and frameworks, it will be easy to acquire equipment and personnel to implement the policies.
It is crucial to have a framework to serve as a guide when formulating security policies and developing a security program. When it comes to cybersecurity, you don’t have to reinvent the wheel. There are plenty of great frameworks out there, with various families of standards depending on your firm’s needs. Some include:
- The ISO/SEC 27000 family for managing information security
- The NIST framework to help improve critical infrastructure
- The COBIT framework to govern and control IT infrastructure
With frameworks, you get a guide that will help you implement the processes critical to your firm. These frameworks also facilitate compliance with industry standards and regulations. The main standards and regulations your policy should address include:
- Health Insurance Portability and Accountability Act (HIPAA)
- 2002 Homeland Security Act, which includes the Federal Information Security Management Act (FISMA)
- The Gramm-Leach-Bliley Act
- International Traffic in Arms Regulations (ITAR)
To answer this question satisfactorily, you and your IT team will determine the risks in your industry, the level of control you have over your infrastructure, training programs, relationships with third parties, among others. The frameworks will help take advantage of advanced knowledge in security within your sector. An accepted framework relieves the firm of the worry that comes with figuring out the initiation of a program and lets you focus on the implementation.
3. Is the Cybersecurity Strategy Aligned to the Business Strategy?
Your Board of Directors is always concerned about bottom lines and returns on investment. The members will pose this question to see if your cybersecurity policy addresses the firm’s business needs.
It is important that cybersecurity be part of the conversation during the formulation of strategic initiatives. In most cases, resistance to security measures often stems from the assumption that it is a barrier to competing objectives. In fact, some have always assumed that security is more of an obstacle, interrupting business, and limiting employees’ liberties. This only happens when the cybersecurity strategy is not integrated from the start. In these cases, IT security is not treated as part of core business activities and is not discussed at strategic and project levels. The later on security is considered, the more of a hindrance it can be.
The best response to this question involves an alignment between the security program and the company’s investment strategy. With a baked-in cybersecurity strategy, it is easier to allocate resources, roles, and responsibilities to help protect the investment. An aligned strategy will also guide training programs, encouraging the participation of all employees in information and network security. With a comprehensive cybersecurity strategy, you and your team have a full understanding of the current and future threats as they relate to your business. You can align resource appropriation and work plans to ensure your security plan is working for your company in order to maximum productivity and resilience.
4. How Do We Detect and Respond to Cyber Attacks?
The Board of Directors would love to know that all business information is secure, but they also want to know that there is a plan to react when it is compromised. Data loss is detrimental to business, oftentimes leading to closure of business. The Board will ask this question to get assurance that, in case of a data breach, the business will go on. Your policy should, therefore, address backup and disaster recovery.
When it comes to threat detection, understanding is that there is not a single tool made for this ability is crucial. While there doesn’t exist such a thing as 100% protection, you need a collection of systems that integrate and interact with each other to give you the best chance of intercepting a threat. It is important that you and the team have the capability to aggregate information from multiple systems and analyze them to get a better understanding.
Often, a data breach may lead to downtime, which could paralyze the operations of the organization. Part of your preparedness entails having a solid plan for both business continuity and data recovery. Such a plan can then be put in motion smoothly if a breach occurs. Two essential parameters that define business continuity and disaster recovery are the Recovery Time Objective (RTO) and Recovery Point Objective (RPO).
While RTO defines how much time it will take to restore the network infrastructure from the time the breach happens to the time normal operations resume, RPO, on the other hand, defines how far to roll back in time from the time the breach occurs, to the last data backup.
When responding to this question, it is important to explain that you possess the skills and knowledge to manage an incident entirely. Security requires a cross-functional skillset. Besides the IT team, one board member with a technical background can serve as the board’s advisor and consultant on matter cyber-security. This makes it easier to manage incidents with an understanding of their business impact. Preparation to respond requires financial and human resources, along with time. It is also important to point out your awareness of existing threats seen through periodical reviews and your incidence report plan. You and the board can then agree on an acceptable risk tolerance level.
5. How Do We Prepare Other Colleagues to Play Their Security Role?
With an increased focus on information security, Board members have also developed the understanding that the weakest link in cybersecurity is the human factor. Thus, employee awareness is key on the board members’ agenda. The members will ask you this question to know that you have a proper cybersecurity training program in place.
Every employee has a crucial role in keeping company systems secure. When it comes to technology, everyone should know the risks. With a workforce that understands the elements of cybersecurity, staff activities will be geared to promote it. While employees are the firm’s biggest asset, they also present the largest security risk. Training can, therefore, help reduce the firm’s susceptibility to attacks.
So, when asked about the training program, you can borrow a leaf from the 8 best practices on employee training with regard to cybersecurity. These are:
- Get everyone invested in the firm’s security strategy
- Invest in continual training
- Prioritize cyber-security awareness
- Consult with executives
- Emphasize on password and authentication best practices
- Train employees on Social Engineering and Phishing Attacks
- Make security training part of employee onboarding
- Conduct security threat drills
With proper training, you get everyone interested in cybersecurity, allowing the entire firm to build good habits.
6. Who’s in Charge?
Accountability is always top on the minds of every board member. They always want to understand the roles and responsibilities of all management personnel. The board members will ask this question to examine the team recruited to manage the firm’s cybersecurity.
With a security strategy in the works, the function should be in the docket of a Board Member, with accountability resting on an individual responsible for keeping the business safe. This individual is likely to be the Chief Information Security Officer (CISO). The roles, responsibilities, and the reporting line should be clear. This way, there shall be visibility, accountability and credibility in all levels of the organization. This line of reporting is guided by organizational policies. The roles and duties of all individuals in the field of cyber-security should be outlined within the firm’s Security Governance model. These roles cover the entire organization and its relationships with third-parties where applicable.
These questions can serve as a guide to CEOs, CIOs and CISOs in firms when making Board presentations. Even without these questions, it is important that you provide this information, as it will help guide in the making of business decisions. Information and Network security demand involvement at all levels. Make it the responsibility of everyone in your organization by addressing concerns by the board members.