A recent set of regulations issued by the Securities and Exchange Commission has highlighted the importance of cybersecurity understanding at the leadership level of public companies. These regulations require public companies to disclose any cyber attacks they experience, which means that those in charge must have a deep understanding of the cybersecurity landscape in order to comply with the new rules.
For board members, unmasking the cybersecurity landscape can be a challenging task. However, it is an essential part of their role in terms of governance and risk management. To help navigate these regulations and ensure that they are adequately prepared, here are 10 critical questions that board members should be asking their Chief Information Security Officers (CISOs) about cyber risk and management.
The first question that board members should ask is: “What does the company’s risk landscape look like, and what is the company’s current cybersecurity risk profile?” This question provides a broad overview of the company’s cybersecurity status, including any identified vulnerabilities, ongoing threats, and the steps being taken to mitigate risks. It is an essential starting point for understanding the overall cybersecurity posture of the organization.
Another important question for board members to ask their CISOs is: “How does the company keep the fort secure, and how does it manage cybersecurity risks?” This question provides insights into the strategies, tactics, and resources that the company employs to manage cybersecurity risks. Board members can then evaluate whether these measures align with the organization’s risk profile and ensure that the company is taking appropriate steps to protect its assets.
Board members should also inquire about the company’s incident response plan. They should ask: “Is the company ready for a storm? Does it have an incident response plan?” Preparation is half the battle when it comes to cybersecurity incidents. Having a clear, actionable incident response plan in place is indispensable for any well-prepared organization. This plan should include processes for detection, containment, recovery, and follow-up.
Quantitative insights into an organization’s cybersecurity performance can be highly illuminating. Therefore, board members should ask: “Is the company winning? What cybersecurity metrics does it track?” Understanding which metrics are being monitored and how they influence decision-making is a critical aspect of effective governance. This allows board members to assess the company’s progress in managing cybersecurity risks and make informed decisions.
Another important question for board members to ask is: “What are the company’s crown jewels, and how does it guard them?” Board members need to be fully aware of the organization’s most valuable assets, such as data and systems, and how they are being safeguarded. This ensures that appropriate measures are in place to protect these assets from potential cyber threats.
In the rapidly evolving cybersecurity landscape, staying ahead of threats is crucial. Board members should ask: “How does the company stay ahead of threats?” This question prompts the CISO to explain how the company stays abreast of the latest threats and trends in cybersecurity. It demonstrates that the company is proactive in addressing emerging challenges and adapting its security measures accordingly.
Third-party risks can often lead to cyber incidents. Therefore, board members should ask: “Are the company’s allies trustworthy? What’s the company’s plan for third-party risk management?” Many cyber incidents are precipitated by vulnerabilities in third-party vendors or software. A strong cybersecurity strategy must encompass provisions to manage third-party risks. Board members should ensure that the company has effective measures in place for vetting partners and managing these risks appropriately.
The human factor cannot be ignored when it comes to cybersecurity. Board members should ask: “Does the company foster a security-conscious culture? What are its cybersecurity training and awareness programs?” Understanding the initiatives in place to educate employees about their roles in preventing cyber incidents can make a world of difference. It ensures that employees are aware of potential risks and are equipped with the knowledge to mitigate them.
Financial resources are vital for implementing effective cybersecurity measures. Therefore, board members should ask: “Does the company invest wisely? How is its cybersecurity budget allocated?” Knowing how resources are being disbursed allows boards to discern whether the most significant risks and challenges are receiving adequate attention and funding. It ensures that the company’s cybersecurity efforts are appropriately supported.
Finally, board members should ask: “Can the company control the narrative during a crisis? How will it handle communications in the event of a significant breach?” Effective communication during a cybersecurity incident is critical for maintaining trust with stakeholders and preserving an organization’s reputation. Board members should ensure that the company has a well-defined communication plan in place, allowing it to respond quickly and accurately to any potential breaches.
In conclusion, board members must have a comprehensive understanding of the cybersecurity landscape to comply with the recent SEC regulations. By asking their CISOs important questions about cyber risk and management, board members can ensure that their organizations are taking the necessary steps to protect against cyber threats. With the cybersecurity landscape evolving at an unprecedented pace, board members must arm themselves with knowledge and stay informed about the latest best practices and industry trends.