The Board has a fiduciary obligation to oversee and establish the business policies and practices that drive the company’s growth and performance. That responsibility includes understanding the company’s cybersecurity posture, which is directly linked to the company’s value and valuation. In the past, cybersecurity was treated as an IT problem. Today it is widely understood to be a business problem, and that technical risks have to be translated into business risk to bridge the gap between business strategy and technical expertise. Board members may never fully understand the technical details, but they must understand the business impact a cyber attack can have, the financial implications of cyber risk, and the potential reputational and legal consequences. To get there they must be educated and must know how to ask the right questions.
These are the questions the Board of Directors should ask their CISO and technical teams:
1. What was your process for creating our organizational cybersecurity roadmap? Was it driven by mandatory regulations, or was it tailored to our IT architecture and the threats we actually face?
Existing frameworks such as the NIST Cybersecurity Framework and ISO/IEC 27001 help an organization improve its cybersecurity, but compliance with them is not sufficient on its own.
The Board of Directors should insist on a quantitative, fact-based and data-driven approach. They need to understand which risks the company is exposed to, how likely each is to be exploited, and what the business impact would be if an attack succeeded. Expressed in data, numbers and facts, the potential business impact of each threat, and the cost of each threat, becomes something the board can weigh against the cost of the controls that address it.
Cybersecurity assessments should be performed on an ongoing basis, because the attack surface keeps growing and the external and internal threat landscapes change rapidly. The board must ensure that security controls are validated against real attacker behavior, not only against simulated or hypothetical scenarios. They should ask whether the organization’s cybersecurity investments hold up against new and evolving threat scenarios and attack vectors, and whether management has made strategic changes in response to incidents at other companies.
3. How do you respond to a constantly changing threat landscape?
A solid cybersecurity roadmap is important, but it is just as important to be able to pivot quickly when external threats change.
Organizations must ensure that their short-term plans leave room to respond to market changes and new threats. That requires visibility into both internal and external threats, and a practice of adjusting mitigation plans and recommendations as the picture changes.
4. Do we have a plan in case there is a breach?
A mitigation plan created after a cyber attack has occurred is too late. How an organization responds determines how much damage the attack ultimately does.
The plan must cover two complementary parts:
* Crisis management. The strategic plan, developed together with PR, legal and customer management, that governs how decisions are made and communicated during an incident.
* Incident response. The technical plan, including digital forensics, that contains and remediates the incident with minimal disruption to business operations and to the company’s bottom line.
The board must ensure that an incident response team is in place to address both the security and the business aspects of a crisis, including investigating what happened and assisting with mitigation.
5. How do we quantify risk?
Organizations need to estimate both the potential dollar loss from each risk and the cost of mitigating it. Businesses want to get the most out of their cybersecurity investments, and the first step toward that goal is to quantify risk in business terms, not only in technical ones.
The board must make cybersecurity a standing priority, on a par with other topics discussed at board level such as go-to-market strategy, headcount and cash flow. The board might also seek expert cybersecurity advice, as it does on many other important business issues. By continuing to ask the right questions, the board improves its own cyber literacy and strengthens the partnership between IT and the board.