Six Questions Boards Should Ask Their Executives about Cyber Risks
Authors: Tom Patterson, Global Managing Partner, Consulting, CSC Global Cybersecurity
Scott Cogan, Strategic Alliances Director, RSA Archer
The vast majority of board members haven’t been recruited for their technical or security acumen; however, boards still must get involved in the security of the organization they govern.
Cyber risk promises to escalate with almost alarming speed—driven by increasingly sophisticated threats, vigilant regulators, and frustrated stakeholders. Failing to ask questions can transition quickly into failures of operations, careers, even companies. Even if a board does not yet have security expertise, boards can still help manage the risks their companies face by asking the following six questions.
1. What new actions are you taking to protect our firm from the increasingly high risks associated with cybersecurity incidents?
Yesterday’s security approach focused primarily on investing in compliance and basic preventive measures. Today, firms need to focus more time, energy, and resources on detection and response to have a chance against modern threats. This means new programs, processes, and a shift in technology spending toward prevention and response.
2. What governance mechanisms are in place to ensure controls are effective and offer meaningful information, and how can you prove the information is trustworthy?
Governance programs must have an executive owner and a cross-functional committee that holds regular meetings with key stakeholder representation from all business functions. Regulators and litigators increasingly are looking for attestation that governance and compliance information can be validated and controls are effective. This focus increases for owners and operators of critical infrastructure.
3. Security is separate from compliance, and we need both. What is our proactive plan to match real countermeasures to our real cybersecurity threats over the next three years?
Greater visibility is absolutely required—everywhere. Make sure your company is positioned to see more data and is capable of turning it into actionable information. While risk from threats continues to increase and potential economic fallout is real, the good news is we have made dramatic improvements in technology’s ability to capture massive amounts of data, conduct targeted analysis to detect problems, and prioritize rapid response to address key risks.
4. Since attempts to steal from and damage our organization are inevitable, what is our response plan with specifics regarding our internal/external team, tools, rehearsal schedule, peer analysis, expert analysis, standards, and regulatory adherence?
Breaches are occurring everywhere. Managing an actual event is one issue; how an organization handles that event is scrutinized even more closely today. If it’s found that your organization has reacted poorly to an event, especially in protecting stakeholders, damages will rise.
5. Detail how we can leverage the best tools, talent, intelligence, and practices to defend our business as talent grows scarce and criminals get smarter.
Cybercriminals continue to expand their organizations, skills, tools, and knowledge. To stay ahead requires more effort. Securing your organization will become increasingly challenging as you look to capitalize on trends, such as mobility and the Internet of Things (IoT), and advances in areas like big data analytics. If your organization owns or operates critical infrastructure, regulators will continue to apply pressure.
6. How does the cyber risk team work with the organization’s broader enterprise risk function?
Communication within the organization, between partners and supply chains, and with industry organizations has become more important as cybercriminals continue to extend their reach and capabilities. Within your organization, the enterprise and cyber risk functions must be connected and need to speak the same language regarding risk. This effort will create a clearer picture regarding business context and how cyber risk translates to business impact.
The fact that board members are asking these questions will spur security improvements and better overall risk management. Demand that your executives deliver answers in plain language, not techno-cybersecurity babble. Ask for clear progress reports at all future quarterly meetings. The biggest benefit of asking these questions comes from simply asking that they be thought through and debated in the normal course of business.
View the complete article here: Weighing In: Views from Governance and Boardroom Experts, Corporate Board Member, Q3 2014