Five Questions Board Members Should Ask Their CISO

Long gone are the days where security was solely the responsibility of CISOs or their security equivalent.

With the average data breach costing an estimated 4 million dollars in 2016 and rapidly rising, security has made its way into the fiduciary duties of the board. As apparent from the Yahoo hack, the blame for a data breach often goes all the way up to the CEO and the board.

In this new era of cybercrime, organizations need to approach security from the first-line defenses in the IT department all the way up to the board room, both to maintain their competitive edge and to stay off the front page of The Wall Street Journal for a data breach.

It’s the shared responsibility of the CISO and the board to work together to keep the company secure. More than half of board members surveyed were willing to fire security executives for failing to provide useful, actionable information, according to a 2016 report from Osterman Research.

Board members are brought in for a wide array of advisory skills, and they often lack the cybersecurity expertise needed to stay on top of a constantly evolving field. According to Harvard Business Review, 37% of surveyed board members said that cybersecurity, more specifically keeping on top of risk and security issues, was the most challenging part of their role.

That being said, board members need to take responsibility for asking the right questions. These are five questions that every board member needs to ask their CISO, CIO or security equivalent:

How secure are we as an organization? What is our risk score matrix?

Without full insight into this question, your team is essentially working blind, putting your entire organization, its reputation and its customers at risk. You can’t improve a process if you don’t know what you have to work with. Understanding your organization’s security deficiencies is just as critical as understanding the sales pipeline and accounting metrics.

How are you designing a security posture that does not slow down business operations?

Being a security-focused organization is crucial and can be a huge asset to the company’s bottom line, but it’s imperative that security doesn’t slow down business operations beyond what’s necessary. Disconnected security is a surefire way to slow down your business.

Further, organizations are deploying new services and products for their customers faster than ever before, and legacy security organizations are unable to keep up with the lines of business.

How do we know that data and IP on systems not in our control, such as Internet of Things (IoT) devices and the cloud, are safe and secure?

Are all your third-party tools and service providers 100% secure? If not, their vulnerabilities are your vulnerabilities, weakening your security posture. Organizations remain responsible for their data even when they use third-party vendors, so those vendors require further diligence. As organizations adopt new architectures like cloud technology, this is an opportunity to build security into the scope of work rather than treating it as an afterthought.

How do we ensure that we are ahead of the new regulatory requirements coming down the pike?

There are constantly multiple cybersecurity regulatory mandates coming down the pike. Does your organization know which ones apply to it, the specific qualifications required to meet them, and the possible fees and ramifications if it fails to meet them? Regulations are a part of any board discussion, but you need to take a proactive approach to reviewing and continuously improving your security posture rather than a reactive one. Relying on a reactive approach will take your organization’s resources away from customer success.

Who is responsible for security? CISO or CIO? Risk & Compliance Officer?

We’ve already established that security needs to be a team effort, but who is leading the charge? Who has final say over security processes, how to spend the security budget and the division of labor? The best way to determine who is responsible for security is to identify the person who is responsible for answering “How secure are we?” and, when there is a breach, the executive who will be responsible for remediating the issue.

Security isn’t something that can just be swept under the rug while the board and executive team plan on pointing fingers if something bad happens. Cybersecurity threats are only going to get worse, so organizations need to make the shift to being security-driven from the IT department all the way to the board room.

Board members need to make time to discuss security matters and work with the CISOs or their security equivalent to maintain a successful business that is security-focused.

Cybersecurity is not the responsibility of an individual or a small team within an organization. As we approach 2020, cybersecurity will not be a vertical within an organization but rather a horizontal fiber woven throughout it.
