11 questions that board members should be asking about cyber security
Published By
David Wakeley
January 14, 2021
5 min read.

One of the most critical elements of corporate governance in today’s enterprise is ensuring that your organisation is equipped to defend itself, its assets and its stakeholders against cyber threats.

In order to do this effectively, board members should be fully across the current state of their company's cyber security program and whether there are any weak spots or blind spots that require attention.

Here is a list of 11 questions around cyber security that every board member should know the answer to, and if they don’t, they should be knocking on the door of their cyber security chief to find out.

1. What are our critical assets and what layers of protection do we have in place to safeguard them?

It is important to determine that none of your valuable information is exposed to unnecessary risk through a lack of adequate protection.

2. What are our regulatory compliance obligations, are we meeting them, and who is responsible for updating them?

Failure to maintain compliance obligations can lead to severe consequences and heavy fines, so it is imperative to make sure you are covered and are fully up to date at all times.

3. What level of training do our staff have in cyber defence, how is their competence measured, and do they receive updates when new threats emerge?

Staff training is essential and it needs to be more than a box ticking exercise. To avoid that scenario, regular measurement and testing of security awareness among staff should be mandatory.

4. How are we keeping abreast of new and emerging threats and how are they incorporated into our threat planning? 

Your cyber defence is only as good as its ability to deal with the latest threat. Organisations should be actively seeking out information to keep up to date with the latest threats so they can prepare for them.

5. What risk management or industry framework are we using to measure our approach?

Establish what risk management or industry framework (such as ASD ISM, ISO 27000 or NIST) is being followed to ensure suitable benchmarking. There should be a clear delineation of responsibility and ownership, and everyone should know what they are working towards (as opposed to a siloed, piecemeal approach, which ultimately leads to confusion and important security elements being missed).

6. Who holds responsibility for maintaining and updating our cyber resilience across the organisation, are we well enough resourced in this area, and if not, what do we need to bolster?

You need to be aware of who is responsible for every element of your operational security, so that in the event of an incident, you are able to identify what is being done to address and rectify the situation without delay.

It is vital to ensure that your security team are well enough resourced to be able to deliver the level of security your organisation requires, but if they ask for additional resources, there needs to be justification. They need to demonstrate what impact that extra funding will have on your overall security preparedness and effectiveness so you can determine whether that investment is worthwhile.

7. What measures do we have in place to minimise the impact of a breach through rapid identification and action?

The time taken to respond is critical when it comes to managing a breach, both to contain the damage and to manage the cost, so you need to know what measures have been implemented to identify and deal with a breach. Once the breach is stopped, a damage assessment and notification of those affected should be the highest priority. This should be followed by a security audit and an update of your security plan to defend against a similar breach in the future, and further training given to staff if required.

8. How often do we test our security and intrusion response and what is our process for acting on the findings?

You only know how prepared you are for an attack if you thoroughly test and train for one. It is imperative that your cyber defences are thoroughly tested for multiple scenarios so that when the real thing happens, everyone knows what to do and you are on a war footing from the get go, rather than having to scramble.

9. Do we have a cyber security insurance policy and is the cover at the level required to offset any potential loss incurred by a breach or extended downtime?

Not only do you need to be covered by insurance (especially if you’re not well enough resourced to recover from a breach without insurance), it is also important that your level of cover is appropriate for the level of risk and what you potentially stand to lose.

10. How do we determine the effectiveness and value of our security solution?

Don’t wait for a breach to determine the quality of your security solution. Ensure your security spend considers a range of factors, such as effectiveness, value for money, benchmarked performance, ease of operation, and so on.

11. How are we ensuring that our remote workers do not expose the organisation to increased risk compared to our office-based staff, and what advice are they being given to address and mitigate any heightened risks?

This is even more pertinent in the current climate, with more people than ever working from home because of COVID-19 restrictions. But even in these difficult times, security should never be sacrificed for convenience.

Once these questions have been answered, and any shortcomings have been identified and addressed, your organisation will be very well placed to deal with whatever cyber threats come your way now and into the future.
