Source: https://www.infosecurity-magazine.com/blogs/five-questions-board-members-ciso/
Security isn’t something that can just be swept under the rug while the board and executive team plan on pointing fingers if something bad happens. Cybersecurity threats are only going to get worse, so organizations need to make the shift to being security-driven from the IT department all the way to the board room.
Board members need to make time to discuss security matters and work with the CISOs or their security equivalent to maintain a successful business that is security-focused.
Cybersecurity is not the responsibility of an individual or a small team within an organization. As we approach 2020, cybersecurity will not be a vertical within an organization but rather a horizontal fiber that is woven throughout the organization.
These five questions should be part of a critical conversation any business owner or board of directors should have with its CIO, CISO or IT guy:
How secure are we as an organization? What is our risk score matrix?
Without full insight into this question, your team is essentially working blind – putting your entire organization, its reputation and customers at risk. You can’t improve a process if you don’t know what you have to work with. Understanding your security deficiencies in an organization is just as critical as understanding the sales pipeline and accounting metrics.
How are you designing a security posture that does not slow down business operations?
Being a security-focused organization is crucial and can be a huge asset to the company’s bottom line, but it’s imperative that security isn’t slowing down business operations beyond what’s necessary. Disconnected security is a surefire way to slow down your business.
Further, organizations are moving faster than ever before in deploying new services and products for their customers, which leaves legacy security organizations unable to keep up with the lines of business.
How do we know that data and IP systems not in our control, such as Internet of Things (IoT) and cloud, are safe and secure?
Are all your third-party tools and service providers 100% secure? If not, their vulnerabilities are your vulnerabilities – weakening your security posture. Organizations are always responsible for their data, even if they use third-party vendors, which calls for further diligence. As organizations adopt new architectures like cloud technology, this is an opportunity to embrace security as part of the scope of work rather than treating security as an afterthought.
How do we ensure that we are ahead of the new regulatory requirements coming down the pike?
There are constantly multiple cybersecurity regulatory mandates coming down the pike. Does your organization know which ones apply to it, the specific qualifications to meet the mandates, and the possible fees and ramifications if it fails to meet them? Regulations are a part of any board discussion, but you need to take a proactive approach to reviewing and continuously improving your security posture rather than a reactive one. Relying on a reactive approach will take your organization’s resources away from customer success.
Who is responsible for security? CISO or CIO? Risk & Compliance Officer?
We’ve already established that security needs to be a team effort, but who is leading the charge? Who has the final say over security processes, how to spend the security budget and the division of labor? The best way to determine who is responsible for security is to identify the person who is responsible for answering “How secure are we?” and, when there is a breach, the executive who will be responsible for remediating the issue.