6 Cybersecurity Questions Your Board of Directors Will Ask
This article highlights six frequently asked information security questions by corporate boards and how to answer them effectively.
Corporate cybersecurity incidents continue to surge, and senior-level executives are being asked to account for them now more than ever. A recent Global State of Cybersecurity study shows that more than 80% of Fortune 500 business leadership teams believe their increased involvement in data and information security will instigate a more efficient cyber threat mitigation and prevention process.
The survey also revealed that corporate board members feel more confident in executive teams that take ownership over cybersecurity initiatives and won’t simply delegate these projects to their security operation centers (SOSs) and in-house IT departments. Indeed, a swath of evidence shows that business leaders who assume more oversight and responsibility over their information security strategies find better results in the long run.
As data theft and cybercrime prevention have swiftly become the hot topic of the day, information security remains at the top of the agenda at board discussions. If you are in charge of safeguarding your company’s sensitive data and presently facing an upcoming board meeting, we’ve put together a few common cybersecurity questions your board members might ask. In this article, the team at PCH Technologies highlights six frequently asked information security questions by corporate boards and how to answer them effectively.
1. What is the scope of your understanding of current cybersecurity threats posed to our industry and our organization specifically?
On the subject of cybersecurity, board members tend to lead with this relatively open-ended question. This is their attempt to gauge how well you understand any cyber threats currently impacting your business sector. The Harvard Business Review conducted a recent survey revealing that 68% of its respondents discussed cybersecurity topics regularly at board meetings. Expect this question to come up at an early stage of the discussion. Furthermore, if you represent a Fortune 500 company, remember that fewer than 15% of corporate board directors omit the topic of cybersecurity entirely during their annual meetings. And this figure continues to decrease.
In fact, more scrutiny is placed on cybersecurity than ever as board members invoke the subject as a point of departure to inform their long-term information security strategies. Most board directors expect their CEOs and Chief Information Security Officers (CISCOs) to possess a thorough understanding of how they aim to protect their company networks and data. So, what specifically does the board expect you to know about the company’s security strategy? Here are a few topics and concerns that a board will typically raise about your cybersecurity policies and controls:
- Malware and ransomware protection
- Threat detection and prevention
- Cloud Security
- 2-factor authentication (2FA)
- Email security
- User behavior analytics
- Insider threats
2. On a scale of 1 to 10, how much of a priority is cybersecurity for your executive leadership team, and how well do you and your associates understand emergent cyber threats to our industry?
Cybersecurity incidents aren’t just one-off occurrences anymore. Detecting and preventing cyberattacks are now routine practices, especially for medium to large-sized enterprises. Threats to small businesses continue to escalate as well. And most companies dedicate a small portion of their IT department to safeguarding their networks and valuable business data. As the prospects for a successful cyberattack increase, IT security budgets continue to grow because businesses require a stronger line of defense against criminal hackers who become more sophisticated with the day.
Ideally, your primary objective should be to successfully ward off bad actors by preventing 100% of data breaches and threats through diligent, proactive monitoring of your networks and systems. This approach is imperative since all industries across every economic sector have started taking significant measures to improve cybersecurity compliance. While, due to the rise of incidents, cyber threats have assuredly caught the attention of small business owners in recent years, enterprise-level organizations and governmental bodies have taken a similarly keen interest in protecting their digital assets from cybercriminals.
Cybersecurity impacts business operations at all levels and government regulators continue imposing increasingly strict guidelines to enhance the digital safety of its citizens. New regulations emerge every day, each dictating how companies must handle sensitive customer data. The laws may be so new that, during the course of your annual board meeting, you may not be fully prepared to address them when raised. The best way to present yourself under these ever-changing regulatory conditions is to assure the board that, while you might not be familiar with every new rule, you have established a small team dedicated to tracking them.
Your aim should be to convince the board that you comprehend the evolving nature of cybersecurity by arriving at the meeting equipped with up-to-date data that supports your knowledge. In so doing, you will reassure the board of your ability to defend the company against attacks that only get more advanced with time. The head of your SOC and IT department should have worked with your executive team to develop a strategy for identifying emergent threats before your meeting. This way, when your board questions you on the latest attack vectors, you’ll arrive prepared with the most current information.
Finally, aside from showing the board that your team keeps itself informed of the latest threats, remember to emphasize that you place a high priority on any and all ongoing targeted cyber threats your industry faces. Let the board know that you’re deeply aware of the impact a successful attack can have on the immediate viability of the organization. Reiterate to the board that you have developed a reliable set of best practices for recovering swiftly after a successful attack to minimize disruption.
3. What is the concise framework you’re using to implement our cybersecurity strategy?
Above all, board directors want to know about the effectiveness of your cybersecurity approach and how well it adheres to both established company policies and government regulations. Expect the board to probe you on whether or not your cyber protection measures are informed by documented research and reflect well-considered procedures and protocols. A cybersecurity initiative rooted in solid research, an efficient framework, and clear standards always translates to a more simplified implementation.
An adequately streamlined security framework forms the basis of the company’s security policies and marks a strong point of departure for future programs that prevent new threats. An effective approach to cyber protection does not mean you need to revolutionize existing frameworks, however. The are dozens of dependable, industry-specific models upon which you can base your methods for managing data security. Here are just a few:
- The COBIT framework
- The NIST framework
- The ISO/SEC family
When you use a proven framework, you’re always ensured a roadmap for implementing your cybersecurity processes and procedures. These established models for protecting your business also assist in facilitating regulatory compliance and standard practices. Depending on your industry, US regulators expect your policies to comply with the Health Insurance Portability and Accountability Act (HIPPA), the 2002 Homeland Security Act, International Traffic in Arms Regulations (ITAR), and the Gramm-Leach-Biley Act.
Answering questions surrounding your cybersecurity framework means you’ll have to work closely with your SOC and IT department to identify the primary security risks to your industry. Staying proactive in this way helps you establish your controls, training initiatives, and relationships with your vendors and joint venture partners. The benefit of using an existing framework is that you can rely upon well-developed bodies of knowledge within your industry to protect your digital assets. Implementing a proven framework means you don’t have to develop a program from scratch. You can subsequently place more focus on a successful implementation.
4. How well does your approach to cybersecurity align with our overall business strategy?
Your board is fundamentally concerned with profitability, namely how quickly you can realize a return on investment. On the subject of cybersecurity, anticipate the board of directors to assess your strategy in this same light. Members will be curious to know how well your security policies match company revenue growth objectives. Therefore, it is vital to come prepared to address both the long and short-term goals of your cybersecurity policies to gain the complete support of the board.
Upon starting the conversation about your cyber protection strategies, be ready to explain how their formulations help advance broader organizational strategic initiatives. If the board seems reticent to accept your plan, this is likely attributable to the fact the directors view it as a potential obstacle to competing objectives. The perception among board members that security is a non-revenue generating activity interrupting growth is, unfortunately, all too common. This problem nearly always stems from a poorly developed cybersecurity strategy at the outset. If protecting your digital assets isn’t placed at the forefront early on, it tends to fall out of priority, and the subject can even be left out of annual board discussions completely. The longer you put off developing a robust cybersecurity program, the harder it is to establish one on the backend.
When the board questions you on how your security framework can help drive growth and profitability, the best response is an answer that brings attention to the company’s existing and future investments in IT. A well-implemented strategy makes your program simpler to manage and, thus, easier to justify to the board when you explain how it protects business investment strategies. Demonstrable strategic alignment also helps inform future training programs because it makes your cybersecurity initiative more accessible to employees outside your IT and security departments. You want your plan to work on a macro level to optimize productivity and reaction times.
5. Will you describe your plan for responding to a cyber attack?
This question usually arises during the latter stages of the conversation, after you’ve convinced the board that you’re equipped to respond to a cyber incident. They will want to understand the specifics of how you would react after a successful attack. No business can afford the loss of sensitive business data because it can cause operations to shutter entirely within just a few weeks. The board needs to feel confident that you can respond to a data breach in a way that prevents expensive downtime.
In the event of a successful attack, the most reliable strategy for keeping your operations online is by developing an effective disaster recovery plan and backing up company data. Letting the board know you’re backing up essential operational data and that you have a bulletproof disaster recovery plan in place helps assure the directors that business will continue after a breach.
Your plan for network monitoring and threat protection is equally important. If the ability to protect the company 100% existed, cybersecurity wouldn’t be a point of discussion. However, since no one solution exists, you’ll need to explain to the board the various approaches and interrelated solutions that give you the best opportunity to intercept a cyber-attack before it ever occurs. Let the board know that your IT team has the ability to draw from multiple systems to assess the larger picture.
If a data breach leads to extended downtime, your company operations may never recover. For that reason, both backups and business continuity planning are vital. More importantly, your disaster recovery plan must be easily understandable, not reliant on any one employee, and readily put into motion upon short notice.
6. Who’s ultimately responsible for implementing your cybersecurity initiative?
The obvious answer to a question like this is that you’re the one accountable for successfully protecting company data and networks. The board, however, is more broadly interested in understanding your management personnel’s various roles and responsibilities. Expect probing questions about individual staff members you’ve hired, their backgrounds, and how well prepared they are to protect the company from sophisticated cyber threats.
When answering this question, ensure that the roles and responsibilities are clear. This added transparency helps the board understand that you apprehend the importance of accountability across all levels of the company while ensuring that you’ve established the right team to keep your company safe.
Are you confident with your current cybersecurity plan?
PCH Technologies is a top-rated cybersecurity service provider with decades of experience serving enterprise-level organizations across multiple business sectors. We provide comprehensive cyber risk assessments for corporate executive teams preparing for their annual board meeting.
For more on how PCH Technologies can help you develop an impenetrable cybersecurity plan, schedule your free discovery call online today or call us at (856) 754-7500 now.