4 Cybersecurity Questions Boards Need to Address and Beware of!

The world has changed a lot since the first case of COVID was found in Wuhan; the virus did not just affect our day-to-day lives but also our work. As a board member of an organization, how much do you understand about cybersecurity? Do you have the right advisors who can help your board become cyber aware and empower the right person to help the organization stay secure?

If you answered yes to any of these questions, then you are reading the right blog post. This blog post is about how boards of companies of any size can ensure their CISO/CIO or IT teams are doing the right thing to protect their business. Let’s start!

We all know that there are two types of organizations:

  1. Those that know they have been hacked
  2. Those that don’t!

Any company, regardless of its size, should assume breach and take the right approach to minimize the impact of a cyber attack. While there are two types of organizations, there are of course also two types of boards:

  1. Those that approve their teams taking a defensive posture on security
  2. Those that empower their teams to take an offensive approach

It’s a famous saying among entrepreneurs that they hire people smarter than themselves, while I saw many hiring managers do the opposite, also at board level! Someone with good connections can easily be hired into C-level technical positions, and in my career I helped many of those get back to their business through incident response teams 🙁 A good example of this is the famous SolarWinds attack, where the ex-CEO and current top executives blamed an intern for using the password “SolarWinds123”! Don’t you think it was a lame excuse? So what are you doing not to end up in the same spot as those executives?

By now any board member should know that cybersecurity is not just a cost center and a technical element. IT is a “key” component that can transform a business, and if the technology is used correctly, IT is actually a profit center. Look at companies that invested in the cloud well before COVID, and how easily they transformed from working in the office to working remotely!

Boards should support innovation, and innovation is mostly done with technology. While technology is important, securing it is just as important. That’s why boards should task their executive management with having incident response in place: foresee any possible cyber attack and, in case it happens, know how to get back online as soon as possible. While the tech teams are busy doing that, management should know how to communicate this with customers, partners and media, and of course with the regulators and government. Boards need to be innovative and resilient in their mindset.

OK then, what are the 4 key questions boards need to address?

1. How can IT help to make revenue?

Your digital transformation program is not just about technology, but also about risk. While technology is implemented and used, risk management should identify any possible gaps, and any gap that cannot be mitigated should be known to the board.

2. What is your cybersecurity strategy?

In other words, what does cybersecurity mean to your organization?

As the board, you need to know the consequences if your organization is breached, and how to respond not just to the attack but also to customers, shareholders, partners, and more! The board needs to approve the “Cyber Risk Framework”. The possible exposures need to be assessed for impact based on metrics such as response time, cost and legal or compliance implications, and planned for, to attract investment commensurate with a risk-based assessment.

Any board should know what information is business critical; you need to be able to answer the questions below without any hesitation:

  • What are your crown jewels, and how can you protect them?
  • As a board, do you have a periodic review of your cyber resilience program?
  • Is the cyber strategy aligned to your business risks?
  • Are those risks identified? Do you monitor the risks, and if yes, how? What are the escalation metrics?
  • What is the people strategy around the business, and is it also aligned with your cyber strategy? Does the cyber strategy cover insider risks, and how do you monitor/mitigate them?
  • What is the relationship with your partners / third parties? Is the relationship with your supply chain part of your cyber strategy?

The answers to the questions above will give you “satisfaction” about how your critical information, assets and data are secured. The board should have confidence in what is done in the IT space and how it affects the organization.

And the final step of the strategy is about how the budget is aligned and how the resources have been allocated to make the cyber strategy a success. In other words, the ROI needs to be clear.

3. As a board, what is our plan to develop in the areas in which we’re lacking?

Appointing ownership of the cybersecurity program is important. It’s also important to know and understand the legal implications of cyber risks. The owner of the cyber plan (the Chief Information Security Officer, CISO) should be empowered to implement the strategy successfully and to reach any of the board members as necessary, when needed.

4. Does the board have the right committee to understand cyber matters?

Most boards have external advisors, and it’s really important to select the right advisor, one who understands not just business but also cybersecurity to its core.

I saw many “external board advisors” who again are assigned based on “recommendations”, which is not wrong for sure, but if the recommendation comes from a board that is not aware whether they are “cyber ready”, then the recommendation is not going to be right!

Again, through my career I met many advisors and wondered how they were advising others while they themselves had no clue about even the basics of cybersecurity. For sure they were excellent communicators using the right buzzwords, based on some articles they were reading.

There will be more blog posts in the near future about this topic, so please keep an eye on my LinkedIn page or here to read more.

If you think you need help understanding cybersecurity better, you might read my new book, the details of which you can see below:
