Cyber Security Questions for Board of Directors
Although boards of directors have added cybersecurity risk to their agendas, there is no standard way for boards to think about cybersecurity, much less time-tested guidelines to help them navigate the issue.
For boards, cybersecurity is an issue of enterprise risk. As with all enterprise risks, the key focus is mitigation, not prevention. This universally understood enterprise risk guideline is especially helpful in the context of cybersecurity because no one can prevent all cyber breaches. Every company is a target, and a sufficiently motivated and well-resourced adversary can and will get into a company’s network.
Consequently, terms like “cyber defense” are insufficient descriptors of an effective posture because they evoke the image that corporations can establish an invincible perimeter around their networks to keep bad actors out. Today, it is more accurate to think of the board-level cybersecurity review goal as “cyber resilience.” The idea behind the cyber resilience mindset is that, because you know network breaches will happen, it is more important to focus on detecting and responding to intrusions as rapidly as possible and on mitigating the associated risks.
1. How do we integrate Cybersecurity with the current business direction and planning?
2. What are our main Cybersecurity risks?
3. Is the right amount of Cybersecurity risk accepted?
4. Is our process for identifying, assessing and managing Cybersecurity risks effective?
5. Do we have a Cybersecurity culture in our organisation? Do people in this organisation have a common understanding of the term "Cybersecurity"?
6. How do we ensure that Cybersecurity risk management is an integral part of the planning and day-to-day operations of individual business units?
7. How do we ensure that the Board’s expectations for Cybersecurity risk management are communicated to and followed by the employees in the company?
8. Do we have a process to manage electronic evidence? How do we ensure that our executives and employees act in the best interests of this organisation's Cybersecurity posture?
9. How is Cybersecurity risk management coordinated across the organisation and vendors?
10. How do we ensure that the organisation is performing according to the business plan and within appropriate Cybersecurity risk tolerance limits?
11. How do we monitor and evaluate changes in the external environment and their impact on the organisation's strategy and Cybersecurity risk management practices?
12. What information about the Cybersecurity risks targeting the organisation does the Board get to help it fulfil its stewardship and governance responsibilities?
13. How do we know that the information the Board gets on Cybersecurity risks or threats and vulnerabilities is timely, accurate and reliable?
14. How do we decide what information on Cybersecurity risks we should publish?
15. How do we take advantage of the organisational learning that results from the Cybersecurity risk management corrective actions and/or preventive action plans?
16. What are our priorities as a Board in the oversight of Cybersecurity risks?
17. How does the Board handle its responsibility for the oversight of opportunities that introduce Cybersecurity risks to the organisation?
18. How does the Board ensure that at least some of its members have the requisite knowledge and experience to address Cybersecurity risks, and that at least one member serves as the Board's Cybersecurity expert?
19. How do we, as a Board, help establish the "tone at the top" that reinforces the organisation's values and promotes a "Cybersecurity culture"?
20. What grade would the Board give itself for its oversight of Cybersecurity risk?
The board is accountable for the organisation’s investment strategy. In years past, information security spending was part of a larger IT-related budget. Not anymore. Gartner estimates that by 2020, IT security spending will grow from $75 billion to $170 billion. With such levels of spending, boards will be more apt to scrutinize investments and actively manage budgets.
To manage the risk associated with a cyber attack, leadership must bring together key components of an organisation to develop joint ownership of risks and a comprehensive approach to cybersecurity. Having a policy isn’t enough. Companies also need tools, processes, and up-to-date information on the ever changing threats to their enterprises.
The Author is a Chevening Cyber Security Fellow (UK) and a participant of the IVLP (USA) program on Linking Digital Policy, Cyber Crime and Law Enforcement. He is a practising lawyer at the Bombay High Court.
He regularly advises top corporate companies and government agencies on Cybersecurity technical and legal issues.
Cyber/Internet crimes are also known as Wire fraud crimes. Wire fraud is the attempt to steal money or property through fraud or deception while utilizing “wire” means such as the internet, telephones, radio, television or electronic financial transactions. Accusations of wire fraud are particularly dangerous because they are charged in federal court, where the penalties can be severe under the Federal Sentencing Guidelines. Contact an internet crime lawyer immediately if you have been charged with committing wire fraud or any other white collar crime.