10 Questions Boards Need to Ask About Cybersecurity

  • Carissa Duenas
  • Published: March 17, 2022

Boards of directors must prioritise securing their organisations and demonstrate a commitment to establishing a cybersecurity-oriented culture. It has become part of their fiduciary and oversight responsibilities for managing risk.

But many boards are unsure how to understand and address the cyber posture of their organisations. Some view it as a technical exercise best left to IT teams, while others believe they need specialist expertise before they can comprehend how cybersecurity affects the firm.

What steps can boards take to address this?

In this article, we discuss:

  • 5 concepts that boards need to understand about cybersecurity
  • 10 questions that boards need to ask at their next board meeting

What boards need to know about cybersecurity

1. Cybersecurity goes beyond protecting data.

The Harvard Business Review article cited below [1] establishes this point well: cybersecurity does not only cover the measures required to protect data. It goes beyond preventing personal information from being leaked, customer databases from being stolen, or credit cards from being used fraudulently.

While those remain real issues, businesses have also drastically digitised their processes to sustain operations during the pandemic (and in many cases before then). Overseeing cybersecurity in today's business environment therefore requires a more holistic approach.

A healthy cybersecurity posture takes into account the digital and connected systems that run the information supply chain (automatic ordering and fulfilment processes, for example), production processes (such as the remote management of equipment), and the management of a digitally connected remote workforce. A failure in any of these can halt operations even if no data is stolen.

Directors need a general understanding of the security ecosystem, and relationships within, in order to adequately address risk.

2. When thinking about cybersecurity, boards should focus on risk, reputation, and business continuity.

Priorities can get muddled when it comes to addressing cybersecurity, especially where the roles of cybersecurity professionals and the board of directors overlap.

The goal of cybersecurity professionals is to develop practices that ensure the confidentiality, integrity, and availability of both data and systems, the so-called "CIA triad" of cybersecurity. Cyber professionals focus on the tactical level: how to address the technical, operational, and organisational aspects of cybersecurity.

Directors do not require the same technical knowledge as these professionals. They also do not need to become cybersecurity experts. Instead, they must take a look at the issue from a macro perspective and focus on the impacts on risk, reputation, and business continuity. 

However, cybersecurity professionals and boards share the common goal of protecting the organisation. Together they need to establish objective and useful metrics, and agree on clear, consistent language that sparks insightful discussion. Directors should not get lost "in the weeds." Eliminating technical jargon when presenting reports or metrics to the board helps prevent this, and it also gets everyone on the same page. A useful test for any metric is whether a director could act on it: "number of alerts" is not actionable, whereas "percentage of critical systems with a tested recovery plan" is.

3. Boards need to be engaged when it comes to cybersecurity oversight.

It is not the board's role to draft the organisation's cybersecurity plan. What it needs to ensure is that an actionable plan exists, is owned by someone, and is tested.

To help craft a cybersecurity strategy, executives and directors can look into the NIST Cybersecurity Framework.

The framework was developed by the US National Institute of Standards and Technology (NIST). It presents a voluntary set of standards, guidelines, and practices that help companies prepare for cyberattacks, and it is simple enough to give directors a good structure for thinking about the important considerations in cybersecurity.

It has five core functions:

  1. Identify: what processes and assets need protection?
  2. Protect: implement safeguards to ensure the protection of the enterprise's assets.
  3. Detect: implement mechanisms to identify the occurrence of cybersecurity incidents.
  4. Respond: develop techniques to contain the impact of cybersecurity events.
  5. Recover: implement appropriate processes to restore capabilities and services impaired by cybersecurity incidents.

Well-prepared organisations have documented and communicated plans for each of these functions and have "rehearsed" the actions to be taken in the event of a breach. The NIST framework helps organisations prepare for incidents and provides direction on what to do after an attack.

4. The common approach to cybersecurity is employing defensive "layers."

Many enterprises approach cybersecurity with a series of layered protective measures that safeguard critical information, a "defence-in-depth" strategy. The idea is that when one security mechanism fails, another behind it can still stop the attack.

The perimeter-focused version of this approach is known as the "castle-and-moat" model, because it mimics the layered defences used to protect medieval castles from external attack: a strong outer wall (the network perimeter) with everything of value kept inside.

Castle-and-Moat vs. Zero-Trust Models

However, while the castle approach provides perimeter defence, many organisations find merit in shifting to a zero-trust model. There are fundamental differences between the castle-and-moat and zero-trust approaches.

In a nutshell, the castle-and-moat approach is based on the philosophy of defending the perimeter while assuming that everything already inside poses no threat and is cleared for access. Once an attacker or a compromised laptop gets past the wall, this assumption works in their favour.

Zero-trust security works on the assumption that security risks are present both inside and outside the network. Nothing inside is trusted by default, hence the name "zero trust": every user, device, and request is authenticated and authorised regardless of where on the network it comes from. With zero trust, security is built into the network rather than "just layered on top of it" [5].

Whether adopting castle-and-moat or zero-trust, a high-level understanding of the security approach the organisation employs can provide context for cyber-related discussions and facilitate more meaningful conversations on cyber issues.

5. Cybersecurity is not an IT problem. It involves the entire organisation.

A recent study from Stanford University and the security firm Tessian [4] reported that 85% of data breaches were caused by human error. Note that "human error" in such studies includes actions such as clicking a phishing link or sending an email to the wrong recipient, so the lesson is twofold: foster a "security-first" culture throughout the organisation, and design controls that tolerate the occasional mistake. Delivering a consistent message on the value the firm places on security helps shift the mindset of employees, who should recognise their role as champions of security.

10 cybersecurity questions that boards need to ask

Here’s a list of questions that will help your board understand how cybersecurity is being managed in the organisation. 

1. What are our “crown jewels” or most critical assets — and how are we protecting them?

The board must identify the organisation's most important assets (intellectual property, customer databases, financial information, or the systems that keep operations running) and ensure that steps are taken to secure them.

A best practice is for the board to look at these key assets and put "risk- or value-based governance mechanisms" around them, so that the level of protection and oversight matches what the asset is worth to the business.

2. Is the board well-educated on cyber risks?

Boards can further be engaged and educated on cybersecurity matters when discussions revolve around: 

1.) the types of cyberthreats to the organisation

2.) the assets that are prone and vulnerable to those threats

3.) what investments can be made to combat those threats

This gives directors a crucial starting point for conversations with management and executives about the cybersecurity position of the firm.

If more information is needed, the board should not hesitate to engage cybersecurity counsel or forensic providers for board-specific training sessions, so that directors obtain a better understanding of the company's cyber risk position.

3. Are we informed about regulatory schemes and legal obligations? 

Though this is not easy given the ever-changing state of privacy and cybersecurity legislation, boards must still know the current and potential regulatory and contractual obligations the company has, especially with respect to cybersecurity (breach notification deadlines, for example). This requires periodic evaluation of the organisation's ability to meet them. By doing so, boards and management adopt a proactive risk mitigation approach rather than a passive one.

4. Have we adopted layers of protection to secure the organisation?

Boards do not need to decide how the organisation's defensive strategies are implemented. But they do need to be made aware of what those strategies are, how effective they are expected to be in protecting the company, and what happens if a layer fails.

5. How do we know if we’ve been breached? How do we detect a data breach?

Part of the board's fiduciary duty is to ensure that the organisation has both protection and detection capabilities. The reality is that most breaches are not detected immediately, and some are only discovered when an outside party reports them. Boards have to ensure that their organisations know how a breach would be detected (or have a plan for it), how long detection is expected to take, and what risk the organisation accepts by relying on that approach.

6. What is the board’s role in cyber-incidents?

Should the decision to pay a ransom in a ransomware attack fall to the board? Should the board be accessible to customers? Should directors meet with top organisational leaders for hands-on, agile decision making? Which decisions should be delegated to management?

It is important for the board to know what its role will be in the event of a cybersecurity breach. Boards should take part in "fire drills" and tabletop exercises so they know what to do when an incident takes place, rather than working it out under pressure.

7. What is our response plan?

Though the board will not usually be directly involved in creating a response plan, it is part of the board's responsibility to ensure that one exists. The plan should answer the following questions:

1.) What is the role of executives and leaders in the response plan?

2.) What is the communications plan?

3.) Who is responsible for alerting authorities?

4.) Who will manage client and media concerns?

8. Are we making appropriate investments in cybersecurity?

Companies should carefully evaluate their current protection levels and risk tolerance before making investments. It can be helpful to commission cyber-attack simulations or penetration and vulnerability tests before committing to specific spending, so that money goes to demonstrated gaps rather than to whatever is being marketed most loudly.

It is critical for an organisation to have a skilled, knowledgeable, and security-focused team to tackle the security problems and vulnerabilities that affect the core of the business. This team will be able to help the business allocate and direct investment to where it is most needed.

9. Does the board practice good digital hygiene in its processes and communications?

The board's own communications should be conducted with security and privacy in mind. The board should ask questions such as: do we communicate over secure channels? Are board documents encrypted at rest and in transit? Are our methods for video conferencing and collaboration secure?

Using a board portal is beneficial from this perspective. 

A board portal is a centralised, secure, online hub designed for board administrators and directors to organise and manage meetings, access materials, communicate with each other, and carry out their governance responsibilities. It supports securing board-related functions and activities.

Adopting a security-focused board portal, such as Boardlogic, is not only integral to protecting board assets; it also plays a role in cascading a "security-first" culture downward. The board walks the cybersecurity talk: security begins at the top.

10. Do we integrate security concerns into our discussions?

Boards make decisions on mergers and acquisitions, partnerships with third parties, technology or digital transformation efforts, and other major initiatives. The current threat landscape all but demands that security implications be included in these discussions: an acquisition target's security posture is part of its value, and a third party's access to your systems is part of your attack surface. There are security standards that must be met and risk thresholds to consider. Factoring a security conversation into these decisions helps manage enterprise risk.

Takeaway

Boards cannot shy away from their cybersecurity governance responsibilities.

As the most valuable assets of organisations are digitised, stakeholders expect the organisation to take all reasonable measures to protect itself against a perilous cybersecurity landscape. This requires that the board ask the right questions, so that cyber priorities and plans can be laid out effectively. Neglecting, or failing to comprehend, the firm's current cybersecurity posture is a misstep that can ultimately hurt the resilience of the organisation.

————

References:

[1] Pearlson, K., & Neto, N. N. (2022, March 4). 7 Pressing Cybersecurity Questions Boards Need to Ask. Retrieved March 8, 2022, from https://hbr.org/2022/03/7-pressing-cybersecurity-questions-boards-need-to-ask

[2] What is the NIST Cybersecurity Framework? (n.d.). Retrieved March 8, 2022, from https://www.balbix.com/insights/nist-cybersecurity-framework/

[3] Mahajan, R., Shukla, G., & Seshadri, D. (n.d.). The Changing Role of the Board on Cybersecurity. Retrieved March 10, 2022, from https://www2.deloitte.com/content/dam/Deloitte/in/Documents/risk/in-ra-changing-role-of-the-board-on-cybersecurity-noexp.pdf

[4] The Psychology of Human Error. (n.d.). Retrieved March 11, 2022, from https://www.tessian.com/research/the-psychology-of-human-error/

[5] Ratnaparkhi, K. (2021, August 26). What is the castle-and-moat network model? Retrieved March 8, 2022, from http://technoponder.com/what-is-the-castle-and-moat-network-model/