9 security questions a director should ask management
I recently collaborated on an ECODA/AIG/ISA publication that serves as a guide for board members on how to approach cybersecurity. You can find the 5 basic principles from the guide in my previous post. Find the full ECODA handbook here.
The handbook provides a few toolboxes, of differing quality. Toolbox A is worth a read.
The toolbox is a list of questions for evaluating how cybersecurity is handled in your organization. It lets board members perform a self-assessment and get the ‘lay of the land’.
Many of these questions tie back to the principles from our guidebook: having a solid risk management program, access to security expertise, mitigation of risks through insurance, etc.
- Does the CEO encourage open access between and among the Board, external sources, and management about emerging cyber threats?
- Are we considering the cybersecurity aspects of our major business decisions, such as M&A, partnerships, new product launches, etc., in a timely fashion?
- Do we know the maturity scale of our cyber risk program?
- Are we spending appropriately on cybersecurity tools and training? Do we know if our spending is cost-effective? Are we actually improving security or just completing compliance requirements?
- Who is managing our cybersecurity? Do we have the right talent and clear lines of accountability/communication for cybersecurity?
- Have we considered how we would manage our communications in the case of a cyber event, including communicating with the public, our shareholders, our regulators, our rating agencies? Do we have segmented strategies for each of these audiences?
- Does our organization participate in any of the public or private sector ecosystem-wide cybersecurity and information-sharing organizations?
- Is the organization adequately monitoring current and potential cybersecurity-related legislation and regulation?
- Does the company have adequate insurance, including Directors and Officers, that covers cyber events? What exactly is covered? Are there benefits beyond risk transfer to carrying cyber insurance?
I find these questions help keep the cybersecurity conversation in the business sphere.
Don’t allow yourself to be ‘out-jargoned’ by security professionals. Security is a business issue you have to get a grip on!
In future posts, we will get into some of the details of cyber risk management and security governance.