9 security questions a director should ask management

9 security questions a director should ask management

I recently collaborated on an ECODA/AIG/ISA publication that serves as a guide for board members on how to approach cybersecurity. You can find the 5 basic principles from the guide in my previous post. Find the full ECODA handbook here.

The handbook provides a few toolboxes, of differing quality. Toolbox A is worth a read.


The toolbox is a list of questions to evaluate how cybersecurity is handled in your organization. It allows board members to do a self-assessment, to get the ‘lay of the land’.

Many of these questions reflect back on the principles from our guidebook: having a solid risk management program, access to security expertise, mitigation of risks through insurance, etc.

Here goes:

  1. Does the CEO encourage open access between and among the Board, external sources, and management about emerging cyber threats?
  2. Are we considering the cybersecurity aspects of our major business decisions, such as M&A, partnerships, new product launches, etc., in a timely fashion?
  3. Do we know the maturity scale of our cyber risk program?
  4. Are we spending appropriately on cybersecurity tools and training? Do we know if our spending is cost-effective? Are we actually improving security or just completing compliance requirements?
  5. Who is managing our cybersecurity? Do we have the right talent and clear lines of accountability/communication for cybersecurity?
  6. Have we considered how we would manage our communications in the case of a cyber event, including communicating with the public, our shareholders, our regulators, our rating agencies? Do we have segmented strategies for each of these audiences?
  7. Does our organization participate in any of the public or private sector ecosystem-wide cybersecurity and information-sharing organizations?
  8. Is the organization adequately monitoring current and potential cybersecurity-related legislation and regulation?
  9. Does the company have adequate insurance, including Directors and Officers, that covers cyber events? What exactly is covered? Are there benefits beyond risk transfer to carrying cyber insurance?


I find these questions help to keep the cybersecurity conversation in the business sphere.

Don’t allow yourself to be ‘out-jargoned’ by security professionals. Security is a business issue you have to get a grip on!

In future posts, we will get into some of the details of cyber risk management and security governance.

Start typing and press Enter to search

Shopping Cart