Cyber Risk: What Questions to Ask – and How to Ask Them

The days are long gone when board members could take a passive approach to cybersecurity. If you sit on a board, you have a fiduciary responsibility to help set the agenda for cybersecurity and exercise proper oversight to minimize overall risk to the organization.

In order to provide that oversight, you must feel comfortable having “risk conversations” with your business and cybersecurity leaders, as well as with your peers at the board level. Collectively, you have a shared responsibility to ensure the organization is identifying, quantifying and monitoring risk, while making the preparations needed to deal with a successful cyberattack.

This puts added pressure on board members to know what questions to ask, when to ask them and how to ask them. In order to exercise proper oversight, you must also strive to overcome the inherent language barriers that exist between business and technical people.

Perhaps even more important, you must be able to understand, evaluate and scrutinize the answers you are getting from your business and cybersecurity leaders. Otherwise, how can you help determine whether the organization is actually adhering to the risk parameters set by the board?

Understanding the Board’s Role

To get started, it is important to understand and internalize the evolving oversight role of board members when it comes to cybersecurity. The National Association of Corporate Directors (NACD) in the U.S. outlines five core principles for corporate boards to improve oversight of cyber risks:

  1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
  2. Directors should understand the legal and regulatory implications of cyber risks as they relate to their company’s specific circumstances.
  3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber risk management should be given regular and adequate time on the board meeting agenda.
  4. Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget.
  5. Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach. [1]

Finding Common Language

Before you even start asking questions to achieve these goals, you have to make sure you are on common ground with your cybersecurity people in terms of the language you are both using. It will do you no good if they delve deep into product specs that may be meaningful to them but provide little illumination to you in terms of risk management and mitigation. It’s okay to be inquisitive and want to learn more, and you should not be intimidated by tech talk. Just keep asking them to explain it until you understand it.

You have to talk in language that relates to the overall goals of the business, and make sure your cybersecurity leaders are comfortable in that milieu. For example, they must be able to quantify the financial risk if a key application goes down. They must go beyond discussing what a material impact of a major data privacy breach would mean in terms of costs, goodwill and brand reputation, and also address the integrity and availability of the data and systems on which the business depends. And they must be able to assess the overall impact of missing a regulatory compliance requirement.

The more specific you can be in defining risks to avoid, accept, mitigate or transfer (see principle #5 above), the more focused you can be in posing the best follow-up questions to ensure that the board is exercising proper oversight.

Building a Cybersecurity Framework

Once you feel that the board is on the same page as the CIO, CISO and other cybersecurity leaders in terms of defining the organization’s risk profile, it is time to get down to the business of evaluating where you stand in relation to that risk profile.

That starts with asking about and developing an understanding of the underlying cybersecurity framework the organization is using to design and support their people, processes and technologies.

Perhaps your organization, like many across the world, is using a framework modeled on the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework. A survey a couple of years ago found that 70% of security professionals viewed the NIST framework as a security best practice; that number has likely risen since the release of Version 1.1 in April 2018.

The NIST Cybersecurity Framework is among the most comprehensive frameworks for managing cyber risk. It organizes an organization’s security activities around five core functions (Identify, Protect, Detect, Respond and Recover), which gives the board a simple vocabulary for asking where the organization stands. It not only helps protect your organization from a successful cyberattack; it also helps limit your liability and helps establish a culture of cybersecurity within your organization.

Asking the Right Questions

Once you have established your risk profile and identified the organization’s cybersecurity framework, you are ready to ask the follow-up questions necessary to make sure best practices are being followed and the organization is adapting regularly to the rapidly evolving threat landscape.

Here are some of the key questions board members should be asking:

  1. Are there formal review processes in place to evaluate where the organization stands against its cybersecurity framework?
  2. How often do these reviews take place, and what metrics are used to evaluate whether the organization’s risk profile is improving or getting worse?
  3. Have these metrics been developed in close alignment with the organization’s risk profile, so that they measure the risks the board actually cares about?
  4. What is the expected security behavior of employees, and how is that communicated to them? Are there awareness campaigns to ensure that people know what is expected of them?
  5. Is the organization measuring actual employee behavior and outcomes against those expectations? For example, email is often the biggest security gap. Are employees being tested with controlled phishing and malware campaigns, and are the results tracked over time?
  6. How does the organization identify gaps in its controls? Does it perform ongoing gap analyses? If so, how often are they done? When gaps are identified, are there formal processes, owners and deadlines to fix them?
  7. How quickly can the organization detect and respond to a compromised system? What techniques are used? If it takes two days to respond, how can that be reduced to a day, or a half day, or an hour?

Simply by posing these questions you are delivering significant value to your organization. You are forcing your teams to focus on managing risk and developing real-world metrics and best practices to evaluate how the organization is performing against those risks.

You are also ensuring that ongoing governance and oversight processes are in place to force cybersecurity teams to constantly evaluate and monitor their people, processes and technologies to adapt to changing market conditions and new threats.

Generally, a good rule of thumb is to have IT and cybersecurity teams evaluate their progress every six to nine months. This may seem like a high frequency, but it’s not in today’s environment. Yes, the threat landscape is changing quickly, but perhaps the biggest reason to stay on top of cybersecurity is that most businesses are also changing quickly.

Across all industries, we are witnessing accelerated development cycles and “consumerized” expectations for new services, increased mobility and targeted analytics—not to mention a growing attack surface fueled by growth of the Internet of Things, artificial intelligence and machine learning.

Conclusion

As a board member, you don’t need to be a cybersecurity expert, but the more you know, the more value you can provide in your oversight role. For example, you should take time to review the NACD handbook on Cyber-Risk Oversight and the NIST Cybersecurity Framework.

You should also talk to your peers and compare notes. Many directors sit on multiple boards and have different experiences across various industries. By sharing experiences and knowledge, you can bring new ideas to the table that can improve any organization’s cybersecurity risk posture.

Serving on a board of directors is a privilege. But it also comes with a responsibility to add value. When it comes to cybersecurity, attaining some basic knowledge and understanding which questions to ask can go a long way towards ensuring that the oversight you provide is informed, up to date and well positioned to propel the organization forward.

[1] “Cyber-Risk Oversight,” NACD

End Points

  • To exercise proper fiduciary oversight, board members need to find common language with their cybersecurity leaders.
  • A key step forward is to understand the organization’s cybersecurity framework and how often it is reviewed.
  • Board members can also add value by talking with peers to find out what other companies in other industries are doing.