“Increasingly, cybersecurity is becoming a top-of-mind issue for most CEOs and boards, and they are becoming more preemptive in evaluating cybersecurity risk exposure as an enterprisewide risk management issue, not limiting it to an IT concern.” – Deloitte’s “Cybersecurity: The changing role of audit committee and internal audit”

As mentioned in a previous article, boards are feeling increased pressure from government regulators and shareholders regarding their role in the oversight of cyber risks. This article looks at the questions a CISO is likely to face when presenting to the board, as well as what directors are advised to ask CISOs about when it comes to cybersecurity.

Board Questions Regarding Oversight

Boards have only recently taken on cyber risks in the boardroom. They are still looking to find the right fit for cyber risks within the board and its environment, as evidenced by ongoing arguments such as whether cyber risks should be a full-board issue or delegated to an audit or risk committee, and what amount of time boards should give to cyber issues.

According to KPMG’s latest report, “Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom,” the questions on directors’ minds are: “Am I asking the right questions? How do I get comfortable? Are we doing enough? How do I know we are doing the right things? Are we making the right decisions?”

The report goes on to list questions that boards are asking about cybersecurity oversight in general, including whether the CISO function is correctly positioned (i.e., not under the CIO), whether the CISO has a direct reporting line to the CEO, and the frequency and quality of meetings and briefings where cyber risks are the primary topic.

In particular, boards are concerned about their responsibilities to shareholders when it comes to cybersecurity. Notably, this includes whether boards themselves are asking the right questions and receiving quality answers and, most importantly — from a director’s perspective, anyway — whether the board is being transparent enough in keeping shareholders informed about the organization’s handling of cyber risks.

Board Questions to Executive Management and CISOs

According to SpencerStuart, boards also know they have a duty to ensure top executives understand their own role in managing and overseeing risks, that management understands how cyber risks can impact the business and that management appropriately funds cybersecurity efforts.

Written from the perspective of cybersecurity program management, EY’s Cyber Program Management report has boards asking the organization’s security leadership questions such as:

  • Are profit-generating assets adequately secured?
  • How well-protected is high-value information?
  • Is the organization’s cybersecurity strategy aligned with its business objectives?
  • How is the effectiveness of the cybersecurity program measured?
  • Is the organization spending appropriately on security priorities?
  • Would the organization be able to detect a breach?
  • Does the cybersecurity area have access to adequate resources?
  • How does the organization’s security program compare to that of its peers?

As boards seek to better understand the nature of cyber risks, directors are also asking questions about the threats faced, the levels of cyber insurance and the nature of the coverage, the ways that an attack could unfold, how the organization would detect and respond to such a scenario and how/when the incident would be reported to the board. Boards are also asking CEOs to take a more proactive role in managing cyber risks, and they’re asking about the extent to which cybersecurity is a priority for leadership.

Boards Undergo a Mental Shift

Robyn Bew, director of research at the National Association of Corporate Directors (NACD), gave advice to boards of directors in a piece from Ethical Boardroom. She suggested boards ask management about the level of cyber risk tolerance for various assets and threats, how cybersecurity is factored into business decisions and business relationships (e.g., the security of third-party vendors) and the threshold at which a breach is considered material and requires board notification.

This advice is part of a larger framework of knowledge for directors assembled by the NACD, compiled in the Cyber-Risk Oversight handbook, available in executive summary form and in full from the NACD website.

As boards internalize the mental shift — moving from an “our-layers-of-defense-make-us-secure” mindset to a “breach-is-inevitable-let’s-be-ready” mindset — directors are starting to ask more probing questions about the level of readiness to detect, respond to and handle the inevitable breach.

The Wall Street Journal article titled “Cybersecurity: Boards Must Ask Sharper, Smarter Questions” recommended that boards ask about the lessons learned and the revamped response process from recent cybersecurity incidents. They should inquire particularly about the overall evaluation of the security team’s response to the incident. More mature board discussions are likely to involve a review of the effectiveness of security controls and the overall security program, as well.

The Relevant Questions

Cybersecurity Docket had a good recap of an approach recommended to boards. When it comes to overseeing cyber risks, directors should address the subject of cyber risks “with a vigorous, skeptical, intelligent and methodical inquiry.” The article contains a detailed list of 10 cybersecurity concerns that boards should be asking about, ranging from policies to insurance to lessons learned.

One CISO — who has asked to remain anonymous — was invited to present at a conference of board directors. There, the executive was asked about:

  • Issues that stem from organizational structure, such as where the CISO function should be housed and what dotted line reporting paths should exist;
  • Attributes that boards could use to determine how effective the CISO was at performing his/her job;
  • Best practices for cyber risk management and how best to measure and communicate risks; and
  • The rising cost of cybersecurity programs and the difficulty in evaluating their effectiveness. Directors asked if there is a threshold point at which throwing more money at cybersecurity does not provide enough of a return.

Understanding and anticipating these questions can help security professionals and CISOs communicate more clearly with executives, implement cybersecurity initiatives and better position the organization for success.
