What Cybersecurity Questions Are Boards Asking CISOs?

“Increasingly, cybersecurity is becoming a top-of-mind issue for most CEOs and boards, and they are becoming more preemptive in evaluating cybersecurity risk exposure as an enterprisewide risk management issue, not limiting it to an IT concern.” – Deloitte’s “Cybersecurity: The changing role of audit committee and internal audit

As mentioned in a previous article, boards are feeling increased pressure from government regulators and shareholders regarding their role in the oversight of cyber risks. This article looks at the questions a CISO is likely to face when presenting to the board, as well as what directors are advised to ask CISOs about when it comes to cybersecurity.

Board Questions Regarding Oversight

Boards have only recently taken on cyber risks in the boardroom. They are still looking to find the right fit for cyber risks within the board and its environment, as evidenced by ongoing arguments such as whether cyber risks should be a full-board issue or delegated to an audit or risk committee, and what amount of time boards should give to cyber issues.

According to KPMG’s latest report, “Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom,” the questions on directors’ minds are: “Am I asking the right questions? How do I get comfortable? Are we doing enough? How do I know we are doing the right things? Are we making the right decisions?”

The report goes on to list questions that boards are asking about cybersecurity oversight in general, including whether the CISO function is correctly positioned (i.e., not under the CIO), whether the CISO has direct reporting capability to the CEO, the frequency and quality of meetings and briefings where cyber risks are the primary topic.

In particular, boards are concerned about their responsibilities to shareholders when it comes to cybersecurity. Notably, this includes whether boards themselves are asking the right questions and receiving quality answers and, most importantly — from a director’s perspective, anyway — whether the board is being transparent enough in keeping shareholders informed about the organization’s handling of cyber risks.

Board Questions to Executive Management and CISOs

According to SpencerStuart, boards also know they have a duty to ensure top executives understand their own role in managing and overseeing risks, that management understands how cyber risks can impact the business and that management appropriately funds cybersecurity efforts.

Written from the perspective of cybersecurity program management, EY’s Cyber Program Management report has boards asking the organization’s security leadership questions such as:

  • Are profit-generating assets adequately secured?
  • How well-protected is high-value information?
  • Is the organization’s cybersecurity strategy aligned with its business objectives?
  • How is the effectiveness of the cybersecurity program measured?
  • Is the organization spending appropriately on security priorities?
  • Would the organization be able to detect a breach?
  • Does the cybersecurity area have access to adequate resources?
  • How does the organization’s security program compare to that of its peers?

As boards seek to better understand the nature of cyber risks, directors are also asking questions about the threats faced, the levels of cyber insurance and the nature of the coverage, the ways that an attack could unfold, how the organization would detect and respond to such a scenario and how/when the incident would be reported to the board. Boards are also asking CEOs to take a more proactive role in managing cyber risks, and they’re asking about the extent to which cybersecurity is a priority for leadership.

Boards Undergo a Mental Shift

Robyn Bew, director of research at the National Association of Corporate Directors (NACD), gave advice to boards of directors in a piece from Ethical Boardroom. She suggested boards ask management about the level of cyber risk tolerance for various assets and threats, how cybersecurity is factored into business decisions and business relationships (i.e., the security of third-party vendors) and the threshold level of a material breach requiring board notification.

This advice is part of a larger framework of knowledge for directors assembled by the NACD, compiled in the Cyber-Risk Oversight handbook, available in executive summary form and in full from the NACD website.

As boards internalize the mental shift — moving from an “our-layers-of-defense-make-us-secure” mindset to a “breach-is-inevitable-let’s-be-ready” mindset — directors are starting to ask more probing questions about the level of readiness to detect, respond to and handle the inevitable breach.

The Wall Street Journal article titled “Cybersecurity: Boards Must Ask Sharper, Smarter Questions” recommended that boards ask about the lessons learned and the revamped response process from recent cybersecurity incidents. They should inquire particularly about the overall evaluation of the security team’s response to the incident. More mature board discussions are likely to involve a review of the effectiveness of security controls and the overall security program, as well.

The Relevant Questions

Cybersecurity Docket had a good recap of an approach recommended to boards. When it comes to overseeing cyber risks, directors should address the subject of cyber risks “with a vigorous, skeptical, intelligent and methodical inquiry.” The article contains a detailed list of 10 cybersecurity concerns that boards should be asking about, ranging from policies to insurance to lessons learned.

Another CISO — who has asked to remain anonymous — was invited to present at a conference of board directors. There, the executive was asked about:

  • Issues that stem from organizational structure, such as where the CISO function should be housed and what dotted line reporting paths should exist;
  • Attributes that boards could use to determine how effective the CISO was at performing his/her job;
  • Best practices for cyber risk management and how best to measure and communicate risks; and
  • The rising cost of cybersecurity programs and the difficulty in evaluating their effectiveness. Directors asked if there is a threshold point at which throwing more money at cybersecurity does not provide enough of a return.

Understanding and anticipating these questions can help security professionals and CISOs communicate more clearly with executives, implement cybersecurity initiatives and better position the organization for success.

Share this Article:
Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. Beyond the classroom, Chris is also very active in the security community, engaging with community groups and advising business leaders on how to best manage information security risks.