Corporate board members have a fiduciary responsibility to establish and oversee policies and practices that drive their company’s performance. This includes understanding the business impact a cyber breach can have and what’s being done to prevent it. Boards today are more disposed to ask questions regarding the effectiveness of their company’s security programs.
Cyber security is quickly becoming an essential part of the agenda discussed in board meetings, which CISOs and technical teams need to be ready for. Below, we’ve outlined a list of six key questions your board will ask and how to answer them in a clear and concise manner.
1. What are the most important assets or “crown jewels” that we must protect?
The Board of Directors (BOD) wants to make sure that your organization’s most important assets are secure. It may be your customer’s data, your internal networks and systems, or your company’s IP. Asking what is being protected and what needs to be protected is the first step to any successful cyber security program. If there is no agreement on what to protect, the strategy will not work.
2. What are the layers of protection we have put in place?
There is no way to be 100% secure, however, there are specific measures that can be taken to manage risk effectively. Protection is achieved with multiple lines of defense — antivirus software alone is not enough to keep your assets from being compromised. The BOD needs to know what layers of protection are in place, and how well each layer is serving its purpose.
3. Is our cyber security program compliant with industry standards and regulations?
The BOD is always concerned with the compliance of all company policies. The board will want to know whether the organization’s cyber security is guided by an existing, documented structure — some of the most widely accepted include ISO, NIST, and GDPR. It’s also important to demonstrate compliance with industry standards and regulations, which are more strict in legal and medical settings.
4. How do we know if we’ve been breached? How do we detect a breach?
Detection capabilities are a vital component of any cyber security strategy. Many breaches are not identified immediately after they occur, so the BOD needs to know how a breach is detected and agree with the level of risk resulting from this approach. There is no single tool used for threat detection, but rather a collection of systems that interact with each other, giving your organization the best chance of intercepting a threat.
5. What are our response plans in the event of a cyber incident?
A data breach can be detrimental to a business, often leading to financial loss, downtime, reputational damage, and more. So, what happens in the event of a cyber attack? The BOD needs assurance that the business will go on. Part of your preparedness involves having a solid plan for both business continuity and disaster recovery. Test your plans and ensure that all team members know what’s expected of them.
6. Is our cyber security investment enough? How are we allocating resources?
As with all other resources, a budget must be set for cyber security. You can’t invest any amount of time or money to be 100% secure. However, the BOD needs to guarantee they have a highly skilled and knowledgeable IT team to understand vulnerabilities and tackle issues as they arise. It’s crucial to evaluate your level of protection and risk tolerance regularly to determine if and when new investments are appropriate.
Experienced Cyber Security Consultants in NJ & FL
Mindcore works with companies in various industries in New Jersey, Florida, and across the United States. Our team offers comprehensive cyber security services, including penetration testing, vulnerability assessments, and more. We are committed to helping you achieve the highest level of protection against unwanted threats. For answers to any questions you have or to schedule a consultation, please contact us today!
