12 Essential Cybersecurity Questions Every Board Member Should Ask
Introduction
As a board member of a publicly traded tech company, your role in overseeing cybersecurity risks is crucial. This guide presents 12 critical questions to ask about cybersecurity, providing rationale, key considerations, sample responses, and real-world incidents to highlight their importance. By asking these questions, you'll ensure that your company is proactively addressing cybersecurity risks and fostering a culture of security awareness.
1. What is our current cybersecurity risk profile?
Question: Can you provide an overview of our current cybersecurity risk profile and how it aligns with our risk appetite?
Rationale: Understanding the company's cybersecurity risk profile is fundamental to effective oversight. It allows the board to assess whether the current security posture aligns with the organization's risk tolerance and strategic objectives.
Key Considerations:
Sample Good Response: "We conduct quarterly risk assessments using the NIST Cybersecurity Framework. Our current risk profile shows moderate risk in data protection and low risk in network security. We've identified high-risk areas in our supply chain and are implementing additional controls. Our overall risk posture aligns with our defined risk appetite, but we're continuously working to reduce risks in identified areas."
Sample Bad Response: "We don't have a formal risk profile. Our IT team handles security, and we haven't had any major incidents, so we assume our risks are low."
Real World Incident: The 2017 Equifax breach, which exposed sensitive data of 147 million people, was partly due to the company's failure to maintain an up-to-date risk profile and address known vulnerabilities promptly.
2. How do we measure the effectiveness of our cybersecurity program?
Question: What metrics and key performance indicators (KPIs) do we use to measure the effectiveness of our cybersecurity program, and how do they align with our business objectives?
Rationale: Measurable metrics are essential for evaluating the performance of the cybersecurity program and ensuring it supports business goals. This question helps the board understand if the right indicators are being tracked and if they provide meaningful insights.
Key Considerations:
Sample Good Response: "We use a balanced scorecard approach with metrics aligned to the NIST Cybersecurity Framework. Key metrics include mean time to detect (MTTD) and respond (MTTR) to incidents, percentage of assets with up-to-date patches, and employee security training completion rates. These are reviewed monthly by the CISO and quarterly by the board. We also track the reduction in our cyber insurance premiums as a business-aligned metric."
Sample Bad Response: "We mainly look at the number of blocked attacks by our firewall and consider our program effective if this number is high."
Real World Incident: The 2013 Target data breach, which affected 41 million consumers, highlighted the importance of effective metrics. Despite having advanced security tools, Target failed to respond to alerts promptly, indicating a lack of effective monitoring and response metrics.
3. How are we addressing the human element in cybersecurity?
Question: What strategies do we have in place to address the human element in cybersecurity, including employee training, awareness programs, and fostering a security-conscious culture?
Rationale: Human error remains one of the leading causes of cybersecurity incidents. This question ensures that the board is aware of efforts to mitigate risks associated with human behavior and to cultivate a security-minded organizational culture.
Key Considerations:
Sample Good Response: "We have a comprehensive security awareness program that includes monthly phishing simulations, role-based training modules, and a gamified learning platform. We measure effectiveness through reduction in click rates on phishing tests, increase in reported suspicious emails, and improvements in our annual security culture survey. We also have a 'security champion' program in each department to promote best practices."
Sample Bad Response: "We send out an annual email reminding employees about password security and have posters about cybersecurity in the break room."
Real World Incident: The 2015 U.S. Office of Personnel Management (OPM) breach, which exposed personal data of 21.5 million individuals, was initiated through a phishing attack that compromised a third-party contractor's credentials, highlighting the critical importance of comprehensive security awareness training.
4. How are we managing third-party and supply chain cybersecurity risks?
Question: What processes do we have in place to assess, monitor, and mitigate cybersecurity risks associated with our third-party vendors and supply chain?
Rationale: Third-party risks are increasingly significant as companies rely more on external vendors and complex supply chains. This question ensures the board understands how these risks are being managed and integrated into the overall risk management strategy.
Key Considerations:
Sample Good Response: "We have a dedicated third-party risk management program. All vendors undergo a rigorous security assessment before onboarding, with annual reassessments for critical vendors. We use a combination of questionnaires, document reviews, and on-site audits. Our contracts include specific security requirements and right-to-audit clauses. We also use continuous monitoring tools to track the security posture of key vendors in real-time."
Sample Bad Response: "We trust our vendors to handle security on their own. We don't really have visibility into their practices."
Real World Incident: The 2013 Target breach, mentioned earlier, was actually initiated through a third-party HVAC vendor, underscoring the importance of robust third-party risk management.
5. How are we staying ahead of evolving threats and technologies?
Question: What processes do we have in place to stay informed about emerging cybersecurity threats and technologies, and how do we adapt our strategies accordingly?
Rationale: The cybersecurity landscape is constantly evolving. This question ensures that the company is proactively identifying and addressing new threats and leveraging new technologies to enhance its security posture.
Key Considerations:
Sample Good Response: "We have a dedicated threat intelligence team that monitors global threat landscapes and participates in industry-specific information sharing forums. Our CISO presents a quarterly briefing on emerging threats and our response strategies. We have an innovation budget for piloting new security technologies and a formal process for evaluating and implementing them. Additionally, we conduct annual red team exercises to test our defenses against the latest attack techniques."
Sample Bad Response: "We rely on our antivirus software to keep us updated on new threats. We upgrade our systems when the IT budget allows."
Real World Incident: The rapid spread of the WannaCry ransomware in 2017, which affected over 200,000 computers across 150 countries, highlighted the importance of staying current with threat intelligence and promptly applying security updates.
6. What is our incident response and business continuity plan?
Question: Can you outline our incident response and business continuity plan? How often is it tested and updated?
Rationale: A well-prepared and regularly tested incident response plan is crucial for minimizing the impact of a cybersecurity incident. This question ensures that the company is prepared to respond effectively to various cyber incidents and maintain business operations.
Key Considerations:
Sample Good Response: "We have a comprehensive incident response plan that covers various scenarios including data breaches, ransomware attacks, and DDoS incidents. The plan is tested quarterly through tabletop exercises and annually through a full-scale simulation. It clearly defines roles and responsibilities, including board involvement for high-severity incidents. After each test or actual incident, we conduct a thorough review and update the plan accordingly. Our business continuity plan is integrated with our incident response plan and includes strategies for maintaining critical operations during prolonged disruptions."
Sample Bad Response: "We have a general disaster recovery plan that the IT team manages. We haven't had to use it yet, so we're not sure how effective it is."
Real World Incident: The 2017 Equifax breach response was widely criticized for its lack of preparedness and poor communication, highlighting the importance of a well-prepared and tested incident response plan.
7. How are we addressing cloud security and data protection?
Question: What strategies do we have in place to ensure the security of our cloud infrastructure and protect sensitive data, both in transit and at rest?
Rationale: As companies increasingly move to cloud-based services and face stricter data protection regulations, it's crucial to have robust cloud security and data protection measures in place. This question helps the board understand how these critical areas are being addressed.
Key Considerations:
Sample Good Response: "We have a cloud-first security strategy that includes a multi-layered approach. We use strong encryption for data in transit and at rest, implement strict access controls with multi-factor authentication, and regularly audit our cloud configurations. We have a dedicated team that manages our cloud security posture and works closely with our cloud providers to understand and fulfill our responsibilities in the shared security model. For data protection, we have implemented data loss prevention tools, conduct regular data classification exercises, and have a comprehensive data governance program to ensure compliance with relevant regulations."
Sample Bad Response: "We use a reputable cloud provider, so we assume they take care of security. We don't really have visibility into how our data is protected in the cloud."
Real World Incident: The 2019 Capital One breach, which exposed personal information of over 100 million individuals, was due to a misconfigured web application firewall in their cloud environment, emphasizing the importance of proper cloud security management.
8. How do we ensure the security of our software development lifecycle?
Question: What processes do we have in place to ensure security is integrated throughout our software development lifecycle (SDLC)?
Rationale: For tech companies, secure software development is crucial to prevent vulnerabilities that could lead to breaches or compromise product integrity. This question helps the board understand how security is being built into the development process from the ground up.
Key Considerations:
Sample Good Response: "Security is integrated at every stage of our SDLC. We use a DevSecOps approach with automated security testing tools integrated into our CI/CD pipeline. All developers undergo annual secure coding training, and we have security champions in each development team. We conduct regular code reviews, static and dynamic application security testing, and penetration testing before major releases. We also have a public bug bounty program and a vulnerability disclosure policy to encourage responsible reporting of security issues. Our product security team works closely with development teams to promptly address any identified vulnerabilities."
Sample Bad Response: "Our developers are skilled professionals, so we trust them to write secure code. We do a security check before releasing products to production."
Real World Incident: The 2017 Equifax breach was caused by a vulnerability in the Apache Struts framework that wasn't patched promptly, highlighting the importance of secure development practices and timely vulnerability management.
9. How are we managing IoT and operational technology security risks?
Question: What strategies do we have in place to address security risks associated with Internet of Things (IoT) devices and operational technology (OT) in our environment?
Rationale: As IoT devices proliferate and IT/OT convergence increases, these areas present unique security challenges. This question ensures the board is aware of how these risks are being managed, especially in industries where OT plays a critical role.
Key Considerations:
Sample Good Response: "We have a comprehensive IoT and OT security program. We maintain a real-time inventory of all IoT devices and OT systems using automated discovery tools. These systems are segmented from our corporate network and monitored by our security operations center. We have implemented specific security policies for IoT/OT, including strict access controls, regular firmware updates, and network-level protections. For critical OT systems, we conduct annual security assessments and have incident response plans tailored to OT environments. We also work closely with our OT vendors to ensure security is built into their products and that vulnerabilities are promptly addressed."
Sample Bad Response: "We don't really distinguish between IoT/OT and regular IT systems. They're all on the same network and managed the same way."
Real World Incident: The 2015 Ukraine power grid cyberattack, which caused widespread power outages, demonstrated the potential impact of OT security breaches and the importance of securing critical infrastructure.
10. How are we addressing insider threats?
Question: What measures do we have in place to detect, prevent, and mitigate insider threats, both malicious and unintentional?
Rationale: Insider threats, whether intentional or accidental, pose a significant risk to organizations. This question ensures the board understands how the company is managing access to sensitive data and systems, and monitoring for suspicious internal activities.
Key Considerations:
Sample Good Response: "We have a multi-faceted approach to insider threat management. This includes strict access controls based on the principle of least privilege, regular access reviews, and privileged access management solutions. We use User and Entity Behavior Analytics (UEBA) to detect anomalous behavior patterns. Our data loss prevention (DLP) system monitors for unauthorized data transfers. We also have a robust employee offboarding process to ensure prompt revocation of access. Additionally, we have an insider threat awareness program as part of our overall security training, and we've established an ethics hotline for reporting suspicious behavior. All these measures are implemented with due consideration for employee privacy, in consultation with our legal and HR departments."
Sample Bad Response: "We trust our employees and don't believe in monitoring their activities. We haven't had any insider problems, so we don't see it as a major risk."
Real World Incident: The 2019 Capital One breach, while initiated externally, was facilitated by a former employee who exploited their knowledge of the company's cloud infrastructure, highlighting the potential impact of insider threats and the importance of proper access management.
11. How are we preparing for quantum computing threats?
Question: What steps are we taking to prepare for the potential cybersecurity threats posed by quantum computing, particularly in terms of our cryptographic systems?
Rationale: While large-scale quantum computers are not yet a reality, their potential to break many current cryptographic systems poses a significant future threat. This question ensures the board is thinking ahead about long-term cybersecurity risks and preparedness.
Key Considerations:
Sample Good Response: "We've established a quantum readiness taskforce led by our CISO and CTO. We've conducted an inventory of all systems and data that rely on current public-key cryptography, which is most vulnerable to quantum attacks. We're actively monitoring the development of post-quantum cryptography standards by NIST and other bodies. We've begun testing post-quantum algorithms in non-critical systems and are developing a roadmap for transitioning our critical systems to quantum-resistant algorithms over the next 5-10 years. We're also ensuring that any new systems we implement are 'crypto-agile,' meaning they can easily switch to new algorithms when needed."
Sample Bad Response: "Quantum computing is still theoretical and far off. We'll worry about it when it becomes a real threat."
Real World Incident: While there haven't been quantum computing attacks yet, the "harvest now, decrypt later" threat is real. Nation-state actors are suspected of collecting encrypted data now with the intention of decrypting it once quantum computers become available, potentially exposing long-term secrets.
12. How do we ensure cybersecurity is considered in our mergers and acquisitions (M&A) process?
Question: What steps do we take to assess and mitigate cybersecurity risks during mergers and acquisitions?
Rationale: M&A activities can introduce significant cybersecurity risks if not properly managed. This question ensures that cybersecurity due diligence is an integral part of the M&A process, helping to identify potential vulnerabilities, compliance issues, or security gaps in the target company.
Key Considerations:
Sample Good Response: "Cybersecurity is a critical component of our M&A due diligence process. We have a dedicated team that conducts a comprehensive cybersecurity assessment of target companies, including vulnerability scans, policy reviews, and compliance checks. This assessment covers network security, data protection practices, incident response capabilities, and accumulated security debt. Post-acquisition, we have a detailed integration plan that includes bringing the acquired company's security posture up to our standards within a specified timeframe. We also conduct a thorough audit of the combined entity's security posture once integration is complete."
Sample Bad Response: "We focus on financial and operational aspects during M&A. We assume the IT teams will handle any technical integration issues after the deal is done."
Real World Incident: The 2017 Verizon acquisition of Yahoo was significantly impacted by the discovery of major data breaches at Yahoo during the due diligence process. This led to a $350 million reduction in the acquisition price and highlighted the importance of cybersecurity considerations in M&A activities.
Conclusion
As a board member, asking these 12 essential cybersecurity questions demonstrates your commitment to effective risk oversight and helps foster a culture of security awareness throughout the organization. By regularly engaging with these topics, you ensure that cybersecurity remains a strategic priority and that the company is well-positioned to address evolving threats.
Remember that cybersecurity is not just an IT issue, but a critical business risk that requires ongoing attention and investment. Your role in asking these questions and driving discussions around cybersecurity is crucial in safeguarding the company's assets, reputation, and long-term success.
As cyber threats continue to evolve, it's important to revisit and update these questions regularly. Stay informed about emerging risks and best practices, and don't hesitate to seek external expertise when needed. By maintaining a proactive stance on cybersecurity governance, you contribute significantly to the resilience and security posture of your organization.
#enterpriseriskguy
Muema Lombe provides risk management for high-growth technology companies, with over 10,000 hours of specialized expertise in navigating the complex risk landscapes of pre- and post-IPO unicorns. His new book, “The Ultimate Startup Dictionary: Demystify Complex Startup Terms and Communicate Like a Pro — For Founders, Entrepreneurs, Angel Investors, and Venture Capitalists” is out now.