Cybersecurity Across The Board - 5 Cybersecurity Questions Board Members Should Be Asking

Cybersecurity is truly an organization-wide concern. CyberNINES has recently posted about C-level involvement in cybersecurity, as well as how a business’s physical and cybersecurity needs are becoming one and the same. Now a recent SEC ruling has shed light on the need for an organization’s board members to step up their cyber awareness—wise advice not just in regard to the SEC, but to any regulatory framework and to business operations in general.

According to a recent Cybersecurity Dive post, despite the growing risk and increased consequences of cyberattacks, the board members of businesses and nonprofit organizations are often undertrained in cybersecurity. This means the board is less likely to challenge management on questions of cyber issues, as opposed to financial or other areas with which they might be more familiar, and they don’t have the knowledge to assess the company’s cybersecurity performance. They don’t ask the hard questions, because they don’t know the questions to ask.

In order to be more effective cybersecurity stewards, board members should invest in—and set aside funds for—ongoing cyber awareness training, for the board and throughout the organization. The post also recommends greater interaction between business leadership and the chief information security officers (CISO). And just as board members need a greater understanding of cybersecurity, CISOs need a greater understanding of business and risk management; they need to be able to communicate security risks in terms that nontechnical business leaders can understand and act on.

Forbes recommends that boards consider the following questions:

• How does the organization handle cybersecurity board reporting? Many boards already include this to some extent, but is it frequent enough? Does it give them a good understanding of the organization’s risk profile? Are they getting the right information to help them guide the organization’s cyber strategy?
• How does the organization handle cybersecurity training? The majority of security breaches are caused by human error, but training team members to recognize phishing attempts and other malicious attacks can help prevent this. And as mentioned above, investing in training for the board members themselves can help them better guide the organization and make effective decisions regarding cybersecurity.
• How can the organization test their cybersecurity preparedness? Practice makes perfect and helps to ensure that the correct policies and procedures are in place if an incident should occur. (CyberNINES offers services, such as our Tabletop Exercise, to help with this.)
• Does the board need to include a cybersecurity expert, such as a CISO? Not all organizations do this, but many find it beneficial. At the very least, as mentioned above, regular communication between the head of cybersecurity and the board is essential.
• How much should the organization invest in cybersecurity? Is the cybersecurity budget sufficient for the organization, and what are the financial impacts if they don’t invest enough?