Are you all set to brief your board on your organization's cyber risk? If so, you need to know how to respond to the security questions a board is most likely to ask.
According to Gartner, 100% of large enterprises will be asked to report to their board of directors on the risks and vulnerabilities in their technology and business. As technologies keep evolving and being upgraded, securing its cyberspace has become essential for any company that operates on digital platforms.
Here is a brief guide to answering five unavoidable questions a board will ask you:
Is our business 100% secure? Can you say it with surety?
“Are we secure?” is one of the most common questions any board asks its Chief Information Security Officer (CISO). Most of the time, it is followed by the confirmation question “Are you sure?”.
CISOs are cyber experts, and they know that this question cannot be answered with a one-word ‘Yes’ or ‘No.’
The key to answering it lies in understanding how aware the board members are of cybersecurity. Do your research on how much they already know. Was a direct competitor breached recently? Is a new board member raising the question? Or is the board looking to upgrade the organization's security posture?
Understanding the relevant context will help you determine the right metrics to deliver.
Especially for new board members, it is crucial to talk about security as a journey: where the organization is today and where you would like it to go. It is also essential to make clear that there is no such thing as bulletproof security.
How bad is it out there? What about what happened at Acme Corporation? What is our cyber condition?
Most board members are extensive readers. They come across threat reports, blogs, articles, and regulatory pressures, and use them to understand the risks. They also make a habit of learning what competitors, especially peer organizations, are doing.
When asked such questions, avoid guessing at the root cause of a security issue at a different company. Instead, answer diligently: “I won't speculate on the incident at Acme Corporation until more information is available. I'll be happy to follow up when I know more.” Then steer the discussion to broader security responses, such as how you identify similar weaknesses in your own organization and how they would be fixed.
Do we know what our risks are? What keeps you up at night?
The board needs assurance that all of the company's cyber-related risks are being handled. Likewise, CISOs must be prepared to explain the organization's risk tolerance in order to defend their risk management decisions.
Describe the business impact of your risk management decisions and make sure your positions are supported by evidence. The second part is essential because boards make decisions based on risk tolerance: any risk outside the tolerance level requires a remediation plan to bring it back within tolerance.
The board will be looking for assurance that material risks are being satisfactorily managed, and that subtle, long-term strategies may be appropriate in some situations.
Are we judiciously allocating resources? Is our investment correctly aligned? Why are we spending so much?
Every board member wants reassurance that the organization's risk and security leaders are not standing still. They want to see metrics and return on investment (ROI).
When answering this question, use a ‘balanced scorecard’ approach, in which the top layer expresses your aspirations for the business and the organization's performance against them. Explain the goals in terms of how the company is performing rather than in terms of technology.
How did this happen? I thought you had this under control? What went wrong?
If the company has suffered a cyber attack, you will be answerable to the board for what happened, how, and why.
An incident is inevitable, so be genuine. Share what you are doing to find out what happened. Be clear, acknowledge the event, provide details of the business impact, outline the flaws or gaps that need to be addressed, and offer a mitigation strategy.
These are the five security questions you must be ready to answer when briefing the board on cyber risk. We hope you will remember these suggestions and apply them when the situation arises.
Till next time, be secured...