Boards of directors are paying increasing attention to IT security, and for good reason: directors may personally be on the hook for liability should there be a data breach or major business disruption.

So CISOs should be prepared to face tough questions. A recent column by Christophe Veltsos, associate professor in the department of computer information science at Minnesota State University, outlined what boards should be looking for. Although it is aimed at directors (and board members reading this piece should take note as well), CISOs should keep in mind that questions like these are what they may run into:

  • Are profit-generating assets adequately secured?
  • How well-protected is high-value information?
  • Is the organization’s cybersecurity strategy aligned with its business objectives?
  • How is the effectiveness of the cybersecurity program measured?
  • Is the organization spending appropriately on security priorities?
  • Would the organization be able to detect a breach?
  • Does the cybersecurity area have access to adequate resources?
  • How does the organization’s security program compare to that of its peers?

Veltsos quotes a security publication advising directors to look at cyber risks “with a vigorous, skeptical, intelligent and methodical inquiry.” CISOs have been warned.

Read the full column here.