Tuesday, June 22, 2021

Six cyber security questions a board should ask the CISO

The answer to the question ‘Who is responsible for cyber security in an organization?’ is debatable. It ranges from

– everyone, because it can touch every member of the enterprise;

– the CISO or equivalent, who oversees the implementation of corporate strategy;

– the CEO, who hires the infosec leader;

– or the board of directors, which sets the tone for the organization and the risk strategy.

Most experts say it lies with the board. That means the directors should be asking pointed questions of the C-suite. In a column this week, Ted Pretty, CEO of data discovery maker Covata, suggests six.

1 – Which threats does the organization face?

2 – What motivates the attackers?

3 – What would the impact of a breach be?

4 – How likely is a breach?

5 – What’s our current level of risk?

6 – How do we reduce that level?

Let’s take a few of these:

Considering the number of incidents network administrators face every day (an incident being defined as everything from a probe to spam to an actual bypass of defences), infosec pros can answer the first question with, ‘Every cyber threat known to mankind.’ That isn’t what the board needs to hear. It should want to know realistically who might have the company in its sights. Criminals after personal information? Competitors or nation states after intellectual property? Activists who don’t like the company’s stand on an issue or the country where it does business?

The impact of a breach can be difficult to calculate. There are a number of reports from firms ranging from the Ponemon Institute to security vendors to industry analysts. All are valuable, if not quite precise. The cost to a company’s reputation is also a variable. What the board wants to hear from all of this is a reasonable, defensible calculation.

Arguably, the most important thing for the board to know is the current level of risk, which can only be determined by scoring the organization’s security maturity, no small task.

Bottom line: As an infosec leader are you prepared now to answer these questions?

Read the full column here

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com