Six cyber security questions a board should ask the CISO

The answer to the question ‘Who is responsible for cyber security in an organization?’ is debatable. It ranges from

– everyone, because it can touch every member of the enterprise;

– the CISO or equivalent, who oversees the implementation of corporate strategy;

– the CEO, who hires the infosec leader;

– or the board of directors, which sets the tone for the organization and the risk strategy.

Most experts say it lies with the board, which means the directors should be asking pointed questions of the C-suite. In a column this week, Ted Pretty, CEO of data discovery maker Covata, suggests six.

1– Which threats does the organization face?

2– What motivates the attackers?

3– What would the impact of a breach be?

4– How likely is a breach?

5– What’s our current level of risk?

6– How do we reduce that level?

Let’s take a few of these:

Considering the number of incidents network administrators face every day (an incident being defined as everything from a probe to spam to an actual bypass of defences), infosec pros can answer the first question with, ‘Every cyber threat known to mankind.’ That isn’t what the board needs to hear. It should want to know, realistically, who might have the company in its sights. Criminals after personal information? Competitors or nation states after intellectual property? Activists who don’t like the company’s stand on an issue or the country where it does business?

The impact of a breach can be difficult to calculate. There are a number of reports from firms ranging from the Ponemon Institute to security vendors to industry analysts. All are valuable, if not quite precise. The cost to a company’s reputation is also a variable. What the board wants to hear from all of this is a reasonable, defensible calculation.

Arguably, the most important thing for the board to know is the current level of risk, which can only be determined by scoring the organization’s security maturity, and that is no small task.

Bottom line: As an infosec leader, are you prepared now to answer these questions?

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]