Unlock the insights into boardroom discussions as we uncover the 5 pivotal security questions that forward-thinking boards are poised to bring to the forefront.
Remember: they're primed to delve deeper than the basics.
Boards are now better equipped to engage in comprehensive discussions with security and risk management leaders, reflecting their increased awareness and readiness to scrutinize their organizations' security strategies. This enhanced acumen is a response to the imperative of pursuing digital aspirations amidst the escalating cybersecurity risks faced by remote teams.
As a result of this heightened sophistication, the era of rudimentary queries such as 'How secure are we?' or 'Why the need for increased security funding after last year's approval?' is gradually waning. Instead, boards are poised to delve into more intricate and pointed investigations, reflecting their commitment to a deeper understanding of the security landscape.
"Security and risk management leaders often struggle to respond to board questions that are shaped by media reports, which leads to a breakdown of trust between business leaders and technology leaders," as noted by Sam Olyaei, Director Analyst at Gartner.
It becomes the responsibility of the organization to craft responses that guide conversations towards instilling confidence, ensuring compliance, and fostering a supportive environment for security initiatives. Amidst diverse individual interests and considerations, boards share a collective concern that can be distilled into three pivotal areas of focus:
1. Revenue/Mission: Aligning with operational or non-operational financial gains and amplifying non-revenue mission-driven objectives.
2. Cost: Emphasizing anticipation of future cost reduction and immediate minimization of operating expenditures.
3. Risk: Encompassing financial, market, regulatory compliance and security, innovation, as well as safeguarding brand and reputation.
In light of these core concerns, board inquiries can be organized into five distinct categories.
1. The Incident Opener
What it may sound like: How did this come about? I thought we had it managed? Where did things take a wrong turn?
Why it’s posed: These inquiries emerge when a significant incident or occurrence has transpired, and the board is either already aware of it or the chief information security officer (CISO) is providing them with information. This is particularly pertinent at present, with boards potentially seeking answers pertaining to fortifying the organization's security, given the considerable number of employees working remotely. Similar queries might arise concerning any incident, including breaches of data that could have had an impact on the organization overall.
How to reply: Accept that incidents, regardless of their nature, are unavoidable; hence, focus on the truth. Communicate the extent of your current knowledge and your ongoing efforts to uncover any missing pieces. In essence, acknowledge the incident, furnish particulars concerning its impact on the business, elucidate vulnerabilities or deficiencies that require resolution, and present a plan for mitigating the situation.
Exercise caution against favoring a single option as the ultimate solution in the board's presence. While the security leader retains the responsibility for overseeing security and risk, accountability must always be clearly established at the board or executive level.
A formal incident reporting plan is what answers these questions.
Check it out: Incident Reporting Guide by SEC
2. The Trade-off
What it may sound like: Are we completely secure? Are you confident?
Why it’s posed: These types of inquiries are frequently posed by board members who lack a full grasp of security and its implications for the organization. Achieving complete and absolute security is an unattainable goal. Your responsibility involves identifying the most critical areas of risk and allocating available resources to address them in alignment with the organization's risk tolerance.
How to reply: Given the dynamic evolution of the threat landscape, it's not feasible to eradicate all potential information risks. My task involves establishing measures to effectively control and mitigate these risks. As our organization expands, we must consistently evaluate the level of risk that aligns with our growth. Our objective is to establish a resilient program that strikes a harmonious equilibrium between safeguarding our operations and facilitating our business endeavors.
Want to be sure?
Check it out: How to implement a Zero-Trust Architecture
3. The Landscape Query
What it may sound like: What's the current state of the threat landscape? How does it compare to the incident at X company? How does our performance stack up against others?
Why it’s posed: Board members come across threat reports, articles, blogs, and regulatory demands to comprehend risks. They consistently inquire about the actions of other entities, particularly peer organizations. They seek insights into the prevailing conditions and how their situation measures up against others.
How to reply: Refrain from speculating on the cause of a security problem at another company by stating, "I prefer not to speculate on the incident at Company X until additional information becomes accessible. However, I'm prepared to provide further details once I have more insights." Instead, consider addressing a range of comprehensive security measures, such as identifying a similar vulnerability and discussing enhancements to business continuity strategies.
Check out one of the biggest breaches of 2023: IBM Breach 2023
4. The Risks
What it may sound like: Are we aware of the risks? Which ones concern you particularly?
Why it’s posed: The board understands that embracing risk involves a decision (if not, that's a matter to address). They seek assurance that the company's risks are being managed, and you should be ready to clarify the organization's willingness to tolerate risk in order to justify risk management choices.
How to reply: Clearly outline how risk management decisions impact the business and substantiate your viewpoints with substantiated facts. The latter aspect is crucial since boards determine their choices guided by risk tolerance. Risks surpassing the tolerance level demand rectification to ensure they are mitigated. However, this doesn't necessarily entail abrupt, drastic changes in a short span, so exercise caution against overly reactive responses.
The board desires confirmation that you are effectively addressing significant risks, and recognizes that in certain cases, nuanced, gradual strategies may be suitable. Keep in mind that the board holds responsibility for overall enterprise risk, of which cyber risk constitutes a significant, though not exclusive, aspect. Strive for concise, direct responses. Lack of control and impending threats are not considered risks. Instead, emphasize prominent factors under your control, such as intellectual property loss, regulatory adherence, and third-party risk.
Want to handle this with a robust framework? Check it out: NIST Cyber Security Framework 2.0 2023
5. Performance Analysis
What it may sound like: Is our resource allocation adequate? Is our expenditure sufficient? What's the rationale behind our expenditure?
Why it’s posed: The board seeks confidence that security and risk management leaders are proactive, and it focuses on metrics and return on investment (ROI).
How to reply: Implement a well-balanced scorecard strategy employing a straightforward traffic-light system. The primary layer should convey business goals and the organization's performance in relation to those goals. Strive to articulate aspirations based on business performance rather than just technology. Performance relies on a range of security metrics assessed through a defined set of objective standards.
Want a detailed analysis of your cyber security architecture? How much do you spend? Do you really need more or less?