Assessing Cyber Risk: 13 Critical Questions for the Board
Boards of Directors constantly need to be educated about and aware of their organizations’ cybersecurity posture. Regulations hold them responsible for decision-making and governance. Meanwhile, increased ransomware attacks pose a financial risk to their shareholders. To enhance the risk analysis, questions like these can provide visibility into the company’s strategy.
How do we assign responsibility for managing our security risk?
At a basic level, every organization should be assigning responsible parties to manage cybersecurity risk. As a director, you need to make sure that your organization assigns responsibility for the following activities:
- Setting policy and practices
- Continuous monitoring
- Access request review and approval
- Access reviews
- Incident response
- Breach notification
- Crisis communications
Managing risk means ensuring appropriate accountability across the entire organization, as well as the cybersecurity detection and response process.
What is the process for establishing behavior baselines?
Threat detection requires an organization to recognize abnormal activity occurring in systems, networks, software, and devices. However, to detect abnormal activity your company needs to define normal or baseline activity first.
Some key baselines should include:
- Resource use
- Failed user logins
- Hardware availability
- Network availability
- Number of expected processes
- Times when devices or processes should be running
Each of these activities relates directly to cybersecurity risk. For example, if the security team knows that on average a system runs 100 processes between the hours of 8 am and 5 pm, then they can define a number of processes running during that time indicating malware infection.
How do we measure detection and response capabilities?
Baselines exist as a way to determine abnormal activities. Your security team should set a risk-based tolerance around when an activity exceeds “normal.” For example, 150 processes running on a system may fall within a risk tolerance for various reasons, but 175 may be the number that sends an alert to the security analysts.
Determining abnormal should relate to how well security teams can detect and respond to potential threats. Cybersecurity key performance indicators (KPIs) should align with how rapidly the security analysts can mitigate risk and eradicate threats.
When measuring the effectiveness of the security team’s detection and response processes, you need to know:
- Mean Time to Detect (MTTI)
- Mean Time to Investigate (MTTI)
- Mean Time to Contain (MTTC)
- Mean Time to Resolve (MTTR)
- Mean Time to Recover (MTTR)
As you improve your cyber risk posture, your teams should be able to reduce the time it takes to complete these mission-critical tasks.
How do we measure cyber risk management?
While detection and response are an important part of cybersecurity risk mitigation, they are not the only way that your organization measures its ability to manage security. Risk management includes all the different activities that prevent the alerts that indicate a threat has been detected in your environment.
Your Chief Information Security Officer (CISO) should also be able to give you metrics around the following:
- Intrusion attempts
- Unidentified devices detected on internal networks
- Number of users with privileged access
- Patching cadence
How do we evaluate security solutions?
While you should leave the security solution decisions to the experts, you need to understand the evaluation process. You need to understand what the tool does, why you need it, and how the person decided it was necessary.
This question is important for several reasons:
- Increased costs: Tools can have overlapping capabilities so you need to know what it does and what it adds to your security stack
- Supply chain attacks: Threat actors target security solutions so you need to understand the vendor’s security posture.
- Security gap: Tools should close security gaps so you need to know what risk the purchase mitigates.
You don’t need to know all the technical specifications. You do need to understand what security gap existed that your CISO felt needed to be closed.
How do we measure their effectiveness?
No cybersecurity problem has ever been fixed just by throwing money at it. If that was the case, then most companies would never experience a data breach. In order to prove that the addition to the security stack provides a return on investment, you need to know how the CISO and security team are evaluating its effectiveness.
Depending on the security solution’s purpose, you should look for answers to questions like:
- What improvements on cybersecurity KPIs did this provide?
- What reduction in alerts has this provided?
- How has this enhanced reporting capabilities?
- Is the security team receiving fewer false positives?
- What is the reduction in cost per incident?
How do we prepare the incident response team?
Your incident response team is on the cybersecurity frontlines defending your organization every day. However, threat actors keep looking for new ways to bypass security controls or exploit vulnerabilities. To keep pace, your incident response team needs support and training.
You should be asking questions like:
- How often do we run tabletop exercises?
- How do we fine-tune our security tools?
- Do they have the technology resources they need?
- Do we provide them adequate training?
How do we demonstrate due diligence when choosing third-party vendors?
Threat actors keep targeting supply chains because they have a high return on investment. If threat actors find a vulnerability in a vendor, they can attack all of that company’s customers. To mitigate this risk, you need to understand the third-party risk management process from start to finish.
Some questions that can help you gain visibility into the process include:
- Is the vendor a publicly held company? If so, do they have any cybersecurity issues in their public financial documentation?
- Did the vendor provide a self-assessment?
- Did you review independent third-party documentation that supports the self-assessment?
- When was the most recent penetration test and what were the results?
Have we assigned the right person to be responsible for managing third-party risk?
Depending on your organization’s structure, any number of different people could be responsible for managing third-party risk. However, you need to have at least one person designated as the “point of contact” to ensure appropriate accountability and responsibility.
There’s no “right” way to assign responsibility, but you do need to know the different parties who can be responsible. This can help you determine whether you have the right person in charge. For more informed decision making, you should consider whether the person chosen has the:
- Knowledge and experience to review security risk
- Access to data and documentation to continuously monitor risk
- Ability to review service level agreements (SLAs) for security-related contract language
- Visibility into operations to ensure compliance with SLAs
How do security, audit, and compliance communicate?
Modern business operations require collaboration. As organizations add more Software-as-a-Service (SaaS) applications to their IT stack, the lines between security, audit, and compliance become blurry. Today, IT and security are integral to compliance and audit outcomes. As industry standards organizations and legislative bodies add new privacy and security mandates, these three teams need to communicate effectively.
Some considerations that can give insight into whether your teams are collaborating well, include:
- Documentation completeness
- Number of audit findings
- Time spent gathering audit documentation
- Time spent responding to auditor questions
How does our cybersecurity posture compare to peers in the industry?
At least annually, directors engage in a financial market analysis. These reviews show how well your organization’s revenue compares to others in your industry. Increasingly, you need visibility into how well your security compares to your industry peers. As cybersecurity incidents increasingly impact companies’ financials, you need visibility into how your organization’s cybersecurity posture compares to industry peers, the same way you need to know how your financials compare.
Some places to look for benchmarks include:
- Cyber insurance market reports
- Industry trade organization reports
- Data breaches mentioned in the news
- Analyst reports
- Competitor 10K reports
How do we assess employee cyber awareness?
Employee cyber awareness training should be conducted at least annually. However, directors and senior leadership need to create a culture that prioritizes security awareness. You also need to provide auditors with training documentation as part of your compliance activities.
Some ways to create a cyber aware culture and assess employees include providing:
- Online courses
- Quizzes
- Phishing tests
- Security policies
- Regular updates on new security issues
How do security and executive leadership teams stay current on evolving security and regulatory trends?
While the executive and security teams also need to be a part of the cyber awareness initiatives, they need continuous insight into changing security threats and regulatory trends as well. Additionally, they should be providing you with regular updates when changes in either of these landscapes impacts the organization’s security or compliance posture.
Some questions to ask your teams include:
- Do we belong to our industry’s Information Sharing and Analysis Center (ISAC)?
- Do we have counsel tracking changes in privacy and cybersecurity laws?
- How are we monitoring updates to industry standards and cybersecurity frameworks?
- What threat intelligence feeds do we gather information from?
SecurityScorecard: Cyber risk reports for Boards of Directors
SecurityScorecard’s security ratings platform helps CISOs and directors communicate more effectively. Our security ratings use an easy-to-read A-F scale that shows the organization’s security strengths and weaknesses.
Our board reporting capabilities provide visibility into how security program initiatives align with business needs to help directors focus investments and mitigate risk. With our platform, your CISO can compare up to seven companies, providing insight into how your company’s security compares with industry peers.
At SecurityScorecard, we focus on bridging the language gap between technology leaders and business leaders to ensure a holistic approach to mitigating cybersecurity risk.