Posted on Oct 6, 2021
Boards of Directors constantly need to be educated about and aware of their organizations’ cybersecurity posture. Regulations hold them responsible for decision-making and governance. Meanwhile, increased ransomware attacks pose a financial risk to their shareholders. To enhance the risk analysis, questions like these can provide visibility into the company’s strategy.
At a basic level, every organization should be assigning responsible parties to manage cybersecurity risk. As a director, you need to make sure that your organization assigns responsibility for the following activities:
Managing risk means ensuring appropriate accountability across the entire organization, as well as the cybersecurity detection and response process.
Threat detection requires an organization to recognize abnormal activity occurring in systems, networks, software, and devices. However, to detect abnormal activity your company needs to define normal or baseline activity first.
Some key baselines should include:
Each of these activities relates directly to cybersecurity risk. For example, if the security team knows that on average a system runs 100 processes between the hours of 8 am and 5 pm, then they can define the process count during that window that would indicate a malware infection.
Baselines exist as a way to determine abnormal activities. Your security team should set a risk-based tolerance around when an activity exceeds “normal.” For example, 150 processes running on a system may fall within a risk tolerance for various reasons, but 175 may be the number that sends an alert to the security analysts.
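The baseline-and-tolerance idea above, written out as an added illustration (not code from the original post or from SecurityScorecard). The hourly process counts are constructed sample data, and the thresholds are the article's own figures: a baseline around 100 processes, a tolerance of 150, and an alert level of 175.

```python
from statistics import mean, pstdev

# Business-hours window from the article: 8 am to 5 pm (hours 8 through 16).
BUSINESS_HOURS = range(8, 17)

# Constructed sample: one host's hourly process counts over five business days.
# These are illustrative values, not real telemetry.
_DAY = [96, 101, 104, 99, 100, 102, 98, 103, 97]
SAMPLES = [(hour, count) for _ in range(5) for hour, count in zip(BUSINESS_HOURS, _DAY)]


def build_baseline(samples):
    """Average and spread of process counts, using only in-window observations."""
    counts = [c for h, c in samples if h in BUSINESS_HOURS]
    return {"mean": mean(counts), "stdev": pstdev(counts)}


def classify(process_count, hour, tolerance=150, alert=175):
    """Map one observation to a status using the article's thresholds.

    At or below the tolerance the count is treated as normal variation; at or
    above the alert level it is escalated to the analysts. Counts in between
    are labelled "above-tolerance" here (an assumption: the article does not
    name that middle band) so they can be reviewed without paging anyone.
    Observations outside the baseline window get no verdict, because the
    baseline was only measured for business hours.
    """
    if hour not in BUSINESS_HOURS:
        return "outside-baseline"
    if process_count >= alert:
        return "alert"
    if process_count > tolerance:
        return "above-tolerance"
    return "normal"


def triage(observations, tolerance=150, alert=175):
    """Return only the observations that need analyst attention, as
    (hour, count, status) tuples, preserving input order."""
    flagged = []
    for hour, count in observations:
        status = classify(count, hour, tolerance, alert)
        if status in ("above-tolerance", "alert"):
            flagged.append((hour, count, status))
    return flagged


if __name__ == "__main__":
    print("baseline:", build_baseline(SAMPLES))
    print("flagged:", triage([(9, 120), (10, 160), (11, 180), (2, 300)]))
```

The two thresholds are parameters so the security team can tune the tolerance separately from the alert level as the baseline drifts.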
How “abnormal” is defined should relate to how well security teams can detect and respond to potential threats. Cybersecurity key performance indicators (KPIs) should align with how rapidly the security analysts can mitigate risk and eradicate threats.
When measuring the effectiveness of the security team’s detection and response processes, you need to know:
As you improve your cyber risk posture, your teams should be able to reduce the time it takes to complete these mission-critical tasks.
While detection and response are an important part of cybersecurity risk mitigation, they are not the only way that your organization measures its ability to manage security. Risk management also includes the preventive activities that stop threats before they ever trigger a detection alert in your environment.
Your Chief Information Security Officer (CISO) should also be able to give you metrics around the following:
While you should leave the security solution decisions to the experts, you need to understand the evaluation process. You need to understand what the tool does, why you need it, and how the CISO decided it was necessary.
This question is important for several reasons:
You don’t need to know all the technical specifications. You do need to understand what security gap existed that your CISO felt needed to be closed.
No cybersecurity problem has ever been fixed just by throwing money at it. If it were, most companies would never experience a data breach. To show that an addition to the security stack provides a return on investment, you need to know how the CISO and security team are evaluating its effectiveness.
Depending on the security solution’s purpose, you should look for answers to questions like:
Your incident response team is on the cybersecurity frontlines defending your organization every day. However, threat actors keep looking for new ways to bypass security controls or exploit vulnerabilities. To keep pace, your incident response team needs support and training.
You should be asking questions like:
Threat actors keep targeting supply chains because they have a high return on investment. If threat actors find a vulnerability in a vendor, they can attack all of that company’s customers. To mitigate this risk, you need to understand the third-party risk management process from start to finish.
Some questions that can help you gain visibility into the process include:
Depending on your organization’s structure, any number of different people could be responsible for managing third-party risk. However, you need to have at least one person designated as the “point of contact” to ensure appropriate accountability and responsibility.
There’s no “right” way to assign responsibility, but you do need to know the different parties who can be responsible. This can help you determine whether you have the right person in charge. For more informed decision making, you should consider whether the person chosen has the:
Modern business operations require collaboration. As organizations add more Software-as-a-Service (SaaS) applications to their IT stack, the lines between security, audit, and compliance become blurry. Today, IT and security are integral to compliance and audit outcomes. As industry standards organizations and legislative bodies add new privacy and security mandates, these three teams need to communicate effectively.
Some considerations that can give insight into whether your teams are collaborating well include:
At least annually, directors engage in a financial market analysis. These reviews show how well your organization’s revenue compares to others in your industry. As cybersecurity incidents increasingly impact companies’ financials, you need the same kind of visibility into how your organization’s cybersecurity posture compares to industry peers.
Some places to look for benchmarks include:
Employee cyber awareness training should be conducted at least annually. However, directors and senior leadership need to create a culture that prioritizes security awareness. You also need to provide auditors with training documentation as part of your compliance activities.
Some ways to create a cyber aware culture and assess employees include providing:
While the executive and security teams also need to be a part of the cyber awareness initiatives, they need continuous insight into changing security threats and regulatory trends as well. Additionally, they should be providing you with regular updates when changes in either of these landscapes impact the organization’s security or compliance posture.
Some questions to ask your teams include:
SecurityScorecard’s security ratings platform helps CISOs and directors communicate more effectively. Our security ratings use an easy-to-read A-F scale that shows the organization’s security strengths and weaknesses.
Our board reporting capabilities provide visibility into how security program initiatives align with business needs to help directors focus investments and mitigate risk. With our platform, your CISO can compare up to seven companies, providing insight into how your company’s security compares with industry peers.
At SecurityScorecard, we focus on bridging the language gap between technology leaders and business leaders to ensure a holistic approach to mitigating cybersecurity risk.