BLOG

Assessing Cyber Risk: 13 Critical Questions for the Board

10/06/2021

Boards of Directors constantly need to be educated about and aware of their organizations’ cybersecurity posture. Regulations hold them responsible for decision-making and governance. Meanwhile, increased ransomware attacks pose a financial risk to their shareholders. To enhance the risk analysis, questions like these can provide visibility into the company’s strategy.

How do we assign responsibility for managing our security risk?

At a basic level, every organization should be assigning responsible parties to manage cybersecurity risk. As a director, you need to make sure that your organization assigns responsibility for the following activities:

  • Setting policy and practices
  • Continuous monitoring
  • Access request review and approval
  • Access reviews
  • Incident response
  • Breach notification
  • Crisis communications

Managing risk means ensuring appropriate accountability across the entire organization, as well as the cybersecurity detection and response process.

What is the process for establishing behavior baselines?

Threat detection requires an organization to recognize abnormal activity occurring in systems, networks, software, and devices. However, to detect abnormal activity your company needs to define normal or baseline activity first.

Some key baselines should include:

  • Resource use
  • Failed user logins
  • Hardware availability
  • Network availability
  • Number of expected processes
  • Times when devices or processes should be running

Each of these baselines relates directly to cybersecurity risk. For example, if the security team knows that on average a system runs 100 processes between the hours of 8 am and 5 pm, then they can define the number of running processes during that window above which a malware infection is likely.

How do we measure detection and response capabilities?

Baselines exist as a way to determine abnormal activities. Your security team should set a risk-based tolerance around when an activity exceeds “normal.” For example, 150 processes running on a system may fall within a risk tolerance for various reasons, but 175 may be the number that sends an alert to the security analysts.

How "abnormal" is defined should relate to how well security teams can detect and respond to potential threats. Cybersecurity key performance indicators (KPIs) should align with how rapidly the security analysts can mitigate risk and eradicate threats.
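The baseline-then-tolerance idea above, written out as an added example (not SecurityScorecard's code). It learns "normal" only from the 8 am to 5 pm window the post describes, derives the tolerance and alert thresholds from that mean using risk-appetite factors that reproduce the post's 100 / 150 / 175 numbers, and classifies constructed readings; the factors, the hourly sample format and the host data are all assumptions.

```python
"""Baseline-and-tolerance alerting for running-process counts.

Added example, not code from the post. All readings are constructed.
Assumption: hourly (timestamp, process_count) readings from one host, with
"normal" learned from the 08:00-17:00 business window only.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

BUSINESS_START, BUSINESS_END = 8, 17  # 8 am to 5 pm, end exclusive


@dataclass(frozen=True)
class Baseline:
    mean_processes: float
    tolerance: int  # up to this many processes is still "normal"
    alert: int      # this many or more pages the analysts


def in_window(ts: datetime) -> bool:
    return BUSINESS_START <= ts.hour < BUSINESS_END


def build_baseline(samples, tolerance_factor=1.5, alert_factor=1.75) -> Baseline:
    """Learn "normal" from in-window samples, then set a risk-based tolerance
    above it. With a mean of 100 the defaults give tolerance 150 and alert 175,
    matching the post; the factors express risk appetite and are an assumption."""
    counts = [c for ts, c in samples if in_window(ts)]
    if not counts:
        raise ValueError("no in-window samples to baseline from")
    mu = mean(counts)
    return Baseline(mu, round(mu * tolerance_factor), round(mu * alert_factor))


def classify(baseline: Baseline, ts: datetime, count: int) -> str:
    """Map one reading to normal / watch / alert. Off-window readings are not
    judged against the business-hours baseline: "when processes should be
    running" is a separate baseline in the post's list and needs its own model."""
    if not in_window(ts):
        return "off-hours"
    if count >= baseline.alert:
        return "alert"
    if count > baseline.tolerance:
        return "watch"
    return "normal"


def triage(baseline: Baseline, readings):
    return [(ts.isoformat(timespec="hours"), c, classify(baseline, ts, c))
            for ts, c in readings]


# Constructed learning week: daytime counts vary around 100, nights sit near 40.
OFFSETS = [-4, -2, 0, 2, 4, 3, 1, -1, -3]  # one per business hour, sums to zero
LEARNING = [
    (datetime(2021, 10, 4 + d, h),
     (100 + OFFSETS[h - BUSINESS_START]) if BUSINESS_START <= h < BUSINESS_END else 40)
    for d in range(5) for h in range(24)
]
BASELINE = build_baseline(LEARNING)  # mean 100 -> tolerance 150, alert 175

# Constructed readings from the monitored day: quiet, creeping, spiking, and after hours.
OBSERVED = [
    (datetime(2021, 10, 11, 9), 104),
    (datetime(2021, 10, 11, 13), 160),
    (datetime(2021, 10, 11, 15), 180),
    (datetime(2021, 10, 11, 22), 45),
]

if __name__ == "__main__":
    for row in triage(BASELINE, OBSERVED):
        print(*row)
```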

When measuring the effectiveness of the security team’s detection and response processes, you need to know:

  • Mean Time to Detect (MTTD)
  • Mean Time to Investigate (MTTI)
  • Mean Time to Contain (MTTC)
  • Mean Time to Resolve (MTTR)
  • Mean Time to Recover (MTTR)

As you improve your cyber risk posture, your teams should be able to reduce the time it takes to complete these mission-critical tasks.
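The five metrics above, computed from incident timelines and compared across two reporting periods, as an added example (not SecurityScorecard's code). The incident records are constructed, and each KPI is assumed to measure the mean hours elapsed since the previous milestone, over incidents that have fully recovered.

```python
"""Detection-and-response KPIs from incident timelines: MTTD, MTTI, MTTC and
both MTTRs (resolve and recover) listed in the post.

Added example, not code from the post. Incident records are constructed.
Assumption: each KPI is the mean time since the previous milestone, averaged
over incidents that have been fully recovered.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import List, Optional


@dataclass(frozen=True)
class Incident:
    id: str
    started: datetime    # first malicious activity, established by forensics
    detected: datetime   # alert fired
    triaged: datetime    # analyst began investigating
    contained: datetime  # spread stopped
    resolved: datetime   # root cause removed
    recovered: Optional[datetime] = None  # service fully restored; None while open

    def __post_init__(self):
        # A timeline that runs backwards is a data-quality defect, not a KPI.
        chain = [self.started, self.detected, self.triaged, self.contained, self.resolved]
        if self.recovered is not None:
            chain.append(self.recovered)
        if any(a > b for a, b in zip(chain, chain[1:])):
            raise ValueError(f"{self.id}: milestones out of order")


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def kpis(incidents: List[Incident]) -> dict:
    """Mean hours per phase over closed incidents; open ones are counted, not averaged."""
    closed = [i for i in incidents if i.recovered is not None]
    if not closed:
        raise ValueError("no closed incidents to report on")
    return {
        "MTTD_h": mean(_hours(i.detected - i.started) for i in closed),
        "MTTI_h": mean(_hours(i.triaged - i.detected) for i in closed),
        "MTTC_h": mean(_hours(i.contained - i.triaged) for i in closed),
        "MTTR_resolve_h": mean(_hours(i.resolved - i.contained) for i in closed),
        "MTTR_recover_h": mean(_hours(i.recovered - i.resolved) for i in closed),
        "open_incidents": len(incidents) - len(closed),
    }


def trend(previous: dict, current: dict) -> dict:
    """Change between two reporting periods; negative hours mean the team got faster."""
    return {k: round(current[k] - previous[k], 2) for k in current if k.endswith("_h")}


D = datetime  # constructed timelines, whole hours for readability
Q2 = [
    Incident("INC-041", D(2021, 4, 2), D(2021, 4, 3, 8), D(2021, 4, 3, 10), D(2021, 4, 3, 18), D(2021, 4, 5, 12), D(2021, 4, 6, 12)),
    Incident("INC-057", D(2021, 5, 10), D(2021, 5, 10, 16), D(2021, 5, 10, 20), D(2021, 5, 11), D(2021, 5, 12, 6), D(2021, 5, 12, 18)),
    Incident("INC-068", D(2021, 6, 20), D(2021, 6, 21), D(2021, 6, 21, 6), D(2021, 6, 21, 12), D(2021, 6, 22)),  # still open
]
Q3 = [
    Incident("INC-073", D(2021, 7, 5), D(2021, 7, 5, 8), D(2021, 7, 5, 9), D(2021, 7, 5, 12), D(2021, 7, 6), D(2021, 7, 6, 6)),
    Incident("INC-088", D(2021, 8, 15), D(2021, 8, 15, 4), D(2021, 8, 15, 5), D(2021, 8, 15, 6), D(2021, 8, 16), D(2021, 8, 16, 6)),
]

if __name__ == "__main__":
    q2, q3 = kpis(Q2), kpis(Q3)
    for name, value in q3.items():
        print(f"{name:16} {value}")
    print("change vs Q2:", trend(q2, q3))
```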

How do we measure cyber risk management?

While detection and response are an important part of cybersecurity risk mitigation, they are not the only way that your organization measures its ability to manage security. Risk management also includes all the preventive activities that keep threats out of your environment in the first place, before an alert is ever raised.

Your Chief Information Security Officer (CISO) should also be able to give you metrics around the following:

  • Intrusion attempts
  • Unidentified devices detected on internal networks
  • Number of users with privileged access
  • Patching cadence

How do we evaluate security solutions?

While you should leave the security solution decisions to the experts, you need to understand the evaluation process. You need to understand what the tool does, why you need it, and how the person who proposed it decided it was necessary.

This question is important for several reasons:

  • Increased costs: Tools can have overlapping capabilities, so you need to know what each one does and what it adds to your security stack.
  • Supply chain attacks: Threat actors target security solutions so you need to understand the vendor’s security posture.
  • Security gap: Tools should close security gaps so you need to know what risk the purchase mitigates.

You don’t need to know all the technical specifications. You do need to understand what security gap existed that your CISO felt needed to be closed.

How do we measure their effectiveness?

No cybersecurity problem has ever been fixed just by throwing money at it. If that was the case, then most companies would never experience a data breach. In order to prove that the addition to the security stack provides a return on investment, you need to know how the CISO and security team are evaluating its effectiveness.

Depending on the security solution’s purpose, you should look for answers to questions like:

  • What improvements on cybersecurity KPIs did this provide?
  • What reduction in alerts has this provided?
  • How has this enhanced reporting capabilities?
  • Is the security team receiving fewer false positives?
  • What is the reduction in cost per incident?

How do we prepare the incident response team?

Your incident response team is on the cybersecurity frontlines defending your organization every day. However, threat actors keep looking for new ways to bypass security controls or exploit vulnerabilities. To keep pace, your incident response team needs support and training.

You should be asking questions like:

  • How often do we run tabletop exercises?
  • How do we fine-tune our security tools?
  • Do they have the technology resources they need?
  • Do we provide them adequate training?

How do we demonstrate due diligence when choosing third-party vendors?

Threat actors keep targeting supply chains because they have a high return on investment. If threat actors find a vulnerability in a vendor, they can attack all of that company’s customers. To mitigate this risk, you need to understand the third-party risk management process from start to finish.

Some questions that can help you gain visibility into the process include:

  • Is the vendor a publicly held company? If so, do they have any cybersecurity issues in their public financial documentation?
  • Did the vendor provide a self-assessment?
  • Did you review independent third-party documentation that supports the self-assessment?
  • When was the most recent penetration test and what were the results?

Have we assigned the right person to be responsible for managing third-party risk?

Depending on your organization’s structure, any number of different people could be responsible for managing third-party risk. However, you need to have at least one person designated as the “point of contact” to ensure appropriate accountability and responsibility.

There’s no “right” way to assign responsibility, but you do need to know the different parties who can be responsible. This can help you determine whether you have the right person in charge. For more informed decision making, you should consider whether the person chosen has the:

  • Knowledge and experience to review security risk
  • Access to data and documentation to continuously monitor risk
  • Ability to review service level agreements (SLAs) for security-related contract language
  • Visibility into operations to ensure compliance with SLAs

How do security, audit, and compliance communicate?

Modern business operations require collaboration. As organizations add more Software-as-a-Service (SaaS) applications to their IT stack, the lines between security, audit, and compliance become blurry. Today, IT and security are integral to compliance and audit outcomes. As industry standards organizations and legislative bodies add new privacy and security mandates, these three teams need to communicate effectively.

Some considerations that can give insight into whether your teams are collaborating well include:

  • Documentation completeness
  • Number of audit findings
  • Time spent gathering audit documentation
  • Time spent responding to auditor questions

How does our cybersecurity posture compare to peers in the industry?

At least annually, directors engage in a financial market analysis. These reviews show how well your organization’s revenue compares to others in your industry. As cybersecurity incidents increasingly impact companies’ financials, you need the same visibility into how your organization’s cybersecurity posture compares to industry peers as you have into how your financials compare.

Some places to look for benchmarks include:

  • Cyber insurance market reports
  • Industry trade organization reports
  • Data breaches mentioned in the news
  • Analyst reports
  • Competitor 10-K reports

How do we assess employee cyber awareness?

Employee cyber awareness training should be conducted at least annually. However, directors and senior leadership need to create a culture that prioritizes security awareness. You also need to provide auditors with training documentation as part of your compliance activities.

Some ways to create a cyber aware culture and assess employees include providing:

  • Online courses
  • Quizzes
  • Phishing tests
  • Security policies
  • Regular updates on new security issues

How do security and executive leadership teams stay current on evolving security and regulatory trends?

While the executive and security teams also need to be a part of the cyber awareness initiatives, they need continuous insight into changing security threats and regulatory trends as well. Additionally, they should be providing you with regular updates when changes in either of these landscapes impact the organization’s security or compliance posture.

Some questions to ask your teams include:

  • Do we belong to our industry’s Information Sharing and Analysis Center (ISAC)?
  • Do we have counsel tracking changes in privacy and cybersecurity laws?
  • How are we monitoring updates to industry standards and cybersecurity frameworks?
  • What threat intelligence feeds do we gather information from?

SecurityScorecard: Cyber risk reports for Boards of Directors

SecurityScorecard’s security ratings platform helps CISOs and directors communicate more effectively. Our security ratings use an easy-to-read A-F scale that shows the organization’s security strengths and weaknesses.

Our board reporting capabilities provide visibility into how security program initiatives align with business needs to help directors focus investments and mitigate risk. With our platform, your CISO can compare up to seven companies, providing insight into how your company’s security compares with industry peers.

At SecurityScorecard, we focus on bridging the language gap between technology leaders and business leaders to ensure a holistic approach to mitigating cybersecurity risk.
