10 questions for the board to ask on cybersecurity

Cybersecurity is a potential minefield of risk. Every company must be thinking about it, and every board needs to be asking the hard questions. By hard questions, I don’t just mean “can people hack our systems?” It’s important to go back even further: what are our systems? How are we exposed? What are we doing to protect ourselves?

These are the ten questions that I think every board needs to be asking about cybersecurity:

1. Where is our organisation’s data? Who owns it, and how important is it to the business?

Cyber attacks are most likely to occur when you have data that someone else, for whatever reason, wants. A board needs to understand what data the company has – and not just the obvious, like email addresses and phone numbers. Then, it needs to think about why that data might be important to someone else.

For example, a radiology company stores x-rays, and they’re a kind of data. Imagine someone is trying to get residency in the United States, but they have lung disease that would prevent them from getting it. Suddenly, a clear chest x-ray is a valuable commodity for them. Who owns that data? Who is thinking about how to protect it?

2. Is cybersecurity treated as an enterprise-wide risk management issue, not just an IT issue?

Cybersecurity affects an entire company. It’s not just an IT issue – it’s a potential major risk to the whole organisation. It’s easy for boards to make the mistake of thinking it’s specifically related to technology, but actually, it’s more about culture.

Boards need to think about how they manage people and cybersecurity together. Human error is a major factor in poor security. Think about phishing attacks – do staff understand the impact their actions could have on the wider business? Do they know the possible points of entry? Do they know how to minimise personal risk, and the risk to the organisation?

3. Does the board understand the legal implications of cyber risks as they relate to the company’s context?

An issue can be both complex and complicated – and those are two different things. A complex system might be made up of simple parts, while a complicated system may have only a few difficult parts.

Cybersecurity is complex, but most of the time it is not complicated: most cybersecurity issues break down into identifiable and understandable smaller components.

A board must ask penetrating questions to understand what these separate parts are. It’s only through breaking the issue down to its component parts that we can start to get a feel for the true risks to the company, and the broader legal implications. These issues only become apparent when the board has the confidence to look at the issue in detail.

4. Does the board have adequate access to cybersecurity expertise?

Across all areas, a board needs a highly capable executive team to help them understand and resolve critical strategic issues.

Almost any ASX director can answer the question “is our CFO any good?” with conviction. Yet answering “is our CIO or CTO any good?” would make most directors much more uncomfortable. If you’re uncomfortable in answering this question, then you’re unlikely to really trust the advice that’s coming back from your executive team.

Asking more questions is a good start, but if a board doesn’t have the expertise to explore and challenge the answers, it will have no choice but to accept them at face value. Whenever a board must accept answers at face value without having the knowledge and expertise to interrogate the responses, we should get very uncomfortable.

5. Have we thought about which cyber risks are to be avoided, accepted, mitigated, or transferred through insurance?

A board may fully explore its attitude towards cybersecurity – really dig deep and answer all the pertinent questions – and find there are still unavoidable risks.

The important thing is to be consistent in managing those risks. Think about how banks dealt with credit card fraud a decade ago – it was cheaper for them to write a cheque than to build complex systems to stop the fraud. But as the cheques have got bigger, the response has had to change.

Each company is unique, and so has unique cybersecurity requirements. A board should use expert advice to identify the right frameworks and response for its specific organisation.

6. When was the last security audit or assessment done?

This might be the most pertinent question a board can ask – and it should be immediately followed by, what did it tell us we need to do? A security audit will identify vulnerabilities in the system and processes, and offer suggestions for addressing them. No board should feel it has ticked all the cybersecurity boxes unless regular audits have been conducted.

The crucial thing is not to stop there. Consider the results of the audit and what needs to be done. Without follow-through, an audit is meaningless.

7. Are you confident the team has corrected the findings identified in those reports?

Once a board has a good understanding of the challenges, the next step is to ask “How confident are we that management has actually fixed the problem?” The board needs to ask for real evidence of action being taken. It needs to be results-focused and show confirmation that the problems have been addressed.

8. Have you assessed information security risks, and developed a plan to treat information security risks?

Once the cybersecurity risk report is understood by the board, it needs to think seriously about what plans need to be put in place. What is the plan to mitigate each of these unique risks, and do they incorporate every specific element of risk? What actions can be taken to avoid them? Is the plan flexible enough to manage new risks?

With these plans in place, the board then needs to make sure it knows how the rest of these questions tie in. How does a security audit affect the plan? How does the plan need to change when our data changes? Risk mitigation can never be done in isolation.

9. Have you selected and implemented relevant controls to manage unacceptable risks?

A very serious cyber attack has the potential to bring down an entire company. It’s a rare and unlikely event, but the board still has to plan for it.

Nassim Taleb – a renowned risk analyst – calls this a “black swan” risk. It might be random, unpredictable, or unprecedented.

But if it does happen, and the board has not planned for it, the outcome could be fatal. The board needs to ask itself, seriously: what could this look like and how would we survive?

10. Do company directors insert themselves into security discussions regularly, and do they ask for regular updates from their C-level executives?

The best way for a board to know its cybersecurity maturity is to regularly insert itself into company-level discussions. I would ask each of the board members: “When was the last time you walked around and talked to some of the technologists about cybersecurity?” “How comfortable did you feel when the conversation got into a little bit of detail?” And finally: “Were you able to ask questions, and did you walk away with a greater degree of confidence?”

It’s a very healthy sign when board members can have a two-way conversation with the security team (in the same way you might with finance or HR). In the end, that’s perhaps the best indication of a board that truly understands cybersecurity.
