Security Questions Your Company’s Board Members Will Ask

Things Board Members Care About

Apart from individual growth in the company, the board cares about majorly three things.

• Cost: Avoid any future costs along with decrement in operating expenses.
• Revenue/ Mission: Enhancing non-revenue mission objectives.
• Risks: Market, financial, innovation, regulatory compliance & security.

Here are some of those questions that board members would ask.

Question-Related to Incident

Questions: What went wrong? How did this happen? I thought you had this under your control, etc.

The board members ask these questions when they get to know about the cyber breach or while the chief information security officer is telling them about the incident. It seems relevant when board members ask these kind of questions specifically about securing the online data of the organization since a large portion of employees is working remotely.

Now, you can tell them about the severity of the incident and state the facts. Tell them what you know and what will you do to resolve the issue. Acknowledge the incident and tell them about the impact it would cause on the business and what are your plans.

However, the security leader will be responsible for the oversight of the risk and security but make sure to define the accountability at the board/executive level.

Question-Related to Trade-off

Question: Are you sure that we are 100% secure?

This kind of question usually come up from the board members who do not understand the security and its impact on the business. Since it is impossible to be totally protected, it will be your responsibility to identify the risk and tell them about the resources that will be used to manage the issue based on business appetite.

You can respond to these questions like “Considering the nature of the threat, it is not possible to get rid of all the sources of risk. I will implement controls to manage the issue. As the business grows, we will have to repeat the reevaluation to understand how much risk would be fine.”

Landscape Question

Questions: How bad it is? How are we performing compared to others?

The company’s board members go through articles, threat reports, blogs and regulatory pressure to learn about the risks. That is why they always ask about how other companies are doing compared to their company.

You can answer like “ I would not hypothesize on the what other company is doing without getting enough information but I’ll let you know as soon as I get enough information.” You can discuss the broader security responses such as recognizing similar weak spots and how are you doing compared to them.

Risk Related Question

Question: Are we aware of the risks that we can take?

The board members know that accepting risk is a choice and if they don’t then it is your responsibility to let them know about it. They would want to know the expected risks of the company are being controlled and you should tell them the tolerance of the company.

Tell the board members about the impact on business due to risk management decisions and make sure to have proper evidence to back it up. The next part would be crucial as the board members take their decisions after knowing the risk tolerance. Since any risk beyond tolerance needs treatment to bring it within the safe zone. Having said that, this does not require any changes in a short period so beware of overreacting.

Question-Related to Performance

Question: Question-related to expenditure. Whether the company is spending enough on resources or if the company is spending too much.

The board members ask these questions because they want to know if the Security & Risk Management Leaders are working properly and they want reassurance about the Return of investment and Metrics.

You can take the approach and use a balanced scorecard that is based on a traffic-light mechanism. Make sure to tell them about the performance of the organization against business aspirations. Also, explain the aspiration according to the business performance and not technology.

Use of Cyber Insurance

Everything is done online now a days and with the increase in the usage of the internet, the number of cyber threats have also increased. Since every company whether a startup or an established one, all of them are prone to cyber threats. This is why it is vital for organizations to protect their online data with cyber insurance policies because cyber threats are inevitable.

Conclusion

These were some of the security questions that board members ask and you can respond to them accordingly. Even though organizations use the best anti-malware available in the market but the hackers are also getting better and better every day.