Five Things the Director Board Wants to Know about Cyber Security and Risks

5 Security Questions Your Board Will Definitely Ask You

Cyber threats are at an all-time high. The grave implications make the C-suite, hitherto not convinced about such dangers, sit up and take notice. They realise that the responsibility for security breaches ultimately falls on them. At the same time, increasing competition puts pressure on margins. The C-suite demands maximum value for every dollar spent. In such circumstances, the board members ask tough cyber security questions before making budgetary approvals. 

Here are five cyber security questions most boards ask.

1. How bad is the overall state of cyber security? 

Despite cyber attacks posing a clear and present danger to enterprises, many board members do not track security on a real-time basis. Some may even lack basic awareness of cyber security. When the CIO presents a budget proposal, they want to know about the overall threat landscape. They would also like to compare the state of enterprise network security relative to peer organisations.

To answer the question, security and risk management leaders may: 

  • Track attacks suffered by competitors and peer organisations. Determine if similar vulnerabilities exist in the enterprise.
  • Implement enhanced monitoring capabilities to track the state of network security.
  • Develop business continuity plans to overcome unexpected prolonged outages. 
  • Track ever-changing regulatory requirements, such as those of the EU General Data Protection Regulation (GDPR).
  • Keep abreast of industry trends and developments through news feeds, blogs, credible social media posts, and other channels.


Resist the temptation to quantify or evaluate every risk in cost-benefit terms. Some risks cause extensive, unquantifiable damage if they come to pass.

2. What is the enterprise’s current threat landscape, and how does it mitigate external and internal threats?

Directors need a real picture of the cyber-physical and digital threats facing their enterprises. Successful IT teams always assess threats and risks and remain aware of their threat landscape.

The threat landscape includes the current and evolving security threats the enterprise faces. The most common threats include malicious actors, technology risks, and systems vulnerabilities. The threat landscape changes fast in today’s fluid and dynamic world. For instance, emerging technology poses new risks. 

Also, not all risks require dramatic change. It suffices to treat the risks that fall outside the enterprise’s tolerance and bring them back within it.

Assess the enterprise threat landscape in the following ways:

  • Conduct risk assessments. Identify the enterprise assets and evaluate the potential threats faced by these assets. Determine the likelihood of occurrence of such threats, and prioritise risks based on impact.
  • Keep track of the latest threat intelligence. Subscribe to threat intelligence feeds, attend security conferences, and participate in security communities.
  • Conduct regular penetration testing through simulated attacks to identify vulnerabilities and improve security.
  • Deploy intrusion detection and prevention tools to identify potential threats. Analyse security data and logs, and collaborate with internal and external stakeholders to understand the potential risks arising from partners, customers, and suppliers.


Review and update the threat landscape assessment regularly to ensure it stays relevant. Constant updating keeps the enterprise safe from new threats.


3. Are we making optimal allocations of resources?

No enterprise has an infinite budget. Despite the critical nature of security, investments always come at the cost of trade-offs. The CIO’s role is to identify, evaluate, and prioritise the potential risks. But they face a challenge in allocating resources as security is a moving target. 

Consider an enterprise with huge intellectual property data and personally identifiable information. Such enterprises may seek to prioritise ransomware protection. On the other hand, a geographically spread-out enterprise may prioritise endpoint protection.

To ensure optimal allocation of the IT budget:

  • Factor in a margin of error for deadlines and budget when drafting the original strategy proposal.
  • Prepare strong justifications for budget overruns. Make sure such spending is not controversial.
  • Apply dashboards that make explicit how security contributes to business performance. One popular model is the balanced scorecard approach. Here, the top management defines the business aspiration. A “traffic-light” mechanism reveals the extent to which the enterprise fulfils these aspirations. 
  • Use frameworks such as the U.S. NIST Cybersecurity Framework, which offers directors and executives a robust structure for cybersecurity. It offers details such as controls, processes, and procedures. 

4. How did the incident happen?

There is no ‘perfect protection’ in cyber security. It is impossible to prevent 100% of incidents. The best the security team can do is resolve incidents before they cause substantial damage.

  • Acknowledge the incident. Provide details on the business impact. Outline the flaws and gaps in the security apparatus that led to the incident, and chalk out a provisional mitigation plan. 
  • Resist the temptation to sweep the incident under the carpet or remain tight-lipped about the details. The tendency toward non-disclosure arises from the sensitivity of the situation. But non-disclosure can violate compliance regulations and lead to heavy fines. Another inevitable consequence is the loss of stakeholder confidence and a certain loss of business.
  • Apply a fact-based approach. Explaining the incident eliminates the uncertainty surrounding the event. Stakeholders get confidence that the personnel responsible have the situation under control. 

5. How to manage third-party vendors and ensure their compliance with in-house security standards?

Today’s digital ecosystem is collaborative. Few enterprises can expect to do everything by themselves. Successful enterprises cultivate an ecosystem of partners.

But collaboration with third-party partners and vendors comes with security risks. It becomes inevitable to grant such partners access to at least some part of the network, and that access can become an entry point for attackers.

Adopt the following best practices to manage third-party vendor security:

  • Define and document security requirements. Articulate the security expectations and standards to vendors and other external stakeholders. Make sure all parties to contracts and agreements are aware of these requirements. Outline the security requirements, responsibilities, and expectations upfront in a formal written contract.
  • Conduct due diligence before signing vendor agreements. Research their security practices. Ensure they have the needed certifications, accreditations, and expertise.
  • Implement a vendor risk management program that includes regular security assessments and audits.
  • Work with vendors and other external partners to implement best practices.


There are no definite answers to board questions. The best responses show options, which vary depending on the board’s context, maturity, and competence. Most board members do not have expertise in IT or security. They remain unaware of the impact of security risks on the business. The onus is on the CIO and the IT team to ensure the director board is aware of the state and future of cybersecurity.
